mirror of https://github.com/apache/impala.git (synced 2025-12-25 02:03:09 -05:00)
IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
The shell uses Thrift's TSSLSocket to negotiate secure connections to Impala. This socket uses a variable SSL_VERSION to determine which SSL and TLS protocol versions it will connect to. SSL_VERSION was hardcoded to be PROTOCOL_TLSv1, which only supports TLSv1 servers and no other protocol version. Change the allowed version to be PROTOCOL_SSLv23, which supports any TLS or SSL protocol. We rely on the server not to allow SSLv2 or v3 connections.

Testing: Added a new custom cluster test to confirm that the shell can connect to a TLSv1.2 cluster. Confirmed that the test is correctly skipped on machines with an old version of OpenSSL that does not support TLSv1.2.

Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Reviewed-on: http://gerrit.cloudera.org:8080/7675
Reviewed-by: Tim Armstrong <tarmstrong@cloudera.com>
Tested-by: Impala Public Jenkins
committed by Impala Public Jenkins
parent 8149dbfc9c
commit e4a0e2f391
@@ -42,6 +42,9 @@ def create_transport(host, port, service, transport_type="buffered", user=None,
|
||||
sock = TSSLSocket.TSSLSocket(host, port, validate=False)
|
||||
else:
|
||||
sock = TSSLSocket.TSSLSocket(host, port, validate=True, ca_certs=ssl_cert)
|
||||
# Set allowed SSL / TLS protocols to a permissive set to connect to any Impala server.
|
||||
import ssl
|
||||
sock.SSL_VERSION = ssl.PROTOCOL_SSLv23
|
||||
else:
|
||||
sock = TSocket(host, port)
|
||||
if transport_type.lower() == "buffered":
|
||||
|
||||
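Review bot: The new assignment `sock.SSL_VERSION = ssl.PROTOCOL_SSLv23` sets no protocol floor on the client, so whether SSLv2 or SSLv3 can be negotiated depends entirely on the server and on the local OpenSSL build, and the added comment ("a permissive set to connect to any Impala server") does not say so. Please state that dependency in the comment, and where the Python and Thrift versions in use allow socket options to be supplied, disable the legacy protocols on the client as well with `ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3`, which still lets TLSv1, v1.1 and v1.2 negotiate. This matters most on the `validate=False` path shown in the context lines, where the server certificate is not checked either. A smaller style point: `import ssl` sits inside the function body next to the assignment; move it to the module-level imports.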