Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
Impala 4.1.0
-
None
-
ghx-label-9
Description
The default value for ssl_cipher_list is empty, which uses any cipher supported by the operating system's OpenSSL version. Some older ciphers are known to be weak, and Mozilla's guide to server side SSL settings recommends restricting the SSL ciphers:
https://wiki.mozilla.org/Security/Server_Side_TLS
In particular, a curated list based on the intermediate compatibility level seems like a reasonable way to improve security. For example, Kudu restricts SSL ciphers to this list:
https://github.com/apache/kudu/blob/master/src/kudu/security/security_flags.cc#L30
const char* const SecurityDefaults::SecurityDefaults::kDefaultTlsCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
We should consider doing something similar.