IMPALA-5800, IMPALA-5775 and IMPALA-5743 added TLS configuration to Impala and Squeasel. Since Impala is often built against different versions of OpenSSL (with different TLS capabilities), we used compile-time definitions to avoid using symbols from OpenSSL 1.0.1 that weren't available.
This works great if we can ensure that the machine on which Impala is built is the same environment as the one on which it executes, but we have discovered that the installed version of OpenSSL can vary between minor releases of Linux distributions.
It appears possible to write the support for TLS1.1+ in terms of symbols that are available in OpenSSL 1.0.0 only. The only downside is that Impala can't then tell whether or not the runtime supports TLS 1.2, and so the error messages won't be quite as clear. However, the benefit of a single binary and Thrift toolchain dependency for all supported versions of OpenSSL is well worth it.