Reply
New Contributor
Posts: 1
Registered: ‎03-06-2018

Impyla TLS/SSL issues with newer versions of SSL

I apologize if this is a duplicate, but I was unable to find anything on it via searches.  We recently restricted remote access to hive to SSL/TLS with the TLS protocol version being 1.1 or higher (1.2).  This caused our business partners using impyla to have issues.  The erorr we get includes 

 [SSL: WRONG_VERSION_NUMBER] 

We tracked it down and it appears the problem is that impyla, when used with python 2, realies on thrift version 0.9.3 or older. In that version of thrift, in the transport package, is a python class called TSSLSockey.py. In that python class the version is hard coded to version 1 with: 

SSL_VERSION = ssl.PROTOCOL_TLSv1

 

 

The comments indicate that the calling program could override that version after instantiating an instance of the class, but the impyla code does not do that.

 

Newer versions of thrift correctly let openssl auto negotiate that version, but impyla won't work with newer versions of thrift without code changes. I was wondering if anyone had solved this in a robust way.  Our solution was to create a python virtual environment and change the TSSLSOcket.py code to hard code: 

SSL_VERSION = ssl.PROTOCOL_TLSv1.2

 

 

This feels like a very brittle solution at best.  I opened Case 203382 with Cloudera, but they don't support impyla. Looking to the community for additional ideas.  Thanks,

 

Announcements