Impyla TLS/SSL issues with newer versions of SSL

I apologize if this is a duplicate, but I was unable to find anything on it via searches. We recently restricted remote access to hive to SSL/TLS with the TLS protocol version being 1.1 or higher (1.2). This caused our business partners using impyla to have issues. The error we get includes

 [SSL: WRONG_VERSION_NUMBER] 

We tracked it down and it appears the problem is that impyla, when used with python 2, relies on thrift version 0.9.3 or older. In that version of thrift, in the transport package, is a python class called TSSLSocket.py. In that python class the version is hard coded to version 1 with:

SSL_VERSION = ssl.PROTOCOL_TLSv1

The comments indicate that the calling program could override that version after instantiating an instance of the class, but the impyla code does not do that.

Newer versions of thrift correctly let openssl auto negotiate that version, but impyla won't work with newer versions of thrift without code changes. I was wondering if anyone had solved this in a robust way. Our solution was to create a python virtual environment and change the TSSLSocket.py code to hard code:

SSL_VERSION = ssl.PROTOCOL_TLSv1_2

This feels like a very brittle solution at best.  I opened Case 203382 with Cloudera, but they don't support impyla. Looking to the community for additional ideas.  Thanks,
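
An added example, not part of the original post and not impyla or thrift code: a small audit that parses Python source and reports every hard-coded `ssl.PROTOCOL_*` pin, such as the `SSL_VERSION` line quoted above, so pins below a server's TLS floor can be located across a virtual environment. The names `find_tls_pins` and `PINNED` and the `SAMPLE` source are constructed for illustration.

```python
import ast

# Fixed-version constants, oldest first. PROTOCOL_SSLv23 / PROTOCOL_TLS
# negotiate the version, so they are not treated as pins.
PINNED = ["PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1",
          "PROTOCOL_TLSv1_1", "PROTOCOL_TLSv1_2"]

def _pin_name(node):
    """Return the constant name if node is ssl.PROTOCOL_<fixed version>."""
    if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
            and node.value.id == "ssl" and node.attr in PINNED):
        return node.attr
    return None

def find_tls_pins(source, floor="PROTOCOL_TLSv1_2"):
    """Return sorted (line, target, constant, below_floor) for each pin."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):        # NAME = ssl.PROTOCOL_x
            target = node.targets[0]
            where = getattr(target, "id", None) or getattr(target, "attr", "?")
        elif isinstance(node, ast.keyword):     # f(ssl_version=ssl.PROTOCOL_x)
            where = node.arg or "**"
        else:
            continue
        const = _pin_name(node.value)
        if const:
            below = PINNED.index(const) < PINNED.index(floor)
            hits.append((node.value.lineno, where, const, below))
    return sorted(hits)

# Constructed sample modelled on the line quoted in the post; parsed, never run.
SAMPLE = '''
import ssl
class TSSLSocket(object):
    SSL_VERSION = ssl.PROTOCOL_TLSv1
    def open(self):
        return ssl.wrap_socket(self.sock, ssl_version=self.SSL_VERSION)
class Negotiating(object):
    SSL_VERSION = ssl.PROTOCOL_SSLv23
def legacy(sock):
    return ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1_1)
'''

if __name__ == "__main__":
    for hit in find_tls_pins(SAMPLE):
        print(hit)
```

Feed it the text of each `.py` file in the environment; entries whose last field is `True` pin a protocol older than the chosen floor.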

 
