gpdb/gpfdist1.patch


commit 406665a6cf49d25d0506439ab27a23e557a80be5
Author: zhaorui <zhaoru@vmware.com>
Date: Thu Jul 8 09:52:37 2021 +0800
Disable unsafe TLS protocol versions (TLS 1.0 and TLS 1.1) for gpfdist.
diff --git a/src/bin/gpfdist/gpfdist.c b/src/bin/gpfdist/gpfdist.c
index 2d066f5b94..dd4179960d 100644
--- a/src/bin/gpfdist/gpfdist.c
+++ b/src/bin/gpfdist/gpfdist.c
@@ -4028,7 +4028,9 @@ static SSL_CTX *initialize_ctx(void)
}
/* Create our context*/
- ctx = SSL_CTX_new( TLSv1_server_method() );
+ ctx = SSL_CTX_new( SSLv23_method() );
+ /* Disable old protocol versions */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 );
/* Generate random seed */
if ( RAND_poll() == 0 )
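Review bot: `SSL_CTX_set_options(ctx, ...)` is now called directly after `SSL_CTX_new()` with no NULL check in between, so a failed context allocation is dereferenced before the function can report it; insert `if (ctx == NULL) return NULL;` (or the file's fatal-error helper, as the `RAND_poll()` branch below presumably uses) between the two added lines. On OpenSSL 1.1.0 and later `SSLv23_method()` is a deprecated alias of `TLS_method()` and the version floor is better expressed as `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)`, which also keeps the policy correct when newer protocol versions appear without another `SSL_OP_NO_*` bit; keeping the option-mask form behind a version check is reasonable only if older OpenSSL must still build. The original line used the server-specific method, so `SSLv23_server_method()` would preserve that intent explicitly, although the generic method also works for a server context. initialize_ctx's body continues outside the hunk.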
diff --git a/src/bin/gpfdist/regress/input/gpfdist_ssl.source b/src/bin/gpfdist/regress/input/gpfdist_ssl.source
index 8dae7b6888..daa55fe3e2 100644
--- a/src/bin/gpfdist/regress/input/gpfdist_ssl.source
+++ b/src/bin/gpfdist/regress/input/gpfdist_ssl.source
@@ -76,6 +76,41 @@ LOCATION ('gpfdists://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl')
FORMAT 'TEXT' (DELIMITER '|' );
INSERT INTO tbl SELECT * FROM tbl_on_heap;
SELECT * FROM tbl_on_heap ORDER BY s1;
+-- test disable tls1.0 and tls1.1
+CREATE EXTERNAL WEB TABLE curl_with_tls10 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.0 >/dev/null 2>&1;ret=$?;
+if [ $ret -eq 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+CREATE EXTERNAL WEB TABLE curl_with_tls11 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.1 >/dev/null 2>&1;ret=$?;
+if [ $ret -eq 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+CREATE EXTERNAL WEB TABLE curl_with_tls12 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.2 >/dev/null 2>&1;ret=$?;
+if [ $ret -ne 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+select * from curl_with_tls10;
+select * from curl_with_tls11;
+select * from curl_with_tls12;
+drop external table if exists curl_with_tls10;
+drop external table if exists curl_with_tls11;
+drop external table if exists curl_with_tls12;
+-- end test disable tls1.0 and tls1.1
-- gpfdist_ssl case 2
DROP TABLE IF EXISTS tbl_on_heap2;
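Review bot: The positive control `curl_with_tls12` prints "success" whenever curl exits with anything other than 35 (`if [ $ret -ne 35 ];then`), so a refused connection, a missing certificate file or a rejected client certificate would all pass; the TLS 1.2 case should require a clean transfer, `if [ $ret -eq 0 ];then`, which leaves the expected-output hunk in regress/output/gpfdist_ssl.source unchanged since it still prints success. The two negative cases rely on curl's `--tlsv1.0` / `--tlsv1.1` forcing exactly that version, but since curl 7.54 those flags only set the minimum version, so on a newer curl the client may negotiate TLS 1.2, exit 0 and the test prints 0 instead of success — pinning the ceiling with `--tls-max 1.0` and `--tls-max 1.1` makes the negative tests check what they claim. Exit code 35 is also returned for unrelated handshake failures, so a comment explaining the expectation, e.g. `-- curl exit 35 (SSL connect error) is expected: gpfdist now rejects TLS below 1.2`, would help the next reader distinguish a correct rejection from a broken test environment.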
diff --git a/src/bin/gpfdist/regress/output/gpfdist_ssl.source b/src/bin/gpfdist/regress/output/gpfdist_ssl.source
index 286c51644f..4ba57cf26a 100644
--- a/src/bin/gpfdist/regress/output/gpfdist_ssl.source
+++ b/src/bin/gpfdist/regress/output/gpfdist_ssl.source
@@ -70,6 +70,56 @@ SELECT * FROM tbl_on_heap ORDER BY s1;
ccc | twoc | shpits | Wed Jun 01 12:30:30 2011 | 23 | 732 | 834567 | 45.67 | 789.123 | 7.12345 | 123.456789
(3 rows)
+-- test disable tls1.0 and tls1.1
+CREATE EXTERNAL WEB TABLE curl_with_tls10 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.0 >/dev/null 2>&1;ret=$?;
+if [ $ret -eq 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+CREATE EXTERNAL WEB TABLE curl_with_tls11 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.1 >/dev/null 2>&1;ret=$?;
+if [ $ret -eq 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+CREATE EXTERNAL WEB TABLE curl_with_tls12 (x text)
+execute E'curl -H "X-GP-PROTO: 1" https://127.0.0.1:7070/gpfdist_ssl/tbl2.tbl -vk --cert @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.crt --key @abs_srcdir@/data/gpfdist_ssl/certs_matching/client.key --tlsv1.2 >/dev/null 2>&1;ret=$?;
+if [ $ret -ne 35 ];then
+ echo "success";
+else
+ echo $ret;
+fi'
+on SEGMENT 0
+FORMAT 'text';
+select * from curl_with_tls10;
+ x
+---------
+ success
+(1 row)
+
+select * from curl_with_tls11;
+ x
+---------
+ success
+(1 row)
+
+select * from curl_with_tls12;
+ x
+---------
+ success
+(1 row)
+
+drop external table if exists curl_with_tls10;
+drop external table if exists curl_with_tls11;
+drop external table if exists curl_with_tls12;
+-- end test disable tls1.0 and tls1.1
-- gpfdist_ssl case 2
DROP TABLE IF EXISTS tbl_on_heap2;
NOTICE: table "tbl_on_heap2" does not exist, skipping