#7196: Health checks should default to TLSv1.2

Summary: D10596 introduced a bug where if ssl_protocols is not specified, the cqlsh check will error out by trying to pass in None. This diff fixes that by defaulting to TLSv1.2 and also allowing ssl_protocols flag to have more than one value (e.g. "ssl2 ssl3,tls10 tls11") Test Plan: Create TLS universe without the flag. Try health check. Create TLS universe with the flag set to "ssl2 ssl3,tls10 tls11". Try health check. Reviewers: daniel, arnav, sanketh, sb-yb Reviewed By: sb-yb Subscribers: jenkins-bot, yugaware Differential Revision: https://phabricator.dev.yugabyte.com/D10617
yugabyte · Feb 12, 2021 · f6f8ad6 · f6f8ad6
1 parent f88fd5c
commit f6f8ad6
Showing 1 changed file with 20 additions and 12 deletions.
diff --git a/managed/devops/bin/cluster_health.py b/managed/devops/bin/cluster_health.py
@@ -12,6 +12,7 @@
 import json
 import logging
 import os
+import re
 import subprocess
 import sys
 import time
@@ -43,6 +44,15 @@
 MAX_CONCURRENT_PROCESSES = 10
 MAX_TRIES = 2
 
+DEFAULT_SSL_VERSION = "TLSv1_2"
+SSL_PROTOCOL_TO_SSL_VERSION = {
+    "ssl2": "SSLv23",
+    "ssl3": "SSLv23",
+    "tls10": "TLSv1",
+    "tls11": "TLSv1_1",
+    "tls12": "TLSv1_2"
+}
+
 ###################################################################################################
 # Reporting
 ###################################################################################################
@@ -381,18 +391,16 @@ def check_cqlsh(self):
         remote_cmd = '{} {} {} -e "SHOW HOST"'.format(cqlsh, self.node, self.ycql_port)
         if self.enable_tls_client:
             cert_file = K8S_CERT_FILE_PATH if self.is_k8s else VM_CERT_FILE_PATH
-
-            remote_cmd = 'SSL_CERTFILE={} {} {}'.format(cert_file, remote_cmd, '--ssl')
-            if self.ssl_protocol is not None:
-                SSL_PROTOCOL_TO_SSL_VERSION = {
-                    "ssl2": "SSLv23",
-                    "ssl3": "SSLv23",
-                    "tls10": "TLSv1",
-                    "tls11": "TLSv1_1",
-                    "tls12": "TLSv1_2"
-                }
-                protocol = SSL_PROTOCOL_TO_SSL_VERSION.get(self.ssl_protocol)
-                remote_cmd = 'SSL_VERSION={} {}'.format(protocol, remote_cmd)
+            protocols = re.split('\\W+', self.ssl_protocol or "")
+            ssl_version = DEFAULT_SSL_VERSION
+            for protocol in protocols:
+                cur_version = SSL_PROTOCOL_TO_SSL_VERSION.get(protocol)
+                if cur_version is not None:
+                    ssl_version = cur_version
+                    break
+
+            remote_cmd = 'SSL_VERSION={} SSL_CERTFILE={} {} {}'.format(
+                ssl_version, cert_file, remote_cmd, '--ssl')
 
         output = self._remote_check_output(remote_cmd).strip()