From f6f8ad6228e5bdf3eb5805be805fa5b93ef530c2 Mon Sep 17 00:00:00 2001
From: Wesley Wang <2791412+WesleyW@users.noreply.github.com>
Date: Fri, 12 Feb 2021 11:48:20 -0800
Subject: [PATCH] #7196: Health checks should default to TLSv1.2

Summary: D10596 introduced a bug where if ssl_protocols is not specified, the cqlsh check will error out by trying to pass in None. This diff fixes that by defaulting to TLSv1.2 and also allowing ssl_protocols flag to have more than one value (e.g. "ssl2 ssl3,tls10 tls11")

Test Plan: Create TLS universe without the flag. Try health check. Create TLS universe with the flag set to "ssl2 ssl3,tls10 tls11". Try health check.

Reviewers: daniel, arnav, sanketh, sb-yb

Reviewed By: sb-yb

Subscribers: jenkins-bot, yugaware

Differential Revision: https://phabricator.dev.yugabyte.com/D10617
---
 managed/devops/bin/cluster_health.py | 32 +++++++++++++++++-----------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/managed/devops/bin/cluster_health.py b/managed/devops/bin/cluster_health.py
index 3c0207b13ec0..dd582e7d6730 100755
--- a/managed/devops/bin/cluster_health.py
+++ b/managed/devops/bin/cluster_health.py
@@ -12,6 +12,7 @@
 import json
 import logging
 import os
+import re
 import subprocess
 import sys
 import time
@@ -43,6 +44,15 @@
 MAX_CONCURRENT_PROCESSES = 10
 MAX_TRIES = 2
 
+DEFAULT_SSL_VERSION = "TLSv1_2"
+SSL_PROTOCOL_TO_SSL_VERSION = {
+    "ssl2": "SSLv23",
+    "ssl3": "SSLv23",
+    "tls10": "TLSv1",
+    "tls11": "TLSv1_1",
+    "tls12": "TLSv1_2"
+}
+
 ###################################################################################################
 # Reporting
 ###################################################################################################
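Review bot: The `ssl2` and `ssl3` entries of SSL_PROTOCOL_TO_SSL_VERSION both map to `SSLv23`, which in Python's ssl module is the version-flexible PROTOCOL_SSLv23 constant (it negotiates the highest version both peers support), not SSLv2 or SSLv3; as written the table reads as if the health check could be told to speak those legacy protocols. A comment above those two entries, `# "SSLv23" is the ssl module's auto-negotiating constant, not SSLv2/SSLv3`, would stop that misreading. DEFAULT_SSL_VERSION likewise deserves a one-line comment saying it is the value used when the ssl_protocols flag is unset or names no known protocol, since the commit summary carries that reasoning but the code does not.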
@@ -381,18 +391,16 @@ def check_cqlsh(self):
         remote_cmd = '{} {} {} -e "SHOW HOST"'.format(cqlsh, self.node, self.ycql_port)
         if self.enable_tls_client:
             cert_file = K8S_CERT_FILE_PATH if self.is_k8s else VM_CERT_FILE_PATH
-
-            remote_cmd = 'SSL_CERTFILE={} {} {}'.format(cert_file, remote_cmd, '--ssl')
-            if self.ssl_protocol is not None:
-                SSL_PROTOCOL_TO_SSL_VERSION = {
-                    "ssl2": "SSLv23",
-                    "ssl3": "SSLv23",
-                    "tls10": "TLSv1",
-                    "tls11": "TLSv1_1",
-                    "tls12": "TLSv1_2"
-                }
-                protocol = SSL_PROTOCOL_TO_SSL_VERSION.get(self.ssl_protocol)
-                remote_cmd = 'SSL_VERSION={} {}'.format(protocol, remote_cmd)
+            protocols = re.split('\\W+', self.ssl_protocol or "")
+            ssl_version = DEFAULT_SSL_VERSION
+            for protocol in protocols:
+                cur_version = SSL_PROTOCOL_TO_SSL_VERSION.get(protocol)
+                if cur_version is not None:
+                    ssl_version = cur_version
+                    break
+
+            remote_cmd = 'SSL_VERSION={} SSL_CERTFILE={} {} {}'.format(
+                ssl_version, cert_file, remote_cmd, '--ssl')
 
         output = self._remote_check_output(remote_cmd).strip()
 
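Review bot: The loop in the added block selects the first token of self.ssl_protocol that has a mapping, so selection is by position rather than by strength (for the summary's example "ssl2 ssl3,tls10 tls11" the check runs with SSLv23), and a value made only of unrecognized tokens silently falls back to DEFAULT_SSL_VERSION, which makes a mistyped flag indistinguishable from an unset one in the health-check output. A for/else branch at the loop's indentation would record the fallback: `else:` followed by `logging.warning("ssl_protocols=%r names no known protocol; using %s", self.ssl_protocol, DEFAULT_SSL_VERSION)` (logging is already imported, per the first hunk). A short comment such as `# first recognized token wins; order in the flag matters` above the loop would document the positional choice. The regex is clearer as a raw string, `re.split(r'\W+', self.ssl_protocol or "")`. check_cqlsh begins and ends outside this hunk.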