ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Hill (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-12393) Ambari Server is vulnerable to logjam
Date Fri, 11 Sep 2015 14:30:45 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-12393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14740905#comment-14740905
] 

Greg Hill commented on AMBARI-12393:
------------------------------------

I didn't move the end quote in ambari-env.sh to cover the new setting.  /facepalm  Testing
it again now.

> Ambari Server is vulnerable to logjam
> -------------------------------------
>
>                 Key: AMBARI-12393
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12393
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.0
>         Environment: Red Hat Enterprise Linux Server release 6.6 
>            Reporter: Jeffrey E  Rodriguez
>            Priority: Critical
>             Fix For: 2.1.2
>
>
> All Ambari servers running in Jetty server as well as the Ambari server itself are vulnerable
to LogJam  see details.
> https://weakdh.org/
> Test setting up Ambari SSL.
> 1. create certificate 
> openssl genrsa -out $wserver.key 2048 
>  openssl req -new -key $wserver.key -out $wserver.csr  
>   openssl x509 -req -days 365 -in $wserver.csr -signkey $wserver.key -out $wserver.crt
> where #wscver is hostname of ambari server.
> 2. run ambari-server setup-security
> 3. Run openssl to check DH key lenght
> penssl s_client -connect bdvs1390.svl.ibm.com:8444 -cipher "EDH" | grep "Server Temp
Key"
> depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = sever.com, emailAddress
= test
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = server.com, emailAddress
= test
> verify return:1
> Server Temp Key: DH, 1024 bits
> Furthermore, some versions of Firefox would reject the certificate so Ambari server would
not be accessible from browser.
> Jira https://issues.apache.org/jira/browse/KNOX-566 has already been open for Knox.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message