Date: Fri, 11 Sep 2015 14:30:45 +0000 (UTC)
From: "Greg Hill (JIRA)"
To: dev@ambari.apache.org
Subject: [jira] [Commented] (AMBARI-12393) Ambari Server is vulnerable to logjam

[ https://issues.apache.org/jira/browse/AMBARI-12393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14740905#comment-14740905 ]

Greg Hill commented on AMBARI-12393:
------------------------------------

I didn't move the end quote in ambari-env.sh to cover the new setting. /facepalm

Testing it again now.
> Ambari Server is vulnerable to logjam
> -------------------------------------
>
>                 Key: AMBARI-12393
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12393
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.0
>         Environment: Red Hat Enterprise Linux Server release 6.6
>            Reporter: Jeffrey E Rodriguez
>            Priority: Critical
>             Fix For: 2.1.2
>
>
> All Ambari servers running in Jetty server as well as the Ambari server itself are vulnerable to LogJam, see details:
> https://weakdh.org/
> Test setting up Ambari SSL.
> 1. create certificate
> openssl genrsa -out $wserver.key 2048
> openssl req -new -key $wserver.key -out $wserver.csr
> openssl x509 -req -days 365 -in $wserver.csr -signkey $wserver.key -out $wserver.crt
> where $wserver is hostname of ambari server.
> 2. run ambari-server setup-security
> 3. Run openssl to check DH key length
> openssl s_client -connect bdvs1390.svl.ibm.com:8444 -cipher "EDH" | grep "Server Temp Key"
> depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = sever.com, emailAddress = test
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = server.com, emailAddress = test
> verify return:1
> Server Temp Key: DH, 1024 bits
> Furthermore, some versions of Firefox would reject the certificate so Ambari server would not be accessible from browser.
> Jira https://issues.apache.org/jira/browse/KNOX-566 has already been opened for Knox.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
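The reporter's step 3 is a manual grep of `openssl s_client` output; the following shell script turns that check into something that can be scripted, as an added example that is neither Ambari project code nor anything posted in this thread. It parses the "Server Temp Key" line the way the transcript above shows it, treats 1024-bit finite-field DH groups as weak (the 2048-bit threshold is this example's own assumption, in line with weakdh.org's guidance), and distinguishes "weak group" from "no DH key negotiated at all", which the plain grep cannot. The `check_dh_host` function mirrors the `openssl s_client -cipher "EDH"` command from the issue; the sample outputs are constructed and modelled on the transcript so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the Ambari project or from this JIRA thread.
# It parses the "Server Temp Key" line that `openssl s_client -cipher EDH`
# prints (as in the transcript in the issue) and judges whether the ephemeral
# DH group is big enough. The 2048-bit threshold is this example's assumption:
# Logjam (weakdh.org) breaks 512-bit export groups and puts 1024-bit groups
# within reach of well-resourced attackers, so 1024 is treated as weak here.
MIN_DH_BITS=2048

# Read s_client output on stdin and print the DH bit length, or nothing when
# no finite-field DH temp key is present (ECDHE handshakes print a different
# "Server Temp Key" line and RSA-only handshakes print none at all).
dh_temp_key_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p' | head -n 1
}

# Exit status: 0 = DH group is at least MIN_DH_BITS, 1 = weaker than that,
# 2 = no DH temp key line seen (no DHE cipher negotiated or handshake failed).
check_dh_output() {
    bits=$(dh_temp_key_bits)
    if [ -z "$bits" ]; then
        return 2
    fi
    [ "$bits" -ge "$MIN_DH_BITS" ]
}

# Human-readable verdict for whatever s_client output arrives on stdin.
# In the else branch $? still holds the status returned by check_dh_output.
report_dh() {
    if check_dh_output; then
        echo "OK: ephemeral DH group is at least $MIN_DH_BITS bits"
    else
        case $? in
            1) echo "WEAK: ephemeral DH group is below $MIN_DH_BITS bits" ;;
            *) echo "NO DH KEY: server did not negotiate a DHE cipher or the handshake failed" ;;
        esac
    fi
}

# Live check against host:port, mirroring the command from the issue. The
# leading echo closes the TLS session so s_client returns. Not run in this file.
check_dh_host() {
    echo | openssl s_client -connect "$1" -cipher "EDH" 2>/dev/null | report_dh
}

# Constructed sample outputs modelled on the transcript in the issue.
SAMPLE_WEAK='depth=0 CN = server.com
verify return:1
Server Temp Key: DH, 1024 bits'
SAMPLE_STRONG='depth=0 CN = server.com
verify return:1
Server Temp Key: DH, 2048 bits'
SAMPLE_ECDHE='depth=0 CN = server.com
verify return:1
Server Temp Key: ECDH, P-256, 256 bits'

# Stand-alone demo over the constructed samples.
printf '%s\n' "$SAMPLE_WEAK"   | report_dh
printf '%s\n' "$SAMPLE_STRONG" | report_dh
printf '%s\n' "$SAMPLE_ECDHE"  | report_dh
```

Run `check_dh_host ambari-host:8443` (hostname and port are placeholders) against a server once the fix is deployed; the expected verdict is the "OK" line. The thread does not spell out which setting Greg Hill is adding to ambari-env.sh; on Java 8 the JVM knob that controls the ephemeral DH size is the `jdk.tls.ephemeralDHKeySize` system property, which would explain why the change lives in the JVM arguments of ambari-env.sh and why an unbalanced closing quote there breaks it. That connection is an inference from the thread, not something the message states.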