Subject: Re: Review Request 42770: Ambari Server CA should use sha256 as default message digest algorithm
From: Dmytro Sen
To: Mahadev Konar, Dmytro Sen, Yusaku Sako
Cc: Robert Levas, Ambari
Date: Tue, 26 Jan 2016 11:18:01 -0000
Message-ID: <20160126111801.25059.33468@reviews.apache.org>
In-Reply-To: <20160126011317.25059.90704@reviews.apache.org>
Reply-To: dev@ambari.apache.org
Mailing-List: contact dev-help@ambari.apache.org; run by ezmlm
X-ReviewBoard-URL: https://reviews.apache.org/
X-ReviewRequest-URL: https://reviews.apache.org/r/42770/
X-ReviewRequest-Repository: ambari
X-ReviewBoard-ShipIt: 1
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/42770/#review116342
-----------------------------------------------------------

Ship it!

Ship It!

- Dmytro Sen


On Jan. 26, 2016, 1:13 a.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/42770/
> -----------------------------------------------------------
>
> (Updated Jan. 26, 2016, 1:13 a.m.)
>
>
> Review request for Ambari, Dmytro Sen, Mahadev Konar, and Yusaku Sako.
>
>
> Bugs: AMBARI-14778
>     https://issues.apache.org/jira/browse/AMBARI-14778
>
>
> Repository: ambari
>
>
> Description
> -------
>
> The Ambari Server (built-in) CA should use {{SHA256}} as the default message digest algorithm rather than the no longer trusted {{MD5}} and {{SHA1}} digest algorithms.
>
> To do this, change the following line (in both the unix and windows versions of the file):
>
> #ambari-server/conf/.../ca.config#
> ```
> default_md = md5
> ```
> to
> ```
> default_md = sha256
> ```
>
> Note: This directly affects 2-way SSL between the Ambari server and the agents due to security constraints in newer JVMs, like
> ```
> openjdk version "1.8.0_71"
> OpenJDK Runtime Environment (build 1.8.0_71-b15)
> OpenJDK 64-Bit Server VM (build 25.71-b15, mixed mode)
> ```
>
>
> The following error in the ambari-agent log may indicate that the agent's SSL certificate is signed using MD5:
> ```
> ERROR 2016-01-22 17:01:56,982 Controller.py:186 - Unable to connect to: https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org
> Traceback (most recent call last):
>   File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 140, in registerWithServer
>     ret = self.sendRequest(self.registerUrl, data)
>   File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 413, in sendRequest
>     raise IOError('Request to {0} failed due to {1}'.format(url, str(exception)))
> IOError: Request to https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
> ERROR 2016-01-22 17:01:56,982 Controller.py:187 - Error:Request to https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
> ```
>
> The following error in the ambari-server log (when logging DEBUG messages) indicates that the agent's SSL certificate is signed using MD5, which is not supported by the underlying JVM:
> ```
> 22 Jan 2016 21:09:43,577 DEBUG [qtp-ambari-agent-50] HttpParser:1049 -
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>     at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
>     at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>     at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:465)
>     at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386)
>     at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>     at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:715)
>     at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
>     at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>     at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>     at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>     at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>     at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1909)
>     at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
>     at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:375)
>     ... 12 more
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
>     at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
>     at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
>     at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1896)
>     ... 19 more
> Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
>     at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>     at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
>     at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
>     at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
>     at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
>     at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347)
>     ... 25 more
> ```
>
>
> Diffs
> -----
>
>   ambari-server/conf/unix/ca.config b80f797
>   ambari-server/conf/windows/ca.config b4dd1c5
>
> Diff: https://reviews.apache.org/r/42770/diff/
>
>
> Testing
> -------
>
> Manually tested with Oracle JVM 1.7 and 1.8 (with and without JCE installed). Also tested with OpenJDK 1.8.
>
> No unit tests were updated.
>
>
> Thanks,
>
> Robert Levas
>
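The review above boils down to one setting in an OpenSSL-style CA config: which `default_md` the built-in CA signs agent certificates with. The following is an added example, not part of the review request and not Ambari's own code, showing how a defender can audit such a config for weak digests before a newer JVM rejects the resulting certificates (`Algorithm constraints check failed: MD5withRSA` above), and how to rewrite the setting in place. It assumes only OpenSSL's INI-like layout (`[section]` headers, `key = value`, `#` comments, and `[ca] default_ca` pointing at the signing section); the `SAMPLE_CA_CONFIG` text and the `CA_CLIENT` section name in it are constructed for the example and are not the real Ambari file.

```python
"""Audit and harden default_md in an OpenSSL-style CA config (added example, not Ambari code)."""
import re
from typing import Dict, Tuple

# Digests the review calls no longer trusted (md5, sha1); md2/md4 added as assumed-weak.
WEAK_DIGESTS = {"md2", "md4", "md5", "sha", "sha1"}
RECOMMENDED_DIGEST = "sha256"

# Constructed sample resembling the "before" state described in the review.
SAMPLE_CA_CONFIG = """\
[ ca ]
default_ca = CA_CLIENT

[ CA_CLIENT ]
dir          = /var/lib/ambari-server/keys
certs        = $dir/certs
default_days = 365
default_md   = md5      # message digest algorithm
policy       = policy_anything
"""

_SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
_KV_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")
_DEFAULT_MD_RE = re.compile(r"^(\s*default_md\s*=\s*)(\S+)(.*)$")


def parse_openssl_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section] / key = value lines; '#' starts a comment. Top-level keys land in ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = _KV_RE.match(line)
        if m:
            sections[current][m.group(1)] = m.group(2)
    return sections


def ca_default_md(text: str) -> Tuple[str, str]:
    """Return (section, digest) for the default_md that governs signing.

    OpenSSL's ca tool reads [ca] default_ca to find the section holding the
    signing settings; fall back to [ca] itself, then to top-level keys.
    """
    cfg = parse_openssl_config(text)
    signing_section = cfg.get("ca", {}).get("default_ca", "ca")
    for name in (signing_section, "ca", ""):
        md = cfg.get(name, {}).get("default_md")
        if md:
            return name, md.lower()
    return "", ""


def is_weak_digest(digest: str) -> bool:
    """True when the digest is one a current JVM's algorithm constraints will reject."""
    return digest.lower() in WEAK_DIGESTS


def harden_default_md(text: str, digest: str = RECOMMENDED_DIGEST) -> str:
    """Rewrite every default_md assignment to `digest`, preserving layout and comments."""
    fixed = []
    for line in text.split("\n"):
        m = _DEFAULT_MD_RE.match(line)
        fixed.append(f"{m.group(1)}{digest}{m.group(3)}" if m else line)
    return "\n".join(fixed)


if __name__ == "__main__":
    section, md = ca_default_md(SAMPLE_CA_CONFIG)
    verdict = "WEAK" if is_weak_digest(md) else "ok"
    print(f"[{section}] default_md = {md} -> {verdict}")
    print(harden_default_md(SAMPLE_CA_CONFIG))
```

Checking the config only tells you what future certificates will be signed with; certificates already issued under `default_md = md5` stay MD5-signed and must be reissued. For an existing agent certificate, `openssl x509 -noout -text -in <cert.pem>` prints the `Signature Algorithm` line, which is the value the JVM's constraint check in the stack trace above is rejecting.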