hadoop-common-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ka...@apache.org
Subject git commit: HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)
Date Wed, 29 Oct 2014 01:09:49 GMT
Repository: hadoop
Updated Branches:
  refs/heads/branch-2 720de7eb4 -> 160aebcae


HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)

(cherry picked from commit 3c5f5af1184e85158dec962df0b0bc2be8d0d1e3)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/160aebca
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/160aebca
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/160aebca

Branch: refs/heads/branch-2
Commit: 160aebcae2d2510ecc2f2982db01a1815d8b5297
Parents: 720de7e
Author: Karthik Kambatla <kasha@apache.org>
Authored: Tue Oct 28 18:03:00 2014 -0700
Committer: Karthik Kambatla <kasha@apache.org>
Committed: Tue Oct 28 18:08:00 2014 -0700

----------------------------------------------------------------------
 hadoop-common-project/hadoop-common/CHANGES.txt         |  2 ++
 .../java/org/apache/hadoop/security/ssl/SSLFactory.java | 12 +++++++++++-
 .../hadoop-common/src/main/resources/core-default.xml   |  8 ++++++++
 .../src/site/apt/EncryptedShuffle.apt.vm                |  2 ++
 4 files changed, 23 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/160aebca/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 4a2d165..11df1ff 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -671,6 +671,8 @@ Release 2.6.0 - UNRELEASED
 
     HADOOP-11217. Disable SSLv3 in KMS. (Robert Kanter via kasha)
 
+    HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)
+
 Release 2.5.1 - 2014-09-05
 
   INCOMPATIBLE CHANGES

http://git-wip-us.apache.org/repos/asf/hadoop/blob/160aebca/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
index 404b007..bbea33b 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
@@ -66,6 +66,10 @@ public class SSLFactory implements ConnectionConfigurator {
   public static final String KEYSTORES_FACTORY_CLASS_KEY =
     "hadoop.ssl.keystores.factory.class";
 
+  public static final String SSL_ENABLED_PROTOCOLS =
+      "hadoop.ssl.enabled.protocols";
+  public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1";
+
   private Configuration conf;
   private Mode mode;
   private boolean requireClientCert;
@@ -73,6 +77,8 @@ public class SSLFactory implements ConnectionConfigurator {
   private HostnameVerifier hostnameVerifier;
   private KeyStoresFactory keystoresFactory;
 
+  private String[] enabledProtocols = null;
+
   /**
    * Creates an SSLFactory.
    *
@@ -94,6 +100,9 @@ public class SSLFactory implements ConnectionConfigurator {
       = conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
                       FileBasedKeyStoresFactory.class, KeyStoresFactory.class);
     keystoresFactory = ReflectionUtils.newInstance(klass, sslConf);
+
+    enabledProtocols = conf.getStrings(SSL_ENABLED_PROTOCOLS,
+        DEFAULT_SSL_ENABLED_PROTOCOLS);
   }
 
   private Configuration readSSLConfiguration(Mode mode) {
@@ -122,7 +131,7 @@ public class SSLFactory implements ConnectionConfigurator {
     context = SSLContext.getInstance("TLS");
     context.init(keystoresFactory.getKeyManagers(),
                  keystoresFactory.getTrustManagers(), null);
-
+    context.getDefaultSSLParameters().setProtocols(enabledProtocols);
     hostnameVerifier = getHostnameVerifier(conf);
   }
 
@@ -185,6 +194,7 @@ public class SSLFactory implements ConnectionConfigurator {
       sslEngine.setUseClientMode(false);
       sslEngine.setNeedClientAuth(requireClientCert);
     }
+    sslEngine.setEnabledProtocols(enabledProtocols);
     return sslEngine;
   }
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/160aebca/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index a23a7fa..4ba2e5a 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -1366,6 +1366,14 @@ for ldap providers in the same way as above does.
 </property>
 
 <property>
+  <name>hadoop.ssl.enabled.protocols</name>
+  <value>TLSv1</value>
+  <description>
+    Protocols supported by the ssl.
+  </description>
+</property>
+
+<property>
   <name>hadoop.jetty.logs.serve.aliases</name>
   <value>true</value>
   <description>

http://git-wip-us.apache.org/repos/asf/hadoop/blob/160aebca/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
----------------------------------------------------------------------
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
index e766cbc..da412df 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
@@ -54,6 +54,8 @@ Hadoop MapReduce Next Generation - Encrypted Shuffle
 *--------------------------------------+---------------------+-----------------+
 | <<<hadoop.ssl.client.conf>>>         | <<<ss-client.xml>>>
| Resource file from which ssl server keystore information will be extracted. This file is
looked up in the classpath, typically it should be in Hadoop conf/ directory |
 *--------------------------------------+---------------------+-----------------+
+| <<<hadoop.ssl.enabled.protocols>>>   | <<<TLSv1>>>
        | The supported SSL protocols (JDK6 can use <<TLSv1>>, JDK7+ can use <<TLSv1,TLSv1.1,TLSv1.2>>)
|
+*--------------------------------------+---------------------+-----------------+
 
   <<IMPORTANT:>> Currently requiring client certificates should be set to false.
   Refer the {{{ClientCertificates}Client Certificates}} section for details.


Mime
View raw message