hadoop-common-issues mailing list archives

From "Vijay Singh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11218) Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory
Date Fri, 02 Oct 2015 05:30:27 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14940781#comment-14940781 ]

Vijay Singh commented on HADOOP-11218:
--------------------------------------

I posted an approach for enabling TLSv1.1 and TLSv1.2 for the HttpFS service in the duplicate ticket.
The reason for our customers to go for TLS1.2 is that current RHEL7 and Ubuntu based HDFS
client gateways, when used with curl, can enforce which TLS level to use. The security teams
want applications using curl to enforce TLSv1.2; however, in the absence of server support it's
not feasible. Regardless, once we allow the TLSv1, TLSv1.1, TLSv1.2 options as part of the server
config, the server can choose the highest level of support for TLS available and may or may not honor
the client request. But at least the client application can downgrade or choose not to use TLSv1.
Since we support JDK7, I propose that we add support for TLSv1.1 and TLSv1.2 for the KMS and HttpFS
services at least using SSLFactory.
Please find the code snippet for the implemented changes.
{code:xml}
     <Connector port="${httpfs.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
               keystoreFile="${httpfs.ssl.keystore.file}"
               keystorePass="_httpfs_ssl_keystore_pass_"/>
{code}

Changes include the addition of TLSv1.1 and TLSv1.2 to the sslEnabledProtocols XML attribute on line 73
of the file hadoop/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf

> Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory
> ----------------------------------------------
>
>                 Key: HADOOP-11218
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11218
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.7.0
>            Reporter: Robert Kanter
>            Priority: Critical
>
> HADOOP-11217 required us to specifically list the versions of TLS that KMS supports.
> With Hadoop 2.7 dropping support for Java 6 and Java 7 supporting TLSv1.1 and TLSv1.2, we
> should add them to the list.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
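
Added example (not part of the original message or of Hadoop's code): a Python check that reads `sslEnabledProtocols` from a Tomcat connector and models which version a client that requires TLSv1.2 would negotiate, before and after the change described in the comment. The `<Server>`/`<Service>` wrapper, the function names and the rank table are assumptions for illustration; the "before" value is derived from the comment's description of what was added.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the comment, wrapped in assumed
# <Server>/<Service> elements so it parses as a standalone document.
AFTER = '''<Server><Service>
  <Connector port="${httpfs.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
             keystoreFile="${httpfs.ssl.keystore.file}"
             keystorePass="_httpfs_ssl_keystore_pass_"/>
</Service></Server>'''
# "Before" value derived from the comment: the same list without the additions.
BEFORE = AFTER.replace("TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello", "TLSv1,SSLv2Hello")

# Negotiable versions in ascending order. SSLv2Hello is only a JSSE
# hello-format switch, not a version a session can end up on.
RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}


def enabled_versions(server_xml):
    """Return {port: [negotiable versions, low to high]} per TLS connector.

    A connector without sslEnabledProtocols yields an empty list; the JVM
    defaults that would apply in that case are not modelled here.
    """
    result = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        names = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")]
        result[conn.get("port")] = sorted(
            (p for p in names if p in RANK), key=RANK.get)
    return result


def negotiate(server_versions, client_min, client_max="TLSv1.2"):
    """Highest version both sides allow, or None if the handshake would fail."""
    usable = [v for v in server_versions
              if RANK[client_min] <= RANK[v] <= RANK[client_max]]
    return usable[-1] if usable else None


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        for port, versions in enabled_versions(doc).items():
            print(label, port, versions,
                  "client min TLSv1.2 ->", negotiate(versions, "TLSv1.2"))
```
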
