hadoop-common-issues mailing list archives

From "Vijay Singh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11218) Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory
Date Fri, 02 Oct 2015 05:51:27 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14940792#comment-14940792 ]

Vijay Singh commented on HADOOP-11218:
--------------------------------------

The code snippet changes for KMS will be required on line 73 of the file /hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf.
The code changes are as follows:
{code:xml}
<Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="${kms.max.threads}" scheme="https" secure="true"
               clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
               truststorePass="_kms_ssl_truststore_pass_"
               keystoreFile="${kms.ssl.keystore.file}"
               keystorePass="_kms_ssl_keystore_pass_"/>
{code:xml}

Please see the excerpts from test log.
{noformat}
[root@vjs-kms ~]# diff /opt/myclient/hadoop-kms/tomcat-conf.https/conf/server.xml /opt/myclient/hadoop-kms/tomcat-conf.https/conf/server_tls1.xml 
73c73
<                clientAuth="false" sslEnabledProtocols=“TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
---
>                clientAuth="false" sslEnabledProtocols="TLSv1,SSLv2Hello"
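Review bot: the `<` side of this hunk carries a typographic opening quote (`sslEnabledProtocols=“TLSv1,...`) where the `>` side has a plain ASCII `"`; if that character is really in server.xml the attribute value is not well-formed XML and Tomcat will refuse the file, so confirm it is a copy-paste artifact before the same line goes into ssl-server.xml.conf. Note also the direction of the diff: server.xml on the left already holds the new `TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello` list and server_tls1.xml on the right is the TLSv1-only baseline, so read it as new-versus-old. Keeping `SSLv2Hello` is fine; in JSSE it only permits the SSLv2-format ClientHello wrapper, not an SSLv2 session.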

[root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000 -tls1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep Renegotiation
depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com
verify return:1

Secure Renegotiation IS supported

[root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000 -tls1_1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation
depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com
verify return:1

Secure Renegotiation IS supported

[root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000 -tls1_2 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation
depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com
verify return:1

Secure Renegotiation IS supported
{noformat}

Please review my proposed changes and suggest any feedback. I will work on the patch for submission in the meantime.


> Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory
> ----------------------------------------------
>
>                 Key: HADOOP-11218
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11218
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.7.0
>            Reporter: Robert Kanter
>            Priority: Critical
>
> HADOOP-11217 required us to specifically list the versions of TLS that KMS supports.
> With Hadoop 2.7 dropping support for Java 6 and Java 7 supporting TLSv1.1 and TLSv1.2, we
> should add them to the list.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
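The manual verification in the comment above, one `openssl s_client` run per protocol version against the KMS port, can be scripted so the same check is repeatable after each config change. The following is an added example written for this page, not code from Hadoop or from the HADOOP-11218 patch. It pins a Python `ssl` client to exactly one protocol version per handshake, records the outcome, and compares the results with a policy; the policy used here (TLSv1.1 and TLSv1.2 must be accepted, SSLv3 must be refused) is an assumption to adjust locally. Host, port and the CA file are command-line arguments; the cipher security level is lowered only inside the probe so that an OpenSSL 3 client can still offer TLS 1.0/1.1.

```python
"""Probe which SSL/TLS protocol versions a TLS endpoint accepts, one pinned handshake per version.

Added example, not Hadoop/KMS code.  Usage: python tls_probe.py HOST PORT [CA_FILE]
"""
import socket
import ssl
import sys
import warnings

# Versions to offer, oldest first.  Each probe pins the client to exactly one
# version, so a completed handshake means the server accepted *that* version.
# (SSLv2 cannot be offered by Python's ssl module and is not probed.)
VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Assumed policy for a KMS after the sslEnabledProtocols change: the modern
# versions must be accepted and SSLv3 must be refused.  Adjust to local rules.
REQUIRED = ("TLSv1.1", "TLSv1.2")
FORBIDDEN = ("SSLv3",)


def _single_version_context(version, cafile):
    """Build a client context that can negotiate only `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        # No CA given: we are testing protocol support, not server identity.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        # Python warns when pinning deprecated versions; offering them is the point.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    try:
        # OpenSSL 3 will not offer TLS 1.0/1.1 at its default security level;
        # lower it for the probe only.  Builds without SECLEVEL raise; carry on.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_version(host, port, version, cafile=None, timeout=5.0):
    """Outcome of one handshake pinned to `version`:
    the negotiated name (e.g. 'TLSv1.2') on success, 'refused' if the TLS handshake
    failed, 'unreachable' if TCP failed, 'not-offerable' if the local library
    cannot offer that version at all."""
    try:
        ctx = _single_version_context(version, cafile)
    except ValueError:
        return "not-offerable"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
    except (ssl.SSLError, OSError):
        return "refused"
    finally:
        sock.close()


def probe_all(host, port, cafile=None):
    """One pinned handshake per entry in VERSIONS; returns {name: outcome}."""
    return {name: probe_version(host, port, ver, cafile) for name, ver in VERSIONS.items()}


def evaluate(results, required=REQUIRED, forbidden=FORBIDDEN):
    """Compare probe results with policy.  Returns a list of findings; empty means compliant."""
    findings = []
    for name in required:
        if results.get(name) != name:
            findings.append(f"{name} not accepted ({results.get(name, 'not probed')})")
    for name in forbidden:
        if results.get(name) == name:
            findings.append(f"{name} accepted")
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: tls_probe.py HOST PORT [CA_FILE]")
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    results = probe_all(host, port, cafile)
    for name, outcome in results.items():
        print(f"{name:8} {outcome}")
    for finding in evaluate(results):
        print("FINDING:", finding)
```

Run it against the KMS once with the TLSv1-only connector and once after the change; the first run reports TLSv1.1 and TLSv1.2 as refused and the second shows both negotiated. Because each probe pins a single version, a `refused` result is unambiguous, whereas a client that offers a range only tells you the highest version both sides share.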
