hadoop-common-issues mailing list archives

From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-12886) Exclude weak ciphers in SSLFactory through ssl-server.xml
Date Fri, 04 Mar 2016 02:00:43 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-12886?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wei-Chiu Chuang updated HADOOP-12886:
-------------------------------------
    Attachment: HADOOP-12886.001.patch

Rev01: initial patch for SSLFactory to exclude cipher suites listed in ssl-server.xml.

I have tested this patch on a CDH cluster, and this is the result of opening an SSL connection
using excluded cipher suites to a data node web URL:
{noformat}
openssl s_client -connect weichiu-cipher-2.vpc.cloudera.com:20004 -cipher RC4-SHA
CONNECTED(00000003)
139952247441224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 99 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
{noformat}

I'll include test cases in the next revision.

> Exclude weak ciphers in SSLFactory through ssl-server.xml
> ---------------------------------------------------------
>
>                 Key: HADOOP-12886
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12886
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 2.7.2
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>              Labels: Netty, datanode, security
>         Attachments: HADOOP-12886.001.patch
>
>
> HADOOP-12668 added support to exclude weak ciphers in HttpServer2, which is good for
> name nodes. But data node web UI is based on Netty, which uses SSLFactory and does not read
> ssl-server.xml to exclude the ciphers.
> We should also add the same support for Netty for consistency.
> I will attach a full patch later.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
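
The exclusion this issue asks for, as an added example that is not the attached patch or Hadoop's own code: it removes an exclude list from an `SSLEngine`'s enabled suites using the standard JSSE API. The class name, helper names and the sample list are assumptions; the ssl-server.xml key that would supply the list is not shown in this message.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ExcludeCiphersExample {

    /** Parse a comma-separated exclude list, ignoring whitespace and empty items. */
    static Set<String> parseExcludeList(String csv) {
        Set<String> out = new HashSet<>();
        if (csv == null) return out;
        for (String s : csv.split(",")) {
            String name = s.trim();
            if (!name.isEmpty()) out.add(name);
        }
        return out;
    }

    /** Return the enabled suites minus the excluded ones, preserving preference order. */
    static String[] filter(String[] enabled, Set<String> excluded) {
        List<String> kept = new ArrayList<>();
        for (String suite : enabled) {
            if (!excluded.contains(suite)) kept.add(suite);
        }
        if (kept.isEmpty()) {
            // Fail closed: falling back to the defaults here would silently
            // re-enable the suites the operator asked to exclude.
            throw new IllegalStateException("exclude list removes every enabled cipher suite");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value. Entries must be JSSE names: OpenSSL's
        // "RC4-SHA" is SSL_RSA_WITH_RC4_128_SHA here, and a name that matches
        // nothing is ignored, so a misspelt entry excludes nothing.
        String csv = "SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_RC4_128_SHA";
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // server side, as for the data node web UI
        String[] before = engine.getEnabledCipherSuites();
        engine.setEnabledCipherSuites(filter(before, parseExcludeList(csv)));
        // On JDKs that already disable RC4 by default the two counts are equal.
        System.out.println("enabled before: " + before.length
            + ", after: " + engine.getEnabledCipherSuites().length);
    }
}
```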
