hadoop-common-issues mailing list archives

From "John Zhuge (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-14083) KMS should support old SSL clients
Date Wed, 15 Feb 2017 20:05:42 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Zhuge updated HADOOP-14083:
    Attachment: HADOOP-14083.branch-2.001.patch

Patch branch-2.001
* Add env KMS_SSL_CIPHERS, default to a list of selected ciphers
* Configure Tomcat to accept a list of ciphers

* Discuss Allen's idea of strong security by default

Testing done
* hadoop-kms unit tests
* Verify KMS_SSL_CIPHERS value on stdout during kms startup
* Run https://github.com/jzhuge/hadoop-bats-tests/blob/master/kms.bats in insecure, SSL, and SSL+Kerberos single node setup
* sslscan result should include only listed ciphers
* On CentOS 6.6, run the following curl command. Expect {{NSS error -12286}} without the fix.
curl -v -k [--negotiate] -u: -sS 'https://<kms_host>:16000/kms/v1/keys/names'

> KMS should support old SSL clients
> ----------------------------------
>                 Key: HADOOP-14083
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14083
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 2.8.0, 2.7.4, 2.6.6
>            Reporter: John Zhuge
>            Assignee: John Zhuge
>            Priority: Minor
>         Attachments: HADOOP-14083.branch-2.001.patch
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL clients such as curl stop working. The symptom is {{NSS error -12286}} when running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to explicitly allow enough weak ciphers so that old SSL clients can work.
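
The "only listed ciphers" check from the testing list, written out as an added example (not part of the original message or of the HADOOP-14083 patch). It assumes KMS_SSL_CIPHERS holds a comma-separated list and that the scan output has already been reduced to suite names in the same naming scheme; the sample values and the weak-suite markers are constructed for illustration.

```python
# Added example: compare a cipher allow-list with the suites a scan saw accepted.
# Markers are this example's own classification of weak suites (assumption).
WEAK_MARKERS = {
    "_NULL_": "no encryption",
    "_EXPORT_": "export-grade key size",
    "_ANON_": "unauthenticated key exchange",
    "_RC4_": "RC4 stream cipher",
    "_DES_": "single DES",
    "_DES40_": "40-bit DES",
    "_3DES_": "3DES (64-bit block)",
    "_MD5": "MD5 MAC",
}

def parse_cipher_list(value):
    """Split a comma-separated list (assumed format of KMS_SSL_CIPHERS)."""
    return [name.strip() for name in value.split(",") if name.strip()]

def weak_reasons(suite):
    """Return why a suite name is considered weak; empty list if it is not."""
    upper = suite.upper()
    return [why for marker, why in WEAK_MARKERS.items() if marker in upper]

def audit(configured_value, accepted_suites):
    """Report drift between the allow-list and what the server accepted."""
    allowed = parse_cipher_list(configured_value)
    accepted = {s.strip() for s in accepted_suites if s.strip()}
    return {
        # Accepted by the server but not in the list: the test step fails.
        "unexpected": sorted(accepted - set(allowed)),
        # Listed but never accepted: typo or unsupported by the JVM/connector.
        "not_offered": sorted(set(allowed) - accepted),
        # Weak suites that were allowed on purpose; keep this set reviewed.
        "weak_allowed": {s: weak_reasons(s) for s in allowed if weak_reasons(s)},
    }

# Constructed sample values, not the defaults from the patch.
SAMPLE_KMS_SSL_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,"
    " TLS_RSA_WITH_3DES_EDE_CBC_SHA"
)
SAMPLE_SCAN = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_KMS_SSL_CIPHERS, SAMPLE_SCAN).items():
        print(key, value)
```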
