hadoop-common-issues mailing list archives

From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14083) KMS should support old SSL clients
Date Thu, 16 Feb 2017 08:44:41 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15869544#comment-15869544 ]

Xiao Chen commented on HADOOP-14083:

Thanks John for filing a jira and providing a patch, and Allen for discussion.

I agree with Allen that best practice is to default to strong, and allow people to configure.

But from this [comment|https://issues.apache.org/jira/browse/HADOOP-13812?focusedCommentId=15695443&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15695443]
of HADOOP-13812, clients could break outright after upgrading. HADOOP-13812 is marked incompatible,
but is in x.y.z branches to include Tomcat security fixes.

So choosing between the two frown-upon's, IMO we should trade off for compatibility here,
and release doc it so security-concerned users are aware.

> KMS should support old SSL clients
> ----------------------------------
>                 Key: HADOOP-14083
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14083
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 2.8.0, 2.7.4, 2.6.6
>            Reporter: John Zhuge
>            Assignee: John Zhuge
>            Priority: Minor
>         Attachments: HADOOP-14083.branch-2.001.patch
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL clients such as curl stop working. The symptom is {{NSS error -12286}} when running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to explicitly allow enough weak ciphers so that old SSL clients can work.
