hadoop-hdfs-issues mailing list archives

From "Dave Thompson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7391) Renable SSLv2Hello in HttpFS
Date Wed, 12 Nov 2014 16:00:36 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14208172#comment-14208172 ]

Dave Thompson commented on HDFS-7391:

For clarification, you are not suggesting turning on SSLv2, which has 
been deprecated for 18 years, for reasons discussed in RFC 6176.

Rather, you are suggesting turning on the backwards-compatible Client-Hello
that was introduced in 1996 for transition, for clients that didn't know 
if they were connecting to an SSLv2 or SSLv3 server.

A bit surprised that there exist Hadoop clients that find this necessary.
Java 6 with openssl 0.9.8x, I believe, will support up to SSLv3.1 (TLS 1.0),
which I've used as a server... I can't speak to client configurability.

My primary concern would be that, in enabling acceptance of SSLv2 Client-Hello,
assurances/confirmation be made that a resulting SSLv2.0 session 
is not allowed.

> Renable SSLv2Hello in HttpFS
> ----------------------------
>                 Key: HDFS-7391
>                 URL: https://issues.apache.org/jira/browse/HDFS-7391
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>    Affects Versions: 2.6.0, 2.5.2
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Blocker
>         Attachments: HDFS-7391-branch-2.5.patch, HDFS-7391.patch
> We should re-enable "SSLv2Hello", which is required for older clients (e.g. Java 6 with
> openssl 0.9.8x) so they can't connect without it. Just to be clear, it does not mean SSLv2,
> which is insecure.
> I couldn't simply do an addendum patch on HDFS-7274 because it's already been closed.

This message was sent by Atlassian JIRA
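
The distinction drawn in the comment above, as an added example that is not part of the original message or of the HDFS-7391 patch: Python code that classifies the first bytes of a connection as an SSLv2-format Client-Hello or a TLS record and rejects any hello whose offered version would leave SSL 2.0 as the only outcome. The function name, the sample byte strings (constructed, not captured traffic) and the TLS 1.0 version floor are assumptions made for illustration.

```python
import struct

# Constructed samples. SSLv2-format hello layout (RFC 5246 Appendix E.2):
# 2-byte length with high bit set, msg_type=1, version(2), cipher_spec_length(2),
# session_id_length(2), challenge_length(2), then the three variable fields.
V2_HELLO_TLS10 = bytes.fromhex("802e" "01" "0301" "0015" "0000" "0010") + bytes(21 + 16)
V2_HELLO_SSL2 = bytes.fromhex("802e" "01" "0002" "0015" "0000" "0010") + bytes(21 + 16)
# Truncated TLS record: type 0x16, record version, length, ClientHello header, client_version.
TLS_RECORD = bytes.fromhex("16" "0301" "0006" "01" "000002" "0301")

MIN_VERSION = (3, 1)  # assumed policy floor: TLS 1.0, the version named in the comment


def classify_hello(data: bytes, min_version=MIN_VERSION):
    """Return (hello_format, offered_version, accept) for the first bytes of a connection."""
    # TLS record layer carrying a ClientHello: client_version sits at bytes 9..10.
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        version = (data[9], data[10])
        return ("tls-record", version, version >= min_version)

    # SSLv2-format hello: high bit of the first length byte set, msg_type == 1.
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        msg_len = ((data[0] & 0x7F) << 8) | data[1]
        major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBHHH", data[3:11])
        well_formed = (
            msg_len == 9 + cs_len + sid_len + ch_len  # header fields are consistent
            and len(data) >= 2 + msg_len              # whole message is present
            and cs_len > 0 and cs_len % 3 == 0        # v2 cipher specs are 3 bytes each
        )
        version = (major, minor)
        # The hello *format* is tolerated; an offered version of 0.2 (SSL 2.0)
        # is not, because the only session it could produce is SSL 2.0.
        return ("sslv2-format", version, well_formed and version >= min_version)

    return ("unknown", None, False)


if __name__ == "__main__":
    for name, sample in [("v2 hello, TLS 1.0", V2_HELLO_TLS10),
                         ("v2 hello, SSL 2.0", V2_HELLO_SSL2),
                         ("TLS record", TLS_RECORD)]:
        print(name, classify_hello(sample))
```
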
