hadoop-common-issues mailing list archives

From "Mike Yoder (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
Date Tue, 04 Nov 2014 17:56:35 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196454#comment-14196454 ]

Mike Yoder commented on HADOOP-11260:
-------------------------------------

Ah, well there's my answer.  The docs for SSLContext say

{quote}
Every implementation of the Java platform is required to support the following standard SSLContext
protocol: TLSv1
{quote}

And all of the SSLContext algorithms at http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
say "may support other versions".

In SSLFactory's init(), if I explicitly set the enabled protocols to "SSLv3" the internal
default client protocol list still has "TLSv1" in it.  Looks like it's possible to remove
SSLv3, but not possible to remove TLSv1.  So nope, no easy way to test. 



> Patch up Jetty to disable SSLv3
> -------------------------------
>
>                 Key: HADOOP-11260
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11260
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.5.1
>            Reporter: Karthik Kambatla
>            Assignee: Mike Yoder
>            Priority: Blocker
>         Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch
>
>
> Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
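
The protocol filtering discussed in the comment above, as an added example that is not part of the original message, the HADOOP-11260 patches, or Hadoop's SSLFactory: it removes "SSLv3" from an SSLEngine's enabled protocols using standard JSSE calls and checks the result. The class name DisableSslv3Example and the helper withoutSslv3 are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class DisableSslv3Example {
    // Protocol name to exclude, as spelled in the JSSE standard names.
    private static final String EXCLUDED = "SSLv3";

    /** Returns the given protocol list without SSLv3, preserving order. */
    static String[] withoutSslv3(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (!EXCLUDED.equals(p)) {
                kept.add(p);
            }
        }
        // Fail loudly rather than hand the engine an empty protocol list.
        if (kept.isEmpty()) {
            throw new IllegalStateException("no protocol left after removing " + EXCLUDED);
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers and RNG
        SSLEngine engine = ctx.createSSLEngine();

        System.out.println("supported:      " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled before: " + Arrays.toString(engine.getEnabledProtocols()));

        // Keep whatever the runtime enabled by default, minus SSLv3.
        engine.setEnabledProtocols(withoutSslv3(engine.getEnabledProtocols()));

        String[] after = engine.getEnabledProtocols();
        System.out.println("enabled after:  " + Arrays.toString(after));
        if (Arrays.asList(after).contains(EXCLUDED)) {
            throw new AssertionError(EXCLUDED + " is still enabled");
        }
    }
}
```

The printed lists depend on the JDK version and its security configuration, so the example checks only that "SSLv3" is absent after filtering.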
