hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vijay Singh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12668) Modify HDFS embeded jetty server logic in HttpServer2.java to exclude weak Ciphers through ssl-server.conf
Date Wed, 13 Jan 2016 23:07:40 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097231#comment-15097231
] 

Vijay Singh commented on HADOOP-12668:
--------------------------------------

Thanks for the feedback. I will include the property for both to include and exclude ciphers.
Since all these services are based on jetty  and since jetty first covers included ciphers
followed by excluded ciphers causing the excluded ciphers to take precedence and override
included ciphers selection in case of conflict, similar behavior will be observed in hadoop
services as well.
Please refer the following link for jetty cipher selection behavior. 
https://wiki.eclipse.org/Jetty/Howto/CipherSuites
Please read Disabling Cipher Suites Section for verifying jetty behavior. I will work on this
request and submit the updated patch tonight.

> Modify HDFS embeded jetty server logic in HttpServer2.java to exclude weak Ciphers through
ssl-server.conf
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-12668
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12668
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.7.1
>            Reporter: Vijay Singh
>            Assignee: Vijay Singh
>            Priority: Critical
>              Labels: common, ha, hadoop, hdfs, security
>         Attachments: Hadoop-12668.006.patch
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Currently Embeded jetty Server used across all hadoop services is configured through
ssl-server.xml file from their respective configuration section. However, the SSL/TLS protocol
being used for this jetty servers can be downgraded to weak cipher suites. This code changes
aims to add following functionality:
> 1) Add logic in hadoop common (HttpServer2.java and associated interfaces) to spawn jetty
servers with ability to exclude weak cipher suites. I propose we make this though ssl-server.xml
and hence each service can choose to disable specific ciphers.
> 2) Modify DFSUtil.java used by HDFS code to supply new parameter ssl.server.exclude.cipher.list
for hadoop-common code, so it can exclude the ciphers supplied through this key.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message