
Ambari Server is vulnerable to logjam


Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 2.1.0
    • Fix Version/s: None
    • Component/s: ambari-server
    • Labels: None
    • Environment: Red Hat Enterprise Linux Server release 6.6

    Description

      All Ambari services running in the Jetty server, as well as the Ambari server itself, are vulnerable to Logjam; see https://weakdh.org/ for details.
      Test setting up Ambari SSL:
      1. Create a self-signed certificate
      openssl genrsa -out $wserver.key 2048
      openssl req -new -key $wserver.key -out $wserver.csr
      openssl x509 -req -days 365 -in $wserver.csr -signkey $wserver.key -out $wserver.crt
      where $wserver is the hostname of the Ambari server.

      2. Run ambari-server setup-security

      3. Run openssl to check the ephemeral DH key length
      openssl s_client -connect bdvs1390.svl.ibm.com:8444 -cipher "EDH" | grep "Server Temp Key"
      depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = sever.com, emailAddress = test
      verify error:num=18:self signed certificate
      verify return:1
      depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = server.com, emailAddress = test
      verify return:1
      Server Temp Key: DH, 1024 bits
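      A defender-side check derived from step 3, as an added example that is not part of this ticket: it parses the "Server Temp Key" line that openssl s_client prints and classifies the ephemeral DH group size, flagging anything under 2048 bits (the size weakdh.org recommends after Logjam). The parser is exercised offline against constructed sample output; check_host_dh is a hypothetical wrapper around the ticket's own command and assumes openssl is on PATH.

```shell
# Added example (not from the Ambari ticket): classify the ephemeral DH key size
# reported by `openssl s_client -cipher EDH`. 1024-bit DH groups are the Logjam
# target; require >= 2048 bits.

# Read s_client output on stdin and print the DH temp key size in bits, or
# print nothing if no "Server Temp Key: DH" line is present (e.g. the server
# refused the EDH cipher, or negotiated ECDH instead).
dh_temp_key_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Verdict for a bit count: "weak" (< 2048), "ok" (>= 2048), "none" (no DH key seen).
dh_verdict() {
    bits="$1"
    if [ -z "$bits" ]; then
        echo none
    elif [ "$bits" -lt 2048 ]; then
        echo weak
    else
        echo ok
    fi
}

# Hypothetical live check of host:port (same probe as the ticket's step 3, with
# the grep replaced by the parser above). Not called below; assumes openssl on PATH.
check_host_dh() {
    host_port="$1"
    bits=$(openssl s_client -connect "$host_port" -cipher "EDH" </dev/null 2>/dev/null | dh_temp_key_bits)
    dh_verdict "$bits"
}

# Constructed sample output mirroring the 1024-bit case shown in the ticket,
# plus a 2048-bit case and an ECDH-only case, so the parser runs offline.
SAMPLE_WEAK='depth=0 C = US, ST = CA, O = Example, CN = server.example
verify return:1
Server Temp Key: DH, 1024 bits
---'
SAMPLE_OK='Server Temp Key: DH, 2048 bits'
SAMPLE_NONE='Server Temp Key: ECDH, P-256, 256 bits'

# Usage: classify the constructed samples.
for sample in "$SAMPLE_WEAK" "$SAMPLE_OK" "$SAMPLE_NONE"; do
    bits=$(printf '%s\n' "$sample" | dh_temp_key_bits)
    echo "DH temp key: ${bits:-none} bits -> $(dh_verdict "$bits")"
done
```

      Run against a real server, check_host_dh returns "weak" for the 1024-bit setup the ticket reproduces and "none" when EDH is disabled outright; either result should be treated as a finding to follow up with the Jetty DH parameter configuration.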

      Furthermore, some versions of Firefox reject the certificate, so the Ambari server is not accessible from the browser.

      Jira https://issues.apache.org/jira/browse/KNOX-566 has already been opened for Knox.

      People
      Assignee: Unassigned
      Reporter: Jeffrey E Rodriguez