[HADOOP-11217] Disable SSLv3 in KMS - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.6.0
Fix Version/s: 2.6.0
Component/s: kms
Labels:
None

Target Version/s:

2.6.0
Hadoop Flags:

Reviewed

Description

We should disable SSLv3 in KMS to protect against the POODLEbleed vulnerability.
See CVE-2014-3566

We have sslProtocol="TLS" set to only allow TLS in ssl-server.xml, but when I checked, I could still connect with SSLv3. There documentation is somewhat unclear in the tomcat configs between sslProtocol, sslProtocols, and sslEnabledProtocols and what each value they take does exactly. From what I can gather, sslProtocol="TLS" actually includes SSLv3 and the only way to fix this is to explicitly list which TLS versions we support.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-11217-addendum.patch
11/Nov/14 22:30
0.8 kB
Robert Kanter
HADOOP-11217.patch
23/Oct/14 18:10
0.7 kB
Robert Kanter
HADOOP-11217.patch
21/Oct/14 22:00
0.7 kB
Robert Kanter

Issue Links

is related to

HDFS-7274 Disable SSLv3 in HttpFS

Closed

relates to

HADOOP-11218 Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory

Resolved

HADOOP-11243 SSLFactory shouldn't allow SSLv3

Closed

Activity

People

Assignee:: Robert Kanter

Reporter:: Robert Kanter

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 21/Oct/14 21:37

Updated:: 01/Dec/14 03:10

Resolved:: 13/Nov/14 02:43