  1. Ambari
  2. AMBARI-17666

Ambari agent can't start when TLSv1 is disabled in Java security

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.5.0, 2.4.3
    • Component/s: ambari-agent
    • Labels:

      Description

      Currently, the commit for https://issues.apache.org/jira/browse/AMBARI-14236 explicitly forces the SSL protocol to TLSv1 in ambari-agent/src/main/python/ambari_agent/alerts/web_alert.py. Unfortunately, this setting is in effect whenever the web_alert package is loaded (ambari-agent/src/main/python/ambari_agent/AlertSchedulerHandler.py), regardless of whether SSL is used or not.

      As a result, disabling TLSv1 in Ambari server will cause the agent to fail to start.

      Recreate:

      In Ambari's active JDK on the Ambari server node, in the java.security file, set jdk.tls.disabledAlgorithms=MD5, SSLv2, SSLv3, TLSv1, DSA, RC4, RSA keySize < 2048
      Restart ambari-server, and you will see errors in the ambari agent logs:

      ERROR 2016-07-11 15:11:15,269 NetUtil.py:84 - [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
      ERROR 2016-07-11 15:11:15,269 NetUtil.py:85 - SSLError: Failed to connect. Please check openssl library versions.
      Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details.
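
A compatibility check for the situation described above, as an added example that is not part of the original report or of Ambari's code: it reads the jdk.tls.disabledAlgorithms value from java.security text and reports whether a client pinned to a single protocol version, as the agent is to TLSv1, can still complete a handshake. The function names, the protocol list and the sample text are assumptions made for illustration; only the property value comes from the report.

```python
import re

# Protocol names as they appear in jdk.tls.disabledAlgorithms, oldest first.
# Whether the JDK actually supports each one depends on its version.
TLS_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
PROPERTY = "jdk.tls.disabledAlgorithms"


def disabled_algorithms(java_security_text):
    """Return the entries of jdk.tls.disabledAlgorithms, or [] if it is unset."""
    # A properties line ending in a backslash continues on the next line.
    joined = re.sub(r"\\\r?\n[ \t]*", "", java_security_text)
    value = ""
    for line in joined.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, val = line.partition("=")
        if sep and key.strip() == PROPERTY:
            value = val  # a later definition overrides an earlier one
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def protocols_not_disabled(entries):
    """Protocol versions that the disabled list leaves available."""
    # Entries such as "RSA keySize < 2048" are key constraints, not protocols;
    # only entries that are exactly a protocol name count here.
    disabled = {entry.lower() for entry in entries}
    return [p for p in TLS_PROTOCOLS if p.lower() not in disabled]


def pinned_client_ok(java_security_text, pinned_protocol):
    """True if a client that offers only pinned_protocol can still handshake."""
    entries = disabled_algorithms(java_security_text)
    return pinned_protocol in protocols_not_disabled(entries)


# Constructed sample: the value is the one from the report, wrapped with a
# continuation line and preceded by a commented-out older setting.
SAMPLE = """\
# jdk.tls.disabledAlgorithms=SSLv3, RC4
jdk.tls.disabledAlgorithms=MD5, SSLv2, SSLv3, TLSv1, DSA, RC4, \\
    RSA keySize < 2048
"""

if __name__ == "__main__":
    print("not disabled:", protocols_not_disabled(disabled_algorithms(SAMPLE)))
    for proto in ("TLSv1", "TLSv1.2"):
        print(proto, "pinned client can connect:", pinned_client_ok(SAMPLE, proto))
```

Running the check against every server's java.security before tightening the disabled list shows which pinned clients would be locked out by the change.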

        Attachments

        1. AMBARI-17666_test_trunk.patch
          1 kB
          Attila Doroszlai

              People

              • Assignee:
                dmitriusan Dmitry Lysnichenko
                Reporter:
                tctruong213 Tuong Truong