[AMBARI-17666] Ambari agent can't start when TLSv1 is disabled in Java security - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.0
Fix Version/s: 2.5.0, 2.4.3
Component/s: ambari-agent
Labels:
- security

Description

Currently, the commit for https://issues.apache.org/jira/browse/AMBARI-14236 explicit force the SSL protocol to TLSv1 in ambari-agent/src/main/python/ambari_agent/alerts/web_alert.py. Unfortunate, this setting in effect whenever web_alert pacackged is loaded (ambari-agent/src/main/python/ambari_agent/AlertSchedulerHandler.py) regardless whether ssl is used or not.

As a result, disabling TLSv1 in Ambari server will cause the agent to fail to start.

Recreate:

In Ambari's acitve JDK on Ambari server node, in java.security file, set jdk.tls.disabledAlgorithms=MD5, SSLv2, SSLv3, TLSv1, DSA, RC4, RSA keySize < 2048
restart ambari-server, and you will see errors in ambari agent logs:

ERROR 2016-07-11 15:11:15,269 NetUtil.py:84 - [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
ERROR 2016-07-11 15:11:15,269 NetUtil.py:85 - SSLError: Failed to connect. Please check openssl library versions.
Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

AMBARI-17666_test_trunk.patch
16/Dec/16 13:58
1 kB
Attila Doroszlai

Issue Links

is related to

AMBARI-20831 Ambari agents can only connect to the server using TLSv1

Resolved

links to

Review request #2: fix for unit test failure

review_request_

Activity

People

Assignee:: Dmitry Lysnichenko

Reporter:: Tuong Truong

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 12/Jul/16 00:06

Updated:: 25/Apr/17 22:56

Resolved:: 16/Dec/16 14:49