Details
-
Bug
-
Status: Resolved
-
Critical
-
Resolution: Fixed
-
2.4.0
-
None
Description
SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up.
Currently the following protocols are explicitly enabled:
- SSLv2Hello
- TLSv1
factory.setIncludeProtocols(new String[] { "SSLv2Hello","TLSv1"});
However the following protocols should be enabled by default:
- SSLv2Hello
- TLSv1
- TLSv1.1
- TLSv1.2
- SSLv3
factory.setIncludeProtocols(new String[] {"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
Once set, the protocols may be filtered out using the security.server.disabled.protocols property from the ambari.properties file. For example:
security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello
The availability of a particular protocol may be tested using the OpenSSL s_client facility.
openssl s_client -connect localhost:8440 -tls1_2
CONNECTED(00000003) depth=0 C = XX, L = Default City, O = Default Company Ltd verify error:num=18:self signed certificate verify return:1 depth=0 C = XX, L = Default City, O = Default Company Ltd verify return:1 --- Certificate chain 0 s:/C=XX/L=Default City/O=Default Company Ltd i:/C=XX/L=Default City/O=Default Company Ltd --- Server certificate -----BEGIN CERTIFICATE----- MIIā¦ -----END CERTIFICATE----- subject=/C=XX/L=Default City/O=Default Company Ltd issuer=/C=XX/L=Default City/O=Default Company Ltd --- No client certificate CA names sent Server Temp Key: ECDH, secp521r1, 521 bits --- SSL handshake has read 2248 bytes and written 441 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 5829F75B49C2FED58C60CB7663181B39BCA3AF473F253EDB4BA04D827B9D58BA Session-ID-ctx: Master-Key: 46301FB9B4263547C62F8C793380319DC60A10C1D077C7DAB52D328B12D1FB4B868EE5131CD7F62917C02866196317B8 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1479145307 Timeout : 7200 (sec) Verify return code: 18 (self signed certificate) ---
CONNECTED(00000003) 140518067173192:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1479145122 Timeout : 7200 (sec) Verify return code: 0 (ok) ---
Note: This does not address the agent-side issue of connecting to an Ambari server where TLSv1 is disabled. See AMBARI-17666.
Attachments
Attachments
Issue Links
- relates to
-
AMBARI-20545 Remove the use of legacy SSL and TLS protocol versions
- Open
- links to