Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.6.0
    • Fix Version/s: 2.6.0
    • Component/s: kms
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      We should disable SSLv3 in KMS to protect against the POODLEbleed vulnerability.
      See CVE-2014-3566

      We have sslProtocol="TLS" set to only allow TLS in ssl-server.xml, but when I checked, I could still connect with SSLv3. There documentation is somewhat unclear in the tomcat configs between sslProtocol, sslProtocols, and sslEnabledProtocols and what each value they take does exactly. From what I can gather, sslProtocol="TLS" actually includes SSLv3 and the only way to fix this is to explicitly list which TLS versions we support.

        Attachments

        1. HADOOP-11217.patch
          0.7 kB
          Robert Kanter
        2. HADOOP-11217.patch
          0.7 kB
          Robert Kanter
        3. HADOOP-11217-addendum.patch
          0.8 kB
          Robert Kanter

          Issue Links

            Activity

              People

              • Assignee:
                rkanter Robert Kanter
                Reporter:
                rkanter Robert Kanter
              • Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: