Hadoop Common / HADOOP-12668

Support excluding weak Ciphers in HttpServer2 through ssl-server.xml


Details

    • Reviewed
    • The code changes include the following:
      - Modified DFSUtil.java in the Apache HDFS project to supply the new parameter ssl.server.exclude.cipher.list.
      - Modified HttpServer2.java in the Apache Hadoop-common project to work with the new parameter and exclude ciphers using Jetty's setExcludeCipherSuites method.
      - Modified the associated test classes to work with the existing code and also cover the new functionality in JUnit.
    • security ssl tls hadoop

    Description

      Currently, the embedded Jetty server used across all Hadoop services is configured through the ssl-server.xml file from each service's respective configuration section. However, the SSL/TLS protocol used for these Jetty servers can be downgraded to weak cipher suites. This code change aims to add the following functionality:
      1) Add logic in Hadoop Common (HttpServer2.java and associated interfaces) to spawn Jetty servers with the ability to exclude weak cipher suites. I propose we do this through ssl-server.xml, so that each service can choose to disable specific ciphers.
      2) Modify DFSUtil.java, used by the HDFS code, to supply the new parameter ssl.server.exclude.cipher.list to the hadoop-common code, so it can exclude the ciphers supplied through this key.
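
An added example, not part of this issue or its patches: a Python check that reads ssl.server.exclude.cipher.list from an ssl-server.xml and reports weak suites that would still be offered after exclusion. The sample XML, the enabled-suite list, the weak-suite regex, and the comma splitting with whitespace trimming and exact-name matching are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

EXCLUDE_KEY = "ssl.server.exclude.cipher.list"  # key named in this issue

# Constructed sample ssl-server.xml content (not taken from the patch).
SAMPLE_SSL_SERVER_XML = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>ssl.server.exclude.cipher.list</name>
    <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,
      SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5</value>
  </property>
</configuration>
"""

# Constructed list of suites a JVM might enable; stands in for a real inventory.
SAMPLE_ENABLED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]

# Assumed heuristic for "weak" suite names; adjust to local policy.
WEAK = re.compile(r"_(RC4|DES|DES40|NULL|EXPORT|anon)_|_MD5$")


def read_exclude_list(xml_text):
    """Return the cipher suite names listed under EXCLUDE_KEY, trimmed."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == EXCLUDE_KEY:
            value = prop.findtext("value") or ""
            return [c.strip() for c in value.split(",") if c.strip()]
    return []  # key absent: nothing is excluded


def audit(xml_text, enabled_suites):
    """Return (weak suites still offered, excluded names matching no enabled suite)."""
    excluded = set(read_exclude_list(xml_text))
    offered = [s for s in enabled_suites if s not in excluded]
    still_weak = [s for s in offered if WEAK.search(s)]
    unmatched = sorted(excluded - set(enabled_suites))  # typos or suites the JVM lacks
    return still_weak, unmatched


if __name__ == "__main__":
    print(audit(SAMPLE_SSL_SERVER_XML, SAMPLE_ENABLED))
```

The second list in the result is worth reviewing on its own: an excluded name that matches no enabled suite is often a misspelling that silently excludes nothing.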

      Attachments

        1. Hadoop-12668.006.patch (14 kB, Vijay Singh)
        2. Hadoop-12668.007.patch (16 kB, Vijay Singh)
        3. Hadoop-12668.008.patch (20 kB, Vijay Singh)
        4. Hadoop-12668.009.patch (20 kB, Vijay Singh)
        5. Hadoop-12668.010.patch (24 kB, Vijay Singh)
        6. Hadoop-12668.011.patch (24 kB, Vijay Singh)
        7. Hadoop-12668.012.patch (23 kB, Zhe Zhang)
        8. test.log (186 kB, Vijay Singh)

            People

              SINGHVJD Vijay Singh
              Votes: 0
              Watchers: 8

                Time Tracking

                  Original Estimate: 24h
                  Remaining Estimate: 24h
                  Time Spent: Not Specified