Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.8.0, 2.7.4, 2.6.6
    • Fix Version/s: 2.9.0
    • Component/s: kms
    • Labels: None
    • Target Version/s:
    • Hadoop Flags: Reviewed

      Description

      HADOOP-13812 upgraded Tomcat to 6.0.48, which filters out weak ciphers. Old SSL clients such as curl stop working. The symptom is NSS error -12286 when running curl -v.

      Instead of forcing the SSL clients to upgrade, we can configure Tomcat to explicitly allow enough weak ciphers so that old SSL clients can work.

          Activity

          John Zhuge added a comment - edited

          Filed a follow-up HADOOP-14141 Store KMS SSL keystore password in catalina.properties.

          John Zhuge added a comment -

          Thanks Lei (Eddy) Xu and Xiao Chen for the review and commit. Thanks Allen Wittenauer and Robert Kanter for the reviews and comments.

          Lei (Eddy) Xu added a comment -

          +1. It LGTM. All checks and tests are green.

          Committed to branch-2.

          Thanks for contributing this, John Zhuge, and thanks for the reviews from Allen Wittenauer, Xiao Chen and Robert Kanter.

          Xiao Chen added a comment -

          KMS_SILENT changes do not apply to trunk because kms.sh has been re-written

          Oh, right. I knew that....
          I'm fine either way then, since the 3 points are not strong:

          • apply to trunk: not true
          • compatibility: don't think there's anything depending on printing those information except for debugging.
          • cleanness: judgement call

          So +1, and +1 to the HTTPFS equivalent.

          John Zhuge added a comment - edited

          KMS_SILENT changes do not apply to trunk because kms.sh has been re-written and kms-config.sh removed in trunk.

          Xiao Chen added a comment -

          Thanks John, as chatted offline let's split that to another jira since that will likely apply to trunk as well. And personally not sure whether that change is deemed incompatible by admins or not....

          John Zhuge added a comment -

          Sure Xiao Chen, I will move KMS_SILENT enhancements to another JIRA; they somewhat improve operational security by hiding some sensitive info from the console.

          Xiao Chen added a comment -

          I'd prefer to have the KMS_SILENT changes separate for cleanness. +1 pending that. Thanks for the work here John.

          Any comments from Allen Wittenauer ?

          John Zhuge added a comment -

          are those KMS_SILENT changes related here?

          Just a random enhancement I threw in.

          how is the catalina-default.properties file generated / written? I'm not familiar with tomcat enough to review that file. Any links appreciated.

          I generated the file catalina-default.properties based on the catalina.properties automatically generated by Tomcat if it is missing. Without the default properties, Tomcat would not accept the file with only custom properties.

          Xiao Chen added a comment -

          Thanks for the patch John Zhuge. Seems fine to me overall, just a couple questions:

          • are those KMS_SILENT changes related here?
          • how is the catalina-default.properties file generated / written? I'm not familiar with tomcat enough to review that file. Any links appreciated.
          Hadoop QA added a comment -
          -1 overall

          Vote Subsystem Runtime Comment
          0 reexec 0m 17s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 6m 29s branch-2 passed
          +1 compile 5m 37s branch-2 passed with JDK v1.8.0_121
          +1 compile 6m 29s branch-2 passed with JDK v1.7.0_121
          +1 mvnsite 0m 25s branch-2 passed
          +1 mvneclipse 0m 17s branch-2 passed
          +1 javadoc 0m 14s branch-2 passed with JDK v1.8.0_121
          +1 javadoc 0m 17s branch-2 passed with JDK v1.7.0_121
          +1 mvninstall 0m 20s the patch passed
          +1 compile 5m 31s the patch passed with JDK v1.8.0_121
          +1 javac 5m 31s the patch passed
          +1 compile 6m 30s the patch passed with JDK v1.7.0_121
          +1 javac 6m 30s the patch passed
          +1 mvnsite 0m 25s the patch passed
          +1 mvneclipse 0m 18s the patch passed
          +1 shellcheck 0m 9s The patch generated 0 new + 515 unchanged - 3 fixed = 515 total (was 518)
          +1 shelldocs 0m 8s There were no new shelldocs issues.
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 xml 0m 0s The patch has no ill-formed XML file.
          +1 javadoc 0m 14s the patch passed with JDK v1.8.0_121
          +1 javadoc 0m 16s the patch passed with JDK v1.7.0_121
          +1 unit 1m 46s hadoop-kms in the patch passed with JDK v1.7.0_121.
          +1 asflicense 0m 24s The patch does not generate ASF License warnings.
          39m 5s

          Subsystem Report/Notes
          Docker Image:yetus/hadoop:b59b8b7
          JIRA Issue HADOOP-14083
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12853456/HADOOP-14083.branch-2.002.patch
          Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit xml shellcheck shelldocs
          uname Linux 6f42f8dc0374 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision branch-2 / 8a88e8e
          Default Java 1.7.0_121
          Multi-JDK versions /usr/lib/jvm/java-8-oracle:1.8.0_121 /usr/lib/jvm/java-7-openjdk-amd64:1.7.0_121
          shellcheck v0.4.5
          JDK v1.7.0_121 Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11656/testReport/
          modules C: hadoop-common-project/hadoop-kms U: hadoop-common-project/hadoop-kms
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11656/console
          Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          John Zhuge added a comment -

          Patch branch-2.002

          • Use file catalina.properties to transfer KMS properties instead of env CATALINA_OPTS
          • Create catalina-default.properties to store default Tomcat properties
          • Update doc

          TODO

          • Discuss Allen's idea of strong security by default

          Follow up in a new JIRA

          • Refactor KMS scripts based on catalina.properties technique

          Testing done

          • Run https://github.com/jzhuge/hadoop-bats-tests/blob/master/kms.bats in insecure and SSL single node setup
          • Run sslscan to verify ciphers in the following test cases:
            • No KMS_SSL_CIPHERS, to allow KMS default ciphers
            • KMS_SSL_CIPHERS="TLS_RSA_WITH_AES_128_CBC_SHA256", to allow this cipher only
          Robert Kanter added a comment -

          Good news is, trunk has gotten rid of tomcat and is on jetty now!

          Oh, right. I knew that.

          Allen Wittenauer added a comment -

          How can I fix the shellcheck errors for the multi-line string?

          It's really shellcheck giving a hint that this is doing something it shouldn't. There are two key problems with this approach:

          1) any space in that string will cause a new option to be formed on the command line

          2) the command line is going to be REALLY long and will likely blow CLI buffers on some operating systems

          Maybe this should just be a change to catalina.properties?

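An added shell example (not code from the HADOOP-14083 patch) that makes Allen's two points concrete and shows the catalina.properties route adopted in patch branch-2.002 above: a cipher list with embedded whitespace word-splits into several command-line words when expanded into CATALINA_OPTS, while a properties file carries the whole list intact regardless of its length. The property name kms.ssl.ciphers, the file handling and the sample lists are assumptions made for this example.

```shell
#!/bin/sh
# Added example for HADOOP-14083, not code from the patch itself.
# Shows why a long cipher list is better carried to Tomcat through a
# catalina.properties-style file than through the CATALINA_OPTS environment
# variable. Assumptions: the property name kms.ssl.ciphers (server.xml would
# then reference it as ${kms.ssl.ciphers}) and the sample cipher lists below.

# How many command-line words an unquoted expansion of $1 produces.
# Passed through CATALINA_OPTS, a list containing any whitespace becomes
# several words, i.e. several JVM options, which is Allen's first point.
word_count() {
  # shellcheck disable=SC2086  # the unquoted expansion is what is measured
  set -- $1
  echo $#
}

# 0 if $1 is a well-formed comma-separated list of JSSE-style cipher names
# (one shell word, no empty entries, every entry prefixed TLS_ or SSL_).
validate_cipher_list() {
  list=$1
  [ "$(word_count "$list")" = 1 ] || return 1
  case "$list" in *,,*|,*|*,) return 1 ;; esac
  old_ifs=$IFS
  IFS=,
  rc=0
  for c in $list; do
    case "$c" in
      TLS_*|SSL_*) ;;
      *) rc=1 ;;
    esac
  done
  IFS=$old_ifs
  return $rc
}

# Write the validated list as kms.ssl.ciphers=... into $1, replacing any
# earlier value. The file length does not touch the JVM command line at all,
# which addresses Allen's second point.
write_cipher_property() {
  file=$1
  list=$2
  validate_cipher_list "$list" || return 1
  if [ -f "$file" ]; then
    grep -v '^kms\.ssl\.ciphers=' "$file" > "$file.tmp" || :
    mv "$file.tmp" "$file"
  fi
  printf 'kms.ssl.ciphers=%s\n' "$list" >> "$file"
}

# Read the value back, as Tomcat's property substitution would see it.
read_cipher_property() {
  sed -n 's/^kms\.ssl\.ciphers=//p' "$1"
}

# Constructed sample values: a clean list and the same list with a stray
# space after a comma, as a hand-edited kms-env.sh might contain.
CLEAN_LIST='TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256'
SPACED_LIST='TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'

echo "clean list expands to $(word_count "$CLEAN_LIST") word(s)"    # 1
echo "spaced list expands to $(word_count "$SPACED_LIST") word(s)"  # 2
demo_file=$(mktemp)
write_cipher_property "$demo_file" "$CLEAN_LIST" && cat "$demo_file"
rm -f "$demo_file"
```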
          Xiao Chen added a comment -

          Good news is, trunk has gotten rid of tomcat and is on jetty now!

          Robert Kanter added a comment -

          In that case, we could have a branch-2 version of the patch which includes the older ciphers for compatibility, and a trunk version of the patch that does not for security. That said, we have broken compatibility in the past for security fixes.

          Xiao Chen added a comment -

          Thanks John for filing a jira and providing a patch, and Allen for discussion.

          I agree with Allen that best practice is default to strong, and allow people to configure.

          But from this comment of HADOOP-13812, clients could break outright after upgrading. HADOOP-13812 is marked incompatible, but in x.y.z branches to include tomcat security fixes.

          So choosing between the two frown-upon's, IMO we should trade off for compatibility here, and release doc it so security-concerned users are aware.

          John Zhuge added a comment -

          Allen Wittenauer How can I fix the shellcheck errors for the multi-line string? Just disable SC2140?

          ./hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh:72:79: warning: Word is on the form "A"B"C" (B indicated). Did you mean "ABC" or "A\"B\"C"? [SC2140]
          ./hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh:73:79: warning: Word is on the form "A"B"C" (B indicated). Did you mean "ABC" or "A\"B\"C"? [SC2140]
          
          71	#  export KMS_SSL_CIPHERS=\
          72	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"\
          73	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"\
          74	"TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,"\
          
          Hadoop QA added a comment -
          -1 overall

          Vote Subsystem Runtime Comment
          0 reexec 20m 36s Docker mode activated.
          +1 @author 0m 0s The patch does not contain any @author tags.
          -1 test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
          +1 mvninstall 9m 1s branch-2 passed
          +1 compile 5m 43s branch-2 passed with JDK v1.8.0_121
          +1 compile 6m 35s branch-2 passed with JDK v1.7.0_121
          +1 mvnsite 0m 26s branch-2 passed
          +1 mvneclipse 0m 19s branch-2 passed
          +1 javadoc 0m 16s branch-2 passed with JDK v1.8.0_121
          +1 javadoc 0m 17s branch-2 passed with JDK v1.7.0_121
          +1 mvninstall 0m 20s the patch passed
          +1 compile 5m 41s the patch passed with JDK v1.8.0_121
          +1 javac 5m 41s the patch passed
          +1 compile 6m 36s the patch passed with JDK v1.7.0_121
          +1 javac 6m 36s the patch passed
          +1 mvnsite 0m 25s the patch passed
          +1 mvneclipse 0m 17s the patch passed
          -1 shellcheck 0m 7s The patch generated 18 new + 518 unchanged - 0 fixed = 536 total (was 518)
          +1 shelldocs 0m 8s There were no new shelldocs issues.
          +1 whitespace 0m 0s The patch has no whitespace issues.
          +1 javadoc 0m 15s the patch passed with JDK v1.8.0_121
          +1 javadoc 0m 17s the patch passed with JDK v1.7.0_121
          +1 unit 2m 7s hadoop-kms in the patch passed with JDK v1.7.0_121.
          +1 asflicense 0m 26s The patch does not generate ASF License warnings.
          63m 15s

          Subsystem Report/Notes
          Docker Image:yetus/hadoop:b59b8b7
          JIRA Issue HADOOP-14083
          JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12852897/HADOOP-14083.branch-2.001.patch
          Optional Tests asflicense mvnsite unit shellcheck shelldocs compile javac javadoc mvninstall
          uname Linux 6ba85d1b4f68 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
          Build tool maven
          Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
          git revision branch-2 / 323782b
          Default Java 1.7.0_121
          Multi-JDK versions /usr/lib/jvm/java-8-oracle:1.8.0_121 /usr/lib/jvm/java-7-openjdk-amd64:1.7.0_121
          shellcheck v0.4.5
          shellcheck https://builds.apache.org/job/PreCommit-HADOOP-Build/11635/artifact/patchprocess/diff-patch-shellcheck.txt
          JDK v1.7.0_121 Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/11635/testReport/
          modules C: hadoop-common-project/hadoop-kms U: hadoop-common-project/hadoop-kms
          Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/11635/console
          Powered by Apache Yetus 0.5.0-SNAPSHOT http://yetus.apache.org

          This message was automatically generated.

          John Zhuge added a comment -

          Patch branch-2.001

          • Add env KMS_SSL_CIPHERS, default to a list of selected ciphers
          • Configure Tomcat to accept a list of ciphers

          TODO

          • Discuss Allen's idea of strong security by default

          Testing done

          • hadoop-kms unit tests
          • Verify KMS_SSL_CIPHERS value on stdout during kms startup
          • Run https://github.com/jzhuge/hadoop-bats-tests/blob/master/kms.bats in insecure, SSL, and SSL+Kerberos single node setup
          • sslscan result should include only listed ciphers
          • On CentOS 6.6, run the following curl command. Expect NSS error -12286 without the fix.
            curl -v -k [--negotiate] -u: -sS 'https://<kms_host>:16000/kms/v1/keys/names'

          Allen Wittenauer added a comment -

          I believe our current practice in the rest of the Hadoop code is to default to strong, but give an option to allow the user to enable weaker ones as necessary.

          John Zhuge added a comment - edited

          Yeah, tough choice between security and backwards compatibility.

          I will post a patch so that you can examine the list of ciphers I picked.

          Allen Wittenauer added a comment -

          It seems like a really bad idea to support weak SSL ciphers given KMS is for security. In the specific case of curl, I'm 99% certain that curl's cipher usage is specifically tied to the version of OpenSSL in use as well as what options are used on the command line. (This is one of the reasons why many people build their own versions of curl, etc on systems such as OS X, which are known to have old versions of OpenSSL installed.)


            People

            • Assignee: John Zhuge
            • Reporter: John Zhuge
            • Votes: 0
            • Watchers: 5