Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-17183

HDFS defaults tls cipher to "no encryption" when keystore key is unset or empty

Add voteVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments


    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 3.3.4
    • None
    • security
    • None


      It looks like some hdfs servers default the cipher suite to not encrypt traffic when the keystore password is not set or set to an empty string.

      Historically this has probably not often been an issue as java `keytool` refuses to create a keystore with less than 6 characters, so usually people would need to set passwords on the keystores (and hence in the config).

      When using keystores without a password, we noticed that HDFS refuses to load keys from this keystore when `ssl.server.keystore.password` is unset or set to an empty string - and instead of erroring out sets the cipher suite for rpc connections to `TLS_NULL_WITH_NULL_NULL` which is basically TLS but without any encryption.

      The impact varies depending on which communication channel we looked at, what we saw was:

      • JournalNodes seem to happily go along with this and NameNodes equally happily connect to the JournalNodes without any warnings - we do have tls enabled after all
      • NameNodes refuse connections with a handshake exception, so the real world impact of this should hopefully be small, but it does seem like less than ideal behavior.


      So effectively, HDFS cannot use keystores without passwords, as connections cannot be established successfully.



          This comment will be Viewable by All Users Viewable by All Users


            Unassigned Unassigned
            sliebau Sönke Liebau




                Issue deployment