[HDFS-7274] Disable SSLv3 in HttpFS - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.6.0
Fix Version/s: 2.6.0, 2.5.2
Component/s: webhdfs
Labels:
None

Hadoop Flags:

Reviewed

Description

We should disable SSLv3 in HttpFS to protect against the POODLEbleed vulnerability.
See CVE-2014-3566

We have sslProtocol="TLS" set to only allow TLS in ssl-server.xml, but when I checked, I could still connect with SSLv3. There documentation is somewhat unclear in the tomcat configs between sslProtocol, sslProtocols, and sslEnabledProtocols and what each value they take does exactly. From what I can gather, sslProtocol="TLS" actually includes SSLv3 and the only way to fix this is to explicitly list which TLS versions we support.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HDFS-7274.patch
23/Oct/14 18:08
0.8 kB
Robert Kanter
HDFS-7274.patch
21/Oct/14 22:00
0.8 kB
Robert Kanter

Issue Links

is required by

HDFS-7391 Renable SSLv2Hello in HttpFS

Closed

relates to

HADOOP-11217 Disable SSLv3 in KMS

Closed

HADOOP-11243 SSLFactory shouldn't allow SSLv3

Closed

HDFS-7275 Add TLSv1.1,TLSv1.2 to HttpFS

Closed

Activity

People

Assignee:: Robert Kanter

Reporter:: Robert Kanter

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 21/Oct/14 21:36

Updated:: 13/Nov/14 20:56

Resolved:: 29/Oct/14 00:40