Description
Risk/Issue summary finding
Weak TLS Protocols Supported
Risk/Issue summary description/detail
The Spark web portals support the use of weak TLS protocols (TLSv1.0).
Transport Layer Security (TLS) is the IETF standard cryptographic protocol for secure communications. It provides authentication, confidentiality and integrity between the client and the server. Although TLSv1.0 is the successor of SSL, it has itself been superseded by versions 1.1 and 1.2, and it is vulnerable to a variety of downgrade attacks because its design stays close to SSLv3.
Business impact / attack scenario
Vulnerabilities in the Transport Layer Security protocols and ciphers can allow an attacker to decrypt and view sensitive information transferred between the server and the client. The attacker needs to be positioned between the client and the server in order to intercept the traffic.
Recommendation
Use TLSv1.2 with strong cipher suites (>= 128-bit keys) for all communications between the client and the server.
The following spark-defaults.conf settings were applied:
spark.ssl.enabled true
spark.ssl.keyStore /home/ec2-user/spark_home/conf/redact.jks
spark.ssl.trustStore /home/ec2-user/spark_home/conf/redact-trust-nonprd.jks
# Spark hands this list to the JVM, which expects JSSE cipher-suite names; the OpenSSL-style
# name ECDHE-RSA-AES256-SHA is replaced here by its JSSE equivalent so it is not silently ignored
spark.ssl.enabledAlgorithms TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
spark.ssl.protocol TLSv1.2
spark.ssl.trustStoreType JKS
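As an added example (not part of the original finding or of Spark itself), a small Python audit of the spark.ssl.* settings against the recommendation above: it parses spark-defaults.conf, flags a protocol below TLSv1.2, flags cipher suites whose bulk key is under 128 bits (or RC4), and flags names that are not in JSSE form, which the JVM is assumed to ignore. The sample configuration and its placeholder paths are constructed for the example.

```python
import re

STRONG_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# JSSE names look like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; OpenSSL-style names
# such as ECDHE-RSA-AES256-SHA are assumed to be dropped by the JVM.
JSSE_NAME = re.compile(r"^(?:TLS|SSL)_[A-Z0-9_]+$")
# Bulk-cipher token in a JSSE name -> key size in bits (3DES: 112 effective bits).
# Order matters: longer tokens first so "DES" does not swallow "3DES_EDE".
BULK_KEY_BITS = [("AES_256", 256), ("AES_128", 128), ("CHACHA20", 256),
                 ("3DES_EDE", 112), ("RC4_128", 128), ("RC4_40", 40),
                 ("DES40", 40), ("DES", 56), ("NULL", 0)]

# Constructed sample mirroring the settings above; paths are placeholders.
SAMPLE_CONF = """
spark.ssl.enabled true
spark.ssl.keyStore /path/to/placeholder.jks
spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
spark.ssl.protocol TLSv1.2
"""


def parse_conf(text):
    """Parse spark-defaults.conf lines (key, then whitespace/'='/':', then value)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([^\s=:]+)\s*[=:\s]\s*(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def audit_ssl(conf):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    if conf.get("spark.ssl.enabled", "false").lower() != "true":
        return ["spark.ssl.enabled is not true: UI served over plaintext"]
    proto = conf.get("spark.ssl.protocol")
    if proto not in STRONG_PROTOCOLS:
        findings.append(f"spark.ssl.protocol={proto}: require TLSv1.2 or newer")
    for suite in conf.get("spark.ssl.enabledAlgorithms", "").split(","):
        suite = suite.strip()
        if not suite:
            continue
        if not JSSE_NAME.match(suite):
            findings.append(f"{suite}: not a JSSE name, likely ignored by the JVM")
            continue
        bits = next((b for tok, b in BULK_KEY_BITS if tok in suite), None)
        if bits is None or bits < 128 or "RC4" in suite:
            findings.append(f"{suite}: weak or unknown bulk cipher ({bits} bits)")
    return findings
```

Passing this audit shows only that the configuration asks for TLSv1.2; it does not prove the listener rejects TLSv1.0 handshakes, so confirm against the running UI port with a handshake test such as openssl s_client -tls1.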