
SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4.0
    • Fix Version/s: 2.4.2
    • Component/s: ambari-server
    • Labels: None

    Description

      SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up.

      Currently the following protocols are explicitly enabled:

      • SSLv2Hello
      • TLSv1
      org/apache/ambari/server/controller/AmbariServer.java:718

          factory.setIncludeProtocols(new String[] { "SSLv2Hello", "TLSv1" });

      However the following protocols should be enabled by default:

      • SSLv2Hello
      • TLSv1
      • TLSv1.1
      • TLSv1.2
      • SSLv3
      Example:

          factory.setIncludeProtocols(new String[] { "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" });

      Once set, the protocols may be filtered out using the security.server.disabled.protocols property from the ambari.properties file. For example:

          # Disables TLSv1, TLSv1.1, and SSLv2Hello
          security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello

      The availability of a particular protocol may be tested using the OpenSSL s_client facility.

      Example: Test for TLSv1.2

          openssl s_client -connect localhost:8440 -tls1_2
      Example successful result
      CONNECTED(00000003)
      depth=0 C = XX, L = Default City, O = Default Company Ltd
      verify error:num=18:self signed certificate
      verify return:1
      depth=0 C = XX, L = Default City, O = Default Company Ltd
      verify return:1
      ---
      Certificate chain
      0 s:/C=XX/L=Default City/O=Default Company Ltd
         i:/C=XX/L=Default City/O=Default Company Ltd
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      MII…
      -----END CERTIFICATE-----
      subject=/C=XX/L=Default City/O=Default Company Ltd
      issuer=/C=XX/L=Default City/O=Default Company Ltd
      ---
      No client certificate CA names sent
      Server Temp Key: ECDH, secp521r1, 521 bits
      ---
      SSL handshake has read 2248 bytes and written 441 bytes
      ---
      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
      Server public key is 4096 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : ECDHE-RSA-AES256-GCM-SHA384
          Session-ID: 5829F75B49C2FED58C60CB7663181B39BCA3AF473F253EDB4BA04D827B9D58BA
          Session-ID-ctx:
          Master-Key: 46301FB9B4263547C62F8C793380319DC60A10C1D077C7DAB52D328B12D1FB4B868EE5131CD7F62917C02866196317B8
          Key-Arg   : None
          Krb5 Principal: None
          PSK identity: None
          PSK identity hint: None
          Start Time: 1479145307
          Timeout   : 7200 (sec)
          Verify return code: 18 (self signed certificate)
      ---
      
      Example failure result
      CONNECTED(00000003)
      140518067173192:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 0 bytes and written 0 bytes
      ---
      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : 0000
          Session-ID:
          Session-ID-ctx:
          Master-Key:
          Key-Arg   : None
          Krb5 Principal: None
          PSK identity: None
          PSK identity hint: None
          Start Time: 1479145122
          Timeout   : 7200 (sec)
          Verify return code: 0 (ok)
      ---
      
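      As an added example (not Ambari's own code) covering both the property-based filtering step and the s_client check above, the following Python models the include-then-exclude computation for a given security.server.disabled.protocols value and classifies a captured s_client transcript as a completed or refused handshake. Splitting the property on "|" and trimming whitespace is an assumption about how Ambari parses it; the transcript excerpts are constructed from the two outputs shown above.

```python
"""Added example (not Ambari code): model the include-then-filter protocol
selection described above and classify `openssl s_client` output."""
import re

# Include list proposed above (the setIncludeProtocols() call).
DEFAULT_INCLUDED = ("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def effective_protocols(disabled_property, included=DEFAULT_INCLUDED):
    """Apply the security.server.disabled.protocols filter to the include list.

    The value is pipe-separated as in the ambari.properties example; splitting
    on '|' and trimming whitespace is an assumption about Ambari's parsing.
    Names not in the include list are ignored; include order is preserved.
    """
    disabled = {p.strip() for p in disabled_property.split("|") if p.strip()}
    return [p for p in included if p not in disabled]

_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)

def handshake_result(s_client_output):
    """Classify `openssl s_client -connect host:port -<version>` output.

    A completed handshake shows a real cipher in the SSL-Session block; a
    refused protocol prints 'Cipher is (NONE)' and 'Cipher    : 0000' even
    though the Protocol line still names the version that was attempted.
    Returns (negotiated_protocol_or_None, succeeded).
    """
    proto = _PROTO_RE.search(s_client_output)
    cipher = _CIPHER_RE.search(s_client_output)
    if not proto or not cipher or cipher.group(1) == "0000":
        return None, False
    if "Cipher is (NONE)" in s_client_output:
        return None, False
    return proto.group(1), True

# Constructed excerpts of the success and failure transcripts shown above.
SUCCESS_OUTPUT = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""
FAILURE_OUTPUT = """\
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""
```

      Note that the example filter quoted above leaves SSLv3 in the effective list; adding it to security.server.disabled.protocols removes it as well.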

      Note: This does not address the agent-side issue of connecting to an Ambari server where TLSv1 is disabled. See AMBARI-17666.

      People

        Assignee: Robert Levas (rlevas)
        Reporter: Robert Levas (rlevas)