This is an automated email from the ASF dual-hosted git repository.
hapylestat pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push:
new a10880a AMBARI-25520. Insecure Transport : Weak SSL Cipher and weak
protocol. (#3204) (dvitiuk via dgrinenko)
a10880a is described below
commit a10880a63e6fbef44662ba9f37e87082e9985c64
Author: dvitiiuk <[email protected]>
AuthorDate: Wed Jun 24 11:17:25 2020 +0300
AMBARI-25520. Insecure Transport : Weak SSL Cipher and weak protocol.
(#3204) (dvitiuk via dgrinenko)
---
.../java/org/apache/ambari/server/controller/AmbariServer.java | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index b8f440a..ee858bf 100644
---
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -200,6 +200,7 @@ public class AmbariServer {
*/
public static final EnumSet<DispatcherType> DISPATCHER_TYPES =
EnumSet.of(DispatcherType.REQUEST);
private static final int DEFAULT_ACCEPTORS_COUNT = 1;
+ private static final String[] DEPRECATED_SSL_PROTOCOLS = new String[]
{"TLSv1"};
static {
Velocity.setProperty("runtime.log.logsystem.log4j.logger",
VELOCITY_LOG_CATEGORY);
@@ -802,9 +803,9 @@ public class AmbariServer {
* at server properties)
*/
private void disableInsecureProtocols(SslContextFactory factory) {
- // by default all protocols should be available
- factory.setExcludeProtocols();
- factory.setIncludeProtocols(new String[]
{"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
+ // by default all protocols should be available, excluding TLSv1.0
+ factory.setExcludeProtocols(DEPRECATED_SSL_PROTOCOLS);
+ factory.setIncludeProtocols(new String[]
{"SSLv2Hello","SSLv3","TLSv1.1","TLSv1.2"});
if (!configs.getSrvrDisabledCiphers().isEmpty()) {
String[] masks =
configs.getSrvrDisabledCiphers().split(DISABLED_ENTRIES_SPLITTER);
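Review bot: The include list on the new `factory.setIncludeProtocols(...)` line still names `SSLv2Hello` and `SSLv3`, which are weaker than the `TLSv1` this commit removes, and `DEPRECATED_SSL_PROTOCOLS` from the first hunk lists only `TLSv1`. As far as I know, Jetty's `setExcludeProtocols` replaces the factory's exclusion set rather than adding to it, so any SSL entries Jetty excludes by default would be dropped here; whether SSLv3 can then be negotiated depends on the JVM's `jdk.tls.disabledAlgorithms`, which this code should not rely on. I would make the constant `{"SSLv2Hello", "SSLv3", "TLSv1"}`, reduce the include list to `new String[] {"TLSv1.1", "TLSv1.2"}`, and reword the comment to `// only TLSv1.1 and TLSv1.2 are offered; SSLv3 and TLSv1.0 are excluded`. Dropping `SSLv2Hello` may affect very old clients, so confirm it against the supported agent and JDK versions; the body of disableInsecureProtocols continues outside the hunk.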