[ambari] branch trunk updated: AMBARI-25520: Insecure Transport : Weak SSL Cipher and weak protocol (#3533)

Mon, 21 Nov 2022 07:40:37 -0800 

This is an automated email from the ASF dual-hosted git repository.

wuzhiguo pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/trunk by this push:
     new db5b0b79e5 AMBARI-25520: Insecure Transport : Weak SSL Cipher and weak 
protocol (#3533)
db5b0b79e5 is described below

commit db5b0b79e54aa3c8a9debac04bbc636ab9dbdc69
Author: Zhiguo Wu <[email protected]>
AuthorDate: Mon Nov 21 23:40:26 2022 +0800

    AMBARI-25520: Insecure Transport : Weak SSL Cipher and weak protocol (#3533)
---
 .../java/org/apache/ambari/server/controller/AmbariServer.java     | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index accdd97868..5dbf372dc9 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -200,6 +200,7 @@ public class AmbariServer {
    */
   public static final EnumSet<DispatcherType> DISPATCHER_TYPES = 
EnumSet.of(DispatcherType.REQUEST);
   private static final int DEFAULT_ACCEPTORS_COUNT = 1;
+  private static final String[] DEPRECATED_SSL_PROTOCOLS = new String[] 
{"TLSv1"};
 
   static {
     Velocity.setProperty("runtime.log.logsystem.log4j.logger", 
VELOCITY_LOG_CATEGORY);
@@ -802,9 +803,9 @@ public class AmbariServer {
    * at server properties)
    */
   private void disableInsecureProtocols(SslContextFactory factory) {
-    // by default all protocols should be available
-    factory.setExcludeProtocols();
-    factory.setIncludeProtocols(new String[] 
{"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
+    // by default all protocols should be available, excluding TLSv1.0
+    factory.setExcludeProtocols(DEPRECATED_SSL_PROTOCOLS);
+    factory.setIncludeProtocols(new String[] 
{"SSLv2Hello","SSLv3","TLSv1.1","TLSv1.2"});
 
     if (!configs.getSrvrDisabledCiphers().isEmpty()) {
       String[] masks = 
configs.getSrvrDisabledCiphers().split(DISABLED_ENTRIES_SPLITTER);


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to