Repository: hadoop Updated Branches: refs/heads/branch-2 720de7eb4 -> 160aebcae
HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha) (cherry picked from commit 3c5f5af1184e85158dec962df0b0bc2be8d0d1e3) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/160aebca Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/160aebca Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/160aebca Branch: refs/heads/branch-2 Commit: 160aebcae2d2510ecc2f2982db01a1815d8b5297 Parents: 720de7e Author: Karthik Kambatla <ka...@apache.org> Authored: Tue Oct 28 18:03:00 2014 -0700 Committer: Karthik Kambatla <ka...@apache.org> Committed: Tue Oct 28 18:08:00 2014 -0700 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 2 ++ .../java/org/apache/hadoop/security/ssl/SSLFactory.java | 12 +++++++++++- .../hadoop-common/src/main/resources/core-default.xml | 8 ++++++++ .../src/site/apt/EncryptedShuffle.apt.vm | 2 ++ 4 files changed, 23 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/160aebca/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 4a2d165..11df1ff 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -671,6 +671,8 @@ Release 2.6.0 - UNRELEASED HADOOP-11217. Disable SSLv3 in KMS. (Robert Kanter via kasha) + HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha) + Release 2.5.1 - 2014-09-05 INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/160aebca/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java ---------------------------------------------------------------------- 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
index 404b007..bbea33b 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
@@ -66,6 +66,10 @@ public class SSLFactory implements ConnectionConfigurator {
 public static final String KEYSTORES_FACTORY_CLASS_KEY =
 "hadoop.ssl.keystores.factory.class";
 
+ public static final String SSL_ENABLED_PROTOCOLS =
+ "hadoop.ssl.enabled.protocols";
+ public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1";
+
 private Configuration conf;
 private Mode mode;
 private boolean requireClientCert;
@@ -73,6 +77,8 @@ public class SSLFactory implements ConnectionConfigurator {
 private HostnameVerifier hostnameVerifier;
 private KeyStoresFactory keystoresFactory;
 
+ private String[] enabledProtocols = null;
+
 /**
 * Creates an SSLFactory.
 *
@@ -94,6 +100,9 @@ public class SSLFactory implements ConnectionConfigurator {
 = conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
 FileBasedKeyStoresFactory.class, KeyStoresFactory.class);
 keystoresFactory = ReflectionUtils.newInstance(klass, sslConf);
+
+ enabledProtocols = conf.getStrings(SSL_ENABLED_PROTOCOLS,
+ DEFAULT_SSL_ENABLED_PROTOCOLS);
 }
 
 private Configuration readSSLConfiguration(Mode mode) {
@@ -122,7 +131,7 @@ public class SSLFactory implements ConnectionConfigurator {
 context = SSLContext.getInstance("TLS");
 context.init(keystoresFactory.getKeyManagers(),
 keystoresFactory.getTrustManagers(), null);
-
+ context.getDefaultSSLParameters().setProtocols(enabledProtocols);
 hostnameVerifier = getHostnameVerifier(conf);
 }
 
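Review bot: The two new public constants in the first hunk carry no Javadoc, and the default `"TLSv1"` deserves a stated rationale because on JDK7+ it also drops TLSv1.1 and TLSv1.2, which is stricter than the JDK default "TLS" context and not obviously intended. I would add above `SSL_ENABLED_PROTOCOLS`: `/** Config key: comma-separated TLS protocol names to enable; SSLv3 must never be listed (HADOOP-11243). */` and above `DEFAULT_SSL_ENABLED_PROTOCOLS`: `/** Default kept at TLSv1 only so JDK6 deployments still work; JDK7+ should set TLSv1,TLSv1.1,TLSv1.2. */`. The JDK6 motivation is inferred from the EncryptedShuffle table in this commit, so confirm it before quoting it.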
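Review bot: The `= null` initializer on `private String[] enabledProtocols = null;` in the second hunk is redundant, since the field is unconditionally assigned in the constructor hunk below. If that constructor is the only writer (I cannot see other constructors from here), the field can be `private final String[] enabledProtocols;`, which also makes it impossible for a later code path to clear the protocol list after `init()`.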
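Review bot: `conf.getStrings(SSL_ENABLED_PROTOCOLS, DEFAULT_SSL_ENABLED_PROTOCOLS)` in the constructor hunk accepts any value, so an operator who sets `hadoop.ssl.enabled.protocols=SSLv3` silently re-enables exactly what this change is meant to remove, and an empty value yields a null or empty array (depending on `StringUtils.getStrings`, which I cannot see here) that later fails inside `setEnabledProtocols` with an unhelpful message. I would validate the list once at construction time, rejecting SSLv2/SSLv3 names and an empty list with an `IllegalArgumentException` that names the config key, rather than letting the failure surface per connection. The constructor's signature and first lines are outside this hunk.
```java
    enabledProtocols = conf.getStrings(SSL_ENABLED_PROTOCOLS,
        DEFAULT_SSL_ENABLED_PROTOCOLS);
    // Fail fast: an empty list disables every protocol, and SSLv2/SSLv3 are
    // exactly what HADOOP-11243 removes, so neither may come from config.
    if (enabledProtocols == null || enabledProtocols.length == 0) {
      throw new IllegalArgumentException(SSL_ENABLED_PROTOCOLS + " must not be empty");
    }
    for (String protocol : enabledProtocols) {
      if (protocol.startsWith("SSLv")) {
        throw new IllegalArgumentException(
            SSL_ENABLED_PROTOCOLS + " must not enable " + protocol);
      }
    }
```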
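Review bot: `context.getDefaultSSLParameters().setProtocols(enabledProtocols);` in the `init()` hunk is a no-op: `SSLContext.getDefaultSSLParameters()` is documented to return a copy of the parameters, so mutating it changes nothing on the context, and any socket later obtained from `context.getSocketFactory()` (outside this hunk) still negotiates whatever the JDK's "TLS" context enables by default, which includes SSLv3 on older JDKs. Only the `sslEngine.setEnabledProtocols(...)` path in `createSSLEngine()` actually takes effect, so the HttpURLConnection/socket-factory side of this class appears to remain SSLv3-capable after this commit; please verify against the socket-factory methods I cannot see. I would delete this line, and instead have every method that hands out the context's `SSLSocketFactory` wrap it in a delegating factory whose `createSocket(...)` overloads call `((SSLSocket) s).setEnabledProtocols(enabledProtocols)` on each socket before returning it, with a comment such as `// getDefaultSSLParameters() returns a copy; protocols must be set per socket/engine`. The body of `init()` starts outside this hunk.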
@@ -185,6 +194,7 @@ public class SSLFactory implements ConnectionConfigurator {
 sslEngine.setUseClientMode(false);
 sslEngine.setNeedClientAuth(requireClientCert);
 }
+ sslEngine.setEnabledProtocols(enabledProtocols);
 return sslEngine;
 }
 
http://git-wip-us.apache.org/repos/asf/hadoop/blob/160aebca/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index a23a7fa..4ba2e5a 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -1366,6 +1366,14 @@ for ldap providers in the same way as above does.
 </property>
 
 <property>
+ <name>hadoop.ssl.enabled.protocols</name>
+ <value>TLSv1</value>
+ <description>
+ Protocols supported by the ssl.
+ </description>
+</property>
+
+<property>
 <name>hadoop.jetty.logs.serve.aliases</name>
 <value>true</value>
 <description>
http://git-wip-us.apache.org/repos/asf/hadoop/blob/160aebca/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
----------------------------------------------------------------------
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
index e766cbc..da412df 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
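Review bot: `sslEngine.setEnabledProtocols(enabledProtocols);` in `createSSLEngine()` is the one place in this commit where the configured list actually constrains a handshake, but a protocol name the JSSE provider does not support (a typo, or `TLSv1.2` on JDK6) throws `IllegalArgumentException` here, per engine, rather than once at startup. I would check the list in `init()` against `context.getSupportedSSLParameters().getProtocols()` and fail there with a message naming `hadoop.ssl.enabled.protocols`, and add above this line `// Engines are the only context-derived objects that honour the list; see init()` so a reader does not assume the context itself was restricted. The method's signature and client-mode branch are outside this hunk.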
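Review bot: The description `Protocols supported by the ssl.` for the new `hadoop.ssl.enabled.protocols` property does not say what the value is, how it is parsed, or why the default is so narrow, which is what an operator deciding whether to change it needs. I would replace it with `Comma-separated list of SSL/TLS protocol names (as understood by the JSSE provider) that SSLFactory enables. Defaults to TLSv1 for JDK6 compatibility; on JDK7 and later use TLSv1,TLSv1.1,TLSv1.2. SSLv3 must not be listed.` The JDK6 motivation is taken from the EncryptedShuffle documentation in this same commit, so keep the two descriptions consistent.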
@@ -54,6 +54,8 @@ Hadoop MapReduce Next Generation - Encrypted Shuffle *--------------------------------------+---------------------+-----------------+ | <<<hadoop.ssl.client.conf>>> | <<<ss-client.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory | *--------------------------------------+---------------------+-----------------+ +| <<<hadoop.ssl.enabled.protocols>>> | <<<TLSv1>>> | The supported SSL protocols (JDK6 can use <<TLSv1>>, JDK7+ can use <<TLSv1,TLSv1.1,TLSv1.2>>) | +*--------------------------------------+---------------------+-----------------+ <<IMPORTANT:>> Currently requiring client certificates should be set to false. Refer the {{{ClientCertificates}Client Certificates}} section for details.