[ https://issues.apache.org/jira/browse/HADOOP-12668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097231#comment-15097231 ]

Vijay Singh commented on HADOOP-12668:
--------------------------------------

Thanks for the feedback. I will include the property for both including and 
excluding ciphers. Since all these services are based on Jetty, and since Jetty 
first covers included ciphers followed by excluded ciphers, causing the excluded 
ciphers to take precedence and override the included cipher selection in case of 
conflict, similar behavior will be observed in Hadoop services as well.
Please refer to the following link for Jetty cipher selection behavior: 
https://wiki.eclipse.org/Jetty/Howto/CipherSuites
Please read the "Disabling Cipher Suites" section to verify the Jetty behavior. I 
will work on this request and submit the updated patch tonight.

> Modify HDFS embedded jetty server logic in HttpServer2.java to exclude weak 
> Ciphers through ssl-server.conf
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-12668
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12668
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.7.1
>            Reporter: Vijay Singh
>            Assignee: Vijay Singh
>            Priority: Critical
>              Labels: common, ha, hadoop, hdfs, security
>         Attachments: Hadoop-12668.006.patch
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Currently the embedded jetty server used across all hadoop services is configured 
> through the ssl-server.xml file from their respective configuration section. 
> However, the SSL/TLS protocol being used for these jetty servers can be 
> downgraded to weak cipher suites. This code change aims to add the following 
> functionality:
> 1) Add logic in hadoop common (HttpServer2.java and associated interfaces) to 
> spawn jetty servers with the ability to exclude weak cipher suites. I propose we 
> make this through ssl-server.xml and hence each service can choose to disable 
> specific ciphers.
> 2) Modify DFSUtil.java used by HDFS code to supply new parameter 
> ssl.server.exclude.cipher.list for hadoop-common code, so it can exclude the 
> ciphers supplied through this key.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
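
The include-then-exclude precedence described in the comment above, as an added example (not code from the patch, Hadoop or Jetty). It assumes exact-name matching on comma-separated lists; the class and method names are hypothetical and the suite lists are constructed sample values. It also flags exclude entries that match nothing, since a misspelled suite name would otherwise silently leave a weak cipher enabled.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class CipherSelectionDemo {

    // Split a comma-separated value such as the one carried by
    // ssl.server.exclude.cipher.list; blank entries are ignored.
    static Set<String> parseList(String value) {
        Set<String> out = new LinkedHashSet<>();
        if (value == null) return out;
        for (String s : value.split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }

    // Include first, exclude second: a suite named in both lists ends up disabled.
    // Assumption: an empty include list means "start from every supported suite".
    static List<String> effectiveSuites(Set<String> supported, Set<String> include,
                                        Set<String> exclude) {
        List<String> enabled = new ArrayList<>();
        for (String suite : supported) {
            if (include.isEmpty() || include.contains(suite)) enabled.add(suite);
        }
        enabled.removeAll(exclude);
        return enabled;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the issue or the patch.
        Set<String> supported = parseList("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                + "TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5");
        Set<String> include = parseList("TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA");
        // The last entry is deliberately misspelled to show the unmatched-entry check.
        Set<String> exclude = parseList("SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD");

        // RC4_128_SHA is in both lists, so only the AES suite survives.
        System.out.println("enabled:   " + effectiveSuites(supported, include, exclude));

        Set<String> conflicts = new LinkedHashSet<>(include);
        conflicts.retainAll(exclude);   // named in both lists; exclude wins
        System.out.println("conflicts: " + conflicts);

        Set<String> unmatched = new LinkedHashSet<>(exclude);
        unmatched.removeAll(supported); // excludes nothing: typo or unsupported suite
        System.out.println("unmatched: " + unmatched);
    }
}
```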