[
https://issues.apache.org/jira/browse/HADOOP-12886?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wei-Chiu Chuang updated HADOOP-12886:
-------------------------------------
Attachment: HADOOP-12886.001.patch
Rev01: initial patch for SSLFactory to exclude cipher suites listed in
ssl-server.xml.
I have tested this patch on a CDH cluster, and this is the result of opening an
SSL connection using excluded cipher suites to a data node web URL:
{noformat}
openssl s_client -connect weichiu-cipher-2.vpc.cloudera.com:20004 -cipher RC4-SHA
CONNECTED(00000003)
139952247441224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 99 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
{noformat}
I'll include test cases in the next revision.
> Exclude weak ciphers in SSLFactory through ssl-server.xml
> ---------------------------------------------------------
>
> Key: HADOOP-12886
> URL: https://issues.apache.org/jira/browse/HADOOP-12886
> Project: Hadoop Common
> Issue Type: Improvement
> Affects Versions: 2.7.2
> Reporter: Wei-Chiu Chuang
> Assignee: Wei-Chiu Chuang
> Labels: Netty, datanode, security
> Attachments: HADOOP-12886.001.patch
>
>
> HADOOP-12668 added support to exclude weak ciphers in HttpServer2, which is
> good for name nodes. But data node web UI is based on Netty, which uses
> SSLFactory and does not read ssl-server.xml to exclude the ciphers.
> We should also add the same support for Netty for consistency.
> I will attach a full patch later.
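An added example, not part of the original message and not the code in HADOOP-12886.001.patch: a sketch of the general technique the issue describes, removing an exclude list from the cipher suites enabled on a server-side `SSLEngine`. The class and method names (`ExcludeCiphersExample`, `parseExcludeList`, `applyExclusions`) and the sample exclude value are assumptions made for illustration.

```java
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added illustration; class and method names are hypothetical, not Hadoop's.
public class ExcludeCiphersExample {

    // Split a comma-separated exclude list, tolerating the whitespace and
    // line breaks a value copied out of an XML config file usually carries.
    static Set<String> parseExcludeList(String value) {
        Set<String> names = new LinkedHashSet<>();
        if (value == null) return names;
        for (String part : value.split(",")) {
            String name = part.trim();
            if (!name.isEmpty()) names.add(name);
        }
        return names;
    }

    // Re-enable only the suites that are not excluded; returns what was kept.
    static String[] applyExclusions(SSLEngine engine, Set<String> excluded) {
        List<String> kept = new ArrayList<>();
        for (String suite : engine.getEnabledCipherSuites()) {
            if (!excluded.contains(suite)) kept.add(suite);
        }
        if (kept.isEmpty()) {
            throw new IllegalStateException("exclude list disables every cipher suite");
        }
        String[] result = kept.toArray(new String[0]);
        engine.setEnabledCipherSuites(result);
        return result;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // server side, like the data node web UI
        List<String> before = Arrays.asList(engine.getEnabledCipherSuites());

        // Constructed sample value: one suite this JVM enables, plus a name it
        // does not know (e.g. a typo or an OpenSSL-style name).
        Set<String> excluded = parseExcludeList(before.get(0) + ",\n   NOT_A_JSSE_SUITE ");
        applyExclusions(engine, excluded);

        List<String> after = Arrays.asList(engine.getEnabledCipherSuites());
        System.out.println("enabled before: " + before.size() + ", after: " + after.size());
        for (String name : excluded) {
            // An entry that matched nothing excludes nothing; surface it.
            if (!before.contains(name)) System.out.println("no effect: " + name);
        }
    }
}
```

Exclude entries are matched against JSSE suite names, which differ from the OpenSSL-style names passed to `openssl s_client -cipher`, so an entry that matches no enabled suite is worth logging rather than ignoring.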