[
https://issues.apache.org/jira/browse/HADOOP-12886?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wei-Chiu Chuang updated HADOOP-12886:
-------------------------------------
Attachment: HADOOP-12886.002.patch
Thanks [~zhz] for the initial review.
I posted a new patch with a new test case. This test case uses
{{SSLFactory.createSSLEngine}} to create client and server SSLEngines. The
server excludes some weak cipher suites whereas the client only accepts them.
The test code is relatively long, but it's actually a lightweight test that
exchanges messages between the client and server SSLEngines using ByteBuffer, rather
than a network socket, or even launching netty for testing, which are much more
heavyweight. It is adapted from Oracle's example
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/samples/sslengine/SSLEngineSimpleDemo.java
and
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html.
> Exclude weak ciphers in SSLFactory through ssl-server.xml
> ---------------------------------------------------------
>
> Key: HADOOP-12886
> URL: https://issues.apache.org/jira/browse/HADOOP-12886
> Project: Hadoop Common
> Issue Type: Improvement
> Affects Versions: 2.7.2
> Reporter: Wei-Chiu Chuang
> Assignee: Wei-Chiu Chuang
> Labels: Netty, datanode, security
> Attachments: HADOOP-12886.001.patch, HADOOP-12886.002.patch
>
>
> HADOOP-12668 added support to exclude weak ciphers in HttpServer2, which is
> good for name nodes. But data node web UI is based on Netty, which uses
> SSLFactory and does not read ssl-server.xml to exclude the ciphers.
> We should also add the same support for Netty for consistency.
> I will attach a full patch later.
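An added example (not part of the attached patch or of Hadoop's code) of the set-up the comment describes: a server SSLEngine with an exclusion list applied and a client SSLEngine that accepts only the excluded suites, so the two share no suite. The class name, `excludeCiphers`, the comma-separated list format, and the use of the first two default suites as stand-ins for weak ones are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class CipherExclusionDemo {
  // Drop every suite named in the comma-separated exclusion list. Filtering
  // the enabled set (rather than enabling names) means an excluded name the
  // JVM does not know is simply ignored instead of raising an exception.
  static String[] excludeCiphers(String[] enabled, String excludeList) {
    Set<String> excluded = new HashSet<>();
    for (String name : excludeList.split(",")) {
      if (!name.trim().isEmpty()) {
        excluded.add(name.trim());
      }
    }
    List<String> kept = new ArrayList<>();
    for (String suite : enabled) {
      if (!excluded.contains(suite)) {
        kept.add(suite);
      }
    }
    return kept.toArray(new String[0]);
  }

  public static void main(String[] args) throws Exception {
    SSLContext ctx = SSLContext.getDefault();
    SSLEngine server = ctx.createSSLEngine();
    server.setUseClientMode(false);
    SSLEngine client = ctx.createSSLEngine();
    client.setUseClientMode(true);

    // Constructed stand-ins for "weak" suites: the first two enabled by default.
    String[] defaults = server.getEnabledCipherSuites();
    String[] weak = {defaults[0], defaults[1]};
    String excludeList = weak[0] + ", " + weak[1] + ", NOT_A_REAL_SUITE";

    server.setEnabledCipherSuites(excludeCiphers(defaults, excludeList));
    client.setEnabledCipherSuites(weak);  // client offers only the excluded suites

    Set<String> common = new HashSet<>(Arrays.asList(server.getEnabledCipherSuites()));
    common.retainAll(Arrays.asList(client.getEnabledCipherSuites()));
    System.out.println("server keeps " + server.getEnabledCipherSuites().length
        + " of " + defaults.length + " suites; shared with client: " + common);
  }
}
```

With no shared suite, a handshake between these two engines cannot select a cipher, which is the failure the test case in the patch is described as exercising.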