[ https://issues.apache.org/jira/browse/HADOOP-13812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15695443#comment-15695443 ]
John Zhuge commented on HADOOP-13812:
-------------------------------------
Here is the SSL issue encountered when I test either the HttpFS or KMS REST API over SSL:
{noformat}
$ curl --negotiate -i -v -k -L -u: https://jzhuge-tomcat-ssl-1.gce.cloudera.com:14000/webhdfs/v1?op=liststatus
* About to connect() to jzhuge-tomcat-ssl-1.gce.cloudera.com port 14000 (#0)
* Trying 172.31.8.185... connected
* Connected to jzhuge-tomcat-ssl-1.gce.cloudera.com (172.31.8.185) port 14000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
{noformat}
It is caused by this commit in Tomcat 6.0.46
https://github.com/apache/tomcat60/commit/d8767c0a751bdd261b9f33dbe74e2428f5645601#diff-275f38188d4d9c830969f8889fb6f3fc
which filters out known weak ciphers from the default list:
{code:java}
// Remove kRSA ciphers when running on Java 7 or above. Can't
// remove them for Java 6 since they are likely to be the only
// ones left
if (JreCompat.isJre7Available() &&
        (cipher.toUpperCase(Locale.ENGLISH).startsWith("TLS_RSA_") ||
         cipher.toUpperCase(Locale.ENGLISH).startsWith("SSL_RSA_"))) {
    log.debug(sm.getString("jsse.excludeDefaultCipher", cipher));
    continue;
}
{code}
> Upgrade Tomcat to 6.0.47
> ------------------------
>
> Key: HADOOP-13812
> URL: https://issues.apache.org/jira/browse/HADOOP-13812
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.6.0
> Reporter: John Zhuge
> Assignee: John Zhuge
> Priority: Blocker
>
> KMS and HttpFS currently use Tomcat 6.0.44; propose to upgrade to the latest
> version, 6.0.47.
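
The effect of the quoted filter on cipher overlap, as an added example that is not part of the original comment or of Tomcat's code: it mirrors the prefix check in Python and compares a server default list against two client offers, before and after filtering. The suite lists and both client profiles are constructed sample data (assumptions, not taken from the hosts in the log); NSS error -12286 is `SSL_ERROR_NO_CYPHER_OVERLAP`, the condition the `no_common_cipher` flag models.

```python
# Added example: models the prefix filter quoted above; this is not Tomcat code.
# All cipher lists below are constructed sample data using JSSE suite names.
KRSA_PREFIXES = ("TLS_RSA_", "SSL_RSA_")

SERVER_DEFAULTS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Hypothetical client that only offers RSA key-exchange suites.
LEGACY_CLIENT = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Hypothetical client that also offers a forward-secret suite.
MODERN_CLIENT = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]


def filter_default_ciphers(ciphers, jre7_available=True):
    """Mirror the quoted check: on Java 7+, drop suites named TLS_RSA_*/SSL_RSA_*."""
    kept, excluded = [], []
    for cipher in ciphers:
        if jre7_available and cipher.upper().startswith(KRSA_PREFIXES):
            excluded.append(cipher)
        else:
            kept.append(cipher)
    return kept, excluded


def overlap(server_ciphers, client_offer):
    """Suites both sides support, in server list order."""
    offered = set(client_offer)
    return [c for c in server_ciphers if c in offered]


def diagnose(server_defaults, client_offer, jre7_available=True):
    """Compare the shared suites before and after the default-list filter."""
    kept, excluded = filter_default_ciphers(server_defaults, jre7_available)
    after = overlap(kept, client_offer)
    return {
        "before": overlap(server_defaults, client_offer),
        "after": after,
        "excluded": excluded,
        "no_common_cipher": not after,
    }
```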