K0K0V0K opened a new pull request, #7629:
URL: https://github.com/apache/hadoop/pull/7629
### Description of PR
Currently, we have a feature to exclude weak ciphers from HttpServer2 and
SSLFactory using the ssl.server.exclude.cipher.list property. With this
feature, we can also define an inclusion list of ciphers using the
ssl.server.include.cipher.list property. If the inclusion list is populated,
any cipher not present in the list will not be allowed. If a cipher is present
in both the exclusion and inclusion lists, it will be excluded. Note that
SSLFactory does not support regex-based cipher patterns, unlike HttpServer2.
### How was this patch tested?
I created a cluster (java8) and set ssl-server.xml like
```
<property>
<name>ssl.server.include.cipher.list</name>
<value>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</value>
<final>true</final>
</property>
```
then ran the following command successfully:
```
openssl s_client -connect ccycloud-1.bkosztolnik.root.comops.site:8090 -cipher ECDHE-RSA-AES256-GCM-SHA384
```
Then modified the config:
- `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_EMPTY_RENEGOTIATION_INFO_SCSV` -> ssl command still works
- `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` -> ssl command fails to handshake
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
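A small model of the include/exclude rules the PR describes (inclusion list restricts, exclusion list wins, regex patterns only in HttpServer2), as an added example that is not the PR's or Hadoop's code. The supported-suite list, the client's offered suites and the comma-separated property format are constructed assumptions; the SCSV entry models the signaling value behind the "fails to handshake" result above.

```python
import re

# Constructed sample of what a JVM might report as supported suites. The SCSV
# entry is a signaling value (RFC 5746), not a cipher a client can negotiate.
SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]
SIGNALING = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}

# Constructed: what `openssl s_client -cipher ECDHE-RSA-AES256-GCM-SHA384`
# offers, in IANA naming (the SCSV is sent alongside).
CLIENT_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]


def parse_list(value):
    """Split a comma-separated property value, dropping blanks (assumed format)."""
    return [s.strip() for s in (value or "").split(",") if s.strip()]


def matches(cipher, pattern, regex):
    """HttpServer2 treats entries as regex patterns; SSLFactory compares names exactly."""
    if regex:
        return re.fullmatch(pattern, cipher) is not None
    return cipher == pattern


def effective_ciphers(supported, include_list, exclude_list, regex):
    """Apply the PR's rules: a non-empty include list keeps only listed ciphers,
    then every excluded cipher is dropped, so a cipher on both lists is excluded."""
    include = parse_list(include_list)
    exclude = parse_list(exclude_list)
    enabled = [c for c in supported
               if not include or any(matches(c, p, regex) for p in include)]
    return [c for c in enabled if not any(matches(c, p, regex) for p in exclude)]


def handshake_possible(server_enabled, client_offered):
    """A handshake needs at least one real (non-signaling) suite in common."""
    common = (set(server_enabled) & set(client_offered)) - SIGNALING
    return bool(common)


if __name__ == "__main__":
    only_scsv = effective_ciphers(SUPPORTED, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "", False)
    print(only_scsv, handshake_possible(only_scsv, CLIENT_OFFERED))
```

Running the three configurations from the test section through `handshake_possible` reproduces the reported outcomes: the first two succeed and the SCSV-only include list leaves nothing negotiable.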