K0K0V0K commented on code in PR #7629:
URL: https://github.com/apache/hadoop/pull/7629#discussion_r2049377310
##########
hadoop-common-project/hadoop-common/src/main/conf/ssl-server.xml.example:
##########
@@ -85,4 +85,32 @@
from SSL communication.</description>
</property>
+<property>
+ <name>ssl.server.include.cipher.list</name>
+ <value>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+ TLS_EMPTY_RENEGOTIATION_INFO_SCSV</value>
+ <description>Optional. If the inclusion list is populated,
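Review bot: the example value for `ssl.server.include.cipher.list` is dominated by CBC-mode suites and static-RSA key exchange (`TLS_RSA_WITH_*`, no forward secrecy), and it ends with `TLS_EMPTY_RENEGOTIATION_INFO_SCSV`, which is a signalling value rather than a negotiable cipher. Since operators tend to copy `ssl-server.xml.example` verbatim, consider ordering the ECDHE GCM suites first (or keeping only those) and stating in the `<description>` that the list is deliberately permissive, and why the SCSV entry is there. The value also spans many lines with leading whitespace and a trailing comma before the line break, so the description should say whether entries are trimmed when the property is parsed.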
Review Comment:
Both **ssl.server.include.cipher.list** and **ssl.server.exclude.cipher.list** can be used simultaneously to fine-tune the cipher suites utilized by Hadoop services.
- If a cipher suite is present in both the inclusion and exclusion lists, it will be denied.
- If a cipher suite is specified in the inclusion list and also matches a regular expression in the exclusion list, its acceptance depends on the specific service implementation:
  - In SSLFactory (used by services like DatanodeHttpServer), the cipher suite will be allowed.
  - In HttpServer2 (used by services like NameNodeHttpServer), the cipher suite will be denied.
Example Configuration:
```
ssl.server.include.cipher.list = TLS_EMPTY_RENEGOTIATION_INFO_SCSV
ssl.server.exclude.cipher.list = ^.*SCSV$
```
Resulting Behavior:
- DatanodeHttpServer will accept TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
- NameNodeHttpServer will deny TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
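The following is an added example, not Hadoop's code: it models the two resolution rules the comment describes (exact-name exclusion always denies; a regex exclusion denies an explicitly included suite only under HttpServer2 semantics) so an operator can compute the effective suite set per service and spot where the NameNode and DataNode diverge on the same configuration. The supported-suite list is constructed, the function and parameter names are hypothetical, and the treatment of an empty inclusion list (no restriction) and of entries that are not valid regexes (literal names only) are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample: suites a JVM might offer; not taken from any real service.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# The exact configuration quoted in the review comment above.
INCLUDE_LIST = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
EXCLUDE_LIST = "^.*SCSV$"


def parse_list(value: str) -> List[str]:
    """Split a comma-separated property value, trimming whitespace and
    dropping empty items (the example value spans several indented lines)."""
    return [item.strip() for item in value.split(",") if item.strip()]


def excluded_by(suite: str, exclude_entries: List[str], honour_regex: bool) -> bool:
    """An exclusion entry denies a suite when it equals the suite name.
    When honour_regex is True it also denies when it matches as a regex."""
    for entry in exclude_entries:
        if suite == entry:
            return True
        if honour_regex:
            try:
                if re.search(entry, suite):
                    return True
            except re.error:
                # Assumption: an entry that is not a valid regex is a literal name only.
                continue
    return False


def effective_suites(supported: List[str], include_value: str,
                     exclude_value: str, service: str) -> List[str]:
    """Return the suites `service` would accept, following the comment's rules.
    service is "SSLFactory" (DataNode HTTP) or "HttpServer2" (NameNode HTTP)."""
    include = parse_list(include_value)
    exclude = parse_list(exclude_value)
    # Per the comment: HttpServer2 applies a regex exclusion even to an
    # explicitly included suite; SSLFactory lets the inclusion win.
    regex_beats_include = service == "HttpServer2"
    accepted = []
    for suite in supported:
        # Assumption: an empty inclusion list imposes no restriction.
        if include and suite not in include:
            continue
        honour_regex = regex_beats_include or suite not in include
        if excluded_by(suite, exclude, honour_regex):
            continue
        accepted.append(suite)
    return accepted


def divergence(supported: List[str], include_value: str,
               exclude_value: str) -> Dict[str, Set[str]]:
    """Suites accepted by one service implementation but not the other,
    i.e. where the same ssl-server.xml yields different TLS policy."""
    factory = set(effective_suites(supported, include_value, exclude_value, "SSLFactory"))
    http2 = set(effective_suites(supported, include_value, exclude_value, "HttpServer2"))
    return {"only_SSLFactory": factory - http2, "only_HttpServer2": http2 - factory}


if __name__ == "__main__":
    for service in ("SSLFactory", "HttpServer2"):
        print(service, effective_suites(SUPPORTED_SUITES, INCLUDE_LIST, EXCLUDE_LIST, service))
    print(divergence(SUPPORTED_SUITES, INCLUDE_LIST, EXCLUDE_LIST))
```

Run against the comment's example configuration, `effective_suites` returns the SCSV entry for SSLFactory and an empty list for HttpServer2, and `divergence` reports that suite as accepted only by SSLFactory; an operator can feed the real property values into the same functions to confirm both HTTP servers end up with the intended policy before rolling the file out.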