jojochuang commented on code in PR #7629: URL: https://github.com/apache/hadoop/pull/7629#discussion_r2049665443
########## hadoop-common-project/hadoop-common/src/main/conf/ssl-server.xml.example: ########## @@ -82,7 +82,43 @@ SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5</value> <description>Optional. The weak security cipher suites that you want excluded - from SSL communication.</description> + from SSL communication. + Both ssl.server.include.cipher.list and ssl.server.exclude.cipher.list can be used simultaneously + to fine-tune the cipher suites utilized by Hadoop services. + If a cipher suite is present in both the inclusion and exclusion lists, it will be denied. + </description> +</property> + +<property> + <name>ssl.server.include.cipher.list</name> + <value>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,

Review Comment:

https://www.tenable.com/plugins/nessus/156899?utm_source=chatgpt.com

According to this site, here are the recommended ciphers:

TLSv1.3:
- 0x13,0x01 TLS13_AES_128_GCM_SHA256
- 0x13,0x02 TLS13_AES_256_GCM_SHA384
- 0x13,0x03 TLS13_CHACHA20_POLY1305_SHA256

TLSv1.2:
- 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
- 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
- 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
- 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
- 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
- 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
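
Review bot: the example value for ssl.server.include.cipher.list opens with two CBC-mode suites (TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), and since an .example file tends to be copied as-is, the list should lead with AEAD suites in the JSSE naming this file already uses, for example TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, with CBC suites placed last or left out. The value is cut off in the quoted lines, so GCM entries may follow further down; if they do, reordering is enough. The description added to the exclude property says a suite present in both lists is denied, but nothing in the visible text says what happens when the include list is unset or empty; stating that (all otherwise enabled suites remain allowed, or none) would remove the ambiguity for operators. The example value also puts a space after each comma while the exclude list above has none, so it is worth confirming that entries are trimmed before matching, or dropping the spaces from the example.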
