-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/42770/
-----------------------------------------------------------
Review request for Ambari, Dmytro Sen, Mahadev Konar, and Yusaku Sako.
Bugs: AMBARI-14778
https://issues.apache.org/jira/browse/AMBARI-14778
Repository: ambari
Description
-------
The Ambari Server (built-in) CA should use {{SHA256}} as default message digest
algorithm rather than the no longer trusted {{MD5}} and {{SHA1}} digest
algorithms.
To do this, change the following line (in both the Unix and Windows versions of
the file):
#ambari-server/conf/.../ca.config#
```
default_md = md5
```
to
```
default_md = sha256
```
Note: This directly affects 2-way SSL between Ambari server and the agents due
to security constraints in newer JVMs, like
```
openjdk version "1.8.0_71"
OpenJDK Runtime Environment (build 1.8.0_71-b15)
OpenJDK 64-Bit Server VM (build 25.71-b15, mixed mode)
```
The following error in the ambari-agent log may indicate that the agent's SSL
certificate is signed using MD5:
```
ERROR 2016-01-22 17:01:56,982 Controller.py:186 - Unable to connect to: https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 140, in registerWithServer
    ret = self.sendRequest(self.registerUrl, data)
  File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line 413, in sendRequest
    raise IOError('Request to {0} failed due to {1}'.format(url, str(exception)))
IOError: Request to https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
ERROR 2016-01-22 17:01:56,982 Controller.py:187 - Error:Request to https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
```
The following error in the ambari-server log (when logging DEBUG messages)
indicates that the agent's SSL certificate is signed using MD5, which is not
supported by the underlying JVM:
```
22 Jan 2016 21:09:43,577 DEBUG [qtp-ambari-agent-50] HttpParser:1049 - javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:465)
    at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386)
    at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
    at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:715)
    at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
    at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1909)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
    at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:375)
    ... 12 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
    at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1896)
    ... 19 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
    at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
    at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347)
    ... 25 more
```
Diffs
-----
ambari-server/conf/unix/ca.config b80f797
ambari-server/conf/windows/ca.config b4dd1c5
Diff: https://reviews.apache.org/r/42770/diff/
Testing
-------
Manually tested with Oracle JVM 1.7 and 1.8 (with and without JCE installed).
Also tested with OpenJDK 1.8
No unit tests were updated.
Thanks,
Robert Levas
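Editor's added example (not Ambari project code and not part of the review request above): the `default_md` change only affects certificates the built-in CA signs from now on, so agent certificates issued before the change still carry an `md5WithRSAEncryption` signature and will still trip the JVM's `Algorithm constraints check failed: MD5withRSA` path-validation error. On a host with OpenSSL the quick check is `openssl x509 -in cert.pem -noout -text | grep 'Signature Algorithm'`; the script below does the same check offline in pure Python by reading just enough DER to reach the outer `signatureAlgorithm` field of an X.509 certificate and mapping its OID to a name. The sample certificates it builds are constructed envelopes with placeholder `tbsCertificate` and `signatureValue` contents, not real signed certificates; the OID tables and the "weak" classification (MD2, MD5 and SHA-1 with RSA) are this example's own, and which digests a given JVM actually rejects is governed by `jdk.certpath.disabledAlgorithms` in its `java.security` file.

```python
"""Classify the signature algorithm of DER-encoded X.509 certificates.

Added example, not Ambari code.  Parses only the outer structure:

    Certificate ::= SEQUENCE {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,   -- SEQUENCE { OID, params }
        signatureValue       BIT STRING }
"""

# PKCS #1 signature-algorithm OIDs (RFC 3279 / RFC 4055).  Which of these a
# JVM rejects is decided by jdk.certpath.disabledAlgorithms in java.security;
# this split reflects what this example treats as no longer trustworthy.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
ACCEPTED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, end


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in raw[1:]:                      # base-128, high bit set on continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of a DER certificate's outer signatureAlgorithm."""
    tag, start, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, _, tbs_end = _read_tlv(cert_der, start)      # skip tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)  # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    return decode_oid(cert_der[oid_start:oid_end])


def classify_certificate(cert_der):
    """Return (oid, algorithm name, is_weak) for the certificate's signature."""
    oid = signature_algorithm_oid(cert_der)
    if oid in WEAK_SIGNATURE_OIDS:
        return oid, WEAK_SIGNATURE_OIDS[oid], True
    return oid, ACCEPTED_SIGNATURE_OIDS.get(oid, "unknown"), False


# --- constructed samples (placeholder bodies, not real signed certificates) ---

def _der(tag, content):
    """Minimal DER TLV encoder used only to build the samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_toy_certificate(sig_oid):
    """Constructed Certificate envelope: dummy tbsCertificate, NULL params,
    zeroed signatureValue.  Enough structure for signature_algorithm_oid()."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                                # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")     # OID + NULL
    sig = _der(0x03, b"\x00" * 5)                                        # BIT STRING placeholder
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for name, oid in (("pre-fix agent cert", "1.2.840.113549.1.1.4"),
                      ("post-fix agent cert", "1.2.840.113549.1.1.11")):
        print(name, classify_certificate(build_toy_certificate(oid)))
```

To run it against a real agent certificate, convert PEM to DER first (`openssl x509 -in cert.pem -outform DER -out cert.der`) and pass the file bytes to `classify_certificate()`; a `True` third element means the certificate must be re-issued by the CA after `default_md` is switched, since changing the config does not re-sign anything already in the keystore.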