----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/42770/#review116342 -----------------------------------------------------------
Ship it! Ship It! - Dmytro Sen On Янв. 26, 2016, 1:13 д.п., Robert Levas wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/42770/ > ----------------------------------------------------------- > > (Updated Янв. 26, 2016, 1:13 д.п.) > > > Review request for Ambari, Dmytro Sen, Mahadev Konar, and Yusaku Sako. > > > Bugs: AMBARI-14778 > https://issues.apache.org/jira/browse/AMBARI-14778 > > > Repository: ambari > > > Description > ------- > > The Ambari Server (built-in) CA should use {{SHA265}} as default message > digest algorithm rather than the no longer trusted {{MD5}} and {{SHA1}} > digest algorithms. > > To do this, change the following line (in both the unix and windows version > of the file): > > #ambari-server/conf/.../ca.config# > ``` > default_md = md5 > ``` > to > ``` > default_md = sha256 > ``` > > Note: This directly affects 2-way SSL between Ambari server and the agents > due to security constraints in newer JVMs, like > ``` > openjdk version "1.8.0_71" > OpenJDK Runtime Environment (build 1.8.0_71-b15) > OpenJDK 64-Bit Server VM (build 25.71-b15, mixed mode) > ``` > > > The following error in the ambari-agent log may indicate that the agent's SSL > certificate is signed using MD5: > ``` > ERROR 2016-01-22 17:01:56,982 Controller.py:186 - Unable to connect to: > https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org > Traceback (most recent call last): > File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line > 140, in registerWithServer > ret = self.sendRequest(self.registerUrl, data) > File "/usr/lib/python2.6/site-packages/ambari_agent/Controller.py", line > 413, in sendRequest > raise IOError('Request to {0} failed due to {1}'.format(url, > str(exception))) > IOError: Request to > https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org > failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol > ERROR 2016-01-22 17:01:56,982 Controller.py:187 - Error:Request to > https://c6501.ambari.apache.org:8441/agent/v1/register/c6502.ambari.apache.org > failed due to [Errno 8] _ssl.c:492: EOF occurred in violation of protocol > ``` > > The following error in the ambari-server log (when logging DEBUG messages) > indicates that the agent's SSL certificate is signed using MD5, which is not > supported by the underling JVM: > ``` > 22 Jan 2016 21:09:43,577 DEBUG [qtp-ambari-agent-50] HttpParser:1049 - > javax.net.ssl.SSLHandshakeException: General SSLEngine problem > at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) > at > sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) > at > sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214) > at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186) > at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) > at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:465) > at > org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386) > at > org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48) > at > org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:715) > at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044) > at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280) > at > org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235) > at > org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) > at > org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196) > at > org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696) > at > org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53) > at > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) > at > org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) > at java.lang.Thread.run(Thread.java:745) > Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) > at > sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1909) > at > sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230) > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) > at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) > at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) > at java.security.AccessController.doPrivileged(Native Method) > at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) > at > org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:375) > ... 12 more > Caused by: sun.security.validator.ValidatorException: PKIX path validation > failed: java.security.cert.CertPathValidatorException: Algorithm constraints > check failed: MD5withRSA > at > sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352) > at > sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249) > at sun.security.validator.Validator.validate(Validator.java:260) > at > sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) > at > sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) > at > sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) > at > sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1896) > ... 19 more > Caused by: java.security.cert.CertPathValidatorException: Algorithm > constraints check failed: MD5withRSA > at > sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) > at > sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219) > at > sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) > at > sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) > at > java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) > at > sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347) > ... 25 more > ``` > > > Diffs > ----- > > ambari-server/conf/unix/ca.config b80f797 > ambari-server/conf/windows/ca.config b4dd1c5 > > Diff: https://reviews.apache.org/r/42770/diff/ > > > Testing > ------- > > Manually tested with Oracld JVM 1.7 and 1.8 (with and without JCE installed). > Also tested with OpenJDK 1.8 > > No unit tests were updated. > > > Thanks, > > Robert Levas > >
