[
https://issues.apache.org/jira/browse/OOZIE-2037?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Kanter updated OOZIE-2037:
---------------------------------
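Attachment: OOZIE-2037.001.patch
The transcripts below show {{openssl s_client}} run against the test server before and after applying the patch. Before, the TLSv1.1 and TLSv1.2 handshakes fail with "wrong version number" (no peer certificate is received, so the "Verify return code: 0 (ok)" line there does not indicate a successful verification); after, both handshakes complete, and verify code 18 only reflects the test host's self-signed certificate.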
{noformat:title=TLSv1.1 before}
[root@rkanter-z ~]# openssl s_client -connect rkanter-z.vpc.cloudera.com:11443 -tls1_1
CONNECTED(00000003)
140367959005000:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1435632446
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
{noformat}
{noformat:title=TLSv1.1 after}
[root@rkanter-z ~]# openssl s_client -connect rkanter-z.vpc.cloudera.com:11443 -tls1_1
CONNECTED(00000003)
depth=0 O = Hadoop, CN = rkanter-z.vpc.cloudera.com
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Hadoop, CN = rkanter-z.vpc.cloudera.com
verify return:1
---
Certificate chain
0 s:/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
i:/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
issuer=/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 1357 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 5592DFAA62CC23EEFDBEF1B642B099E959F64468C542FF139F935E1D55CD754C
Session-ID-ctx:
Master-Key: F9D91A40D6FF6D4DBB7411840045AEDF70A86701B1C1F4B3FB679B77FC63CE277DBDA92E453D09FD00A10CF0A986A30F
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1435688874
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
{noformat}
{noformat:title=TLSv1.2 before}
[root@rkanter-z ~]# openssl s_client -connect rkanter-z.vpc.cloudera.com:11443 -tls1_2
CONNECTED(00000003)
139991422166856:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1435632454
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
{noformat}
{noformat:title=TLSv1.2 after}
[root@rkanter-z ~]# openssl s_client -connect rkanter-z.vpc.cloudera.com:11443 -tls1_2
CONNECTED(00000003)
depth=0 O = Hadoop, CN = rkanter-z.vpc.cloudera.com
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Hadoop, CN = rkanter-z.vpc.cloudera.com
verify return:1
---
Certificate chain
0 s:/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
i:/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
issuer=/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 1391 bytes and written 499 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 5592DFBECB826C9D965A89352940F808D7578D378E2E2CB23AADA58551BD21BB
Session-ID-ctx:
Master-Key: 9FC6798DBC00EFEA2833815105A46153FCDDD732AA35697B2F07BF02BFDEE1DC0BB1FE2544A1118EE18DA667FC28D3AF
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1435688894
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
{noformat}
> Add TLSv1.1,TLSv1.2
> -------------------
>
> Key: OOZIE-2037
> URL: https://issues.apache.org/jira/browse/OOZIE-2037
> Project: Oozie
> Issue Type: Sub-task
> Components: security
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Labels: newbie
> Attachments: OOZIE-2037.001.patch
>
>
> OOZIE-2034 required us to specifically list the versions of TLS that Oozie
> supports. Java 7 supports TLSv1.1 and TLSv1.2, so we should add them to the
> list.