[ https://issues.apache.org/jira/browse/HDFS-7391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14208172#comment-14208172 ]

Dave Thompson commented on HDFS-7391:
-------------------------------------

For clarification, you are not suggesting turning on SSLv2, which has 
been deprecated for 18 years, for reasons discussed in RFC 6176.

Rather, you are suggesting turning on the backwards compatible Client-Hello,
that was introduced in 1996 for transition, for clients that didn't know 
if they were connecting to an SSLv2 or SSLv3 server.

A bit surprised that there exist Hadoop clients that find this necessary.
Java 6 with openssl 0.9.8x, I believe, will support up to SSLv3.1 (TLS 1.0),
which I've used as a server... I can't speak to client configurability.

My primary concern would be that, in enabling acceptance of SSLv2 Client-Hello,
assurances/confirmation be made that a resulting SSLv2.0 session 
is not allowed.

> Re-enable SSLv2Hello in HttpFS
> ------------------------------
>
>                 Key: HDFS-7391
>                 URL: https://issues.apache.org/jira/browse/HDFS-7391
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>    Affects Versions: 2.6.0, 2.5.2
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Blocker
>         Attachments: HDFS-7391-branch-2.5.patch, HDFS-7391.patch
>
>
> We should re-enable "SSLv2Hello", which is required for older clients (e.g. 
> Java 6 with openssl 0.9.8x) so they can't connect without it. Just to be 
> clear, it does not mean SSLv2, which is insecure.
> I couldn't simply do an addendum patch on HDFS-7274 because it's already been 
> closed.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
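
The distinction drawn in the comment above, between an SSLv2-format Client-Hello and an actual SSLv2 session, can be checked on the first bytes a client sends. The following is an added example, not part of the original message or of the Hadoop patch; it assumes the V2ClientHello layout from RFC 5246 Appendix E.2, and the function names and sample hellos are constructed for illustration.

```python
import struct

VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def inspect_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends to a TLS listener."""
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 2-byte length with the high bit set, msg_type 1,
        # highest version the client offers, then three 2-byte lengths.
        version, spec_len, _sid, _chal = struct.unpack(">HHHH", data[3:11])
        specs = data[11:11 + spec_len]
        if len(specs) != spec_len or spec_len % 3:
            raise ValueError("truncated or malformed cipher specs")
        # Specs are 3 bytes each: SSLv3/TLS suites are carried as 00 xx yy,
        # SSLv2-native cipher kinds have a non-zero first byte.
        v2_kinds = sum(1 for i in range(0, spec_len, 3) if specs[i])
        framing = "sslv2-format"
    elif len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # TLS record (type 22) wrapping a handshake ClientHello (type 1).
        version = struct.unpack(">H", data[9:11])[0]
        framing, v2_kinds = "tls-record", 0
    else:
        raise ValueError("not a ClientHello")
    return {"framing": framing,
            "offered": VERSIONS.get(version, hex(version)),
            "sslv2_only": version == 0x0002,
            "v2_cipher_kinds": v2_kinds}

def v2_hello(version: int, specs: bytes, challenge: bytes = bytes(16)) -> bytes:
    """Build a constructed SSLv2-format ClientHello for the samples below."""
    body = struct.pack(">BHHHH", 1, version, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

# Constructed samples (not captured traffic).
COMPAT_HELLO = v2_hello(0x0301, bytes.fromhex("00002f" "00000a"))
PURE_V2_HELLO = v2_hello(0x0002, bytes.fromhex("010080" "0700c0"))
_hs = struct.pack(">H", 0x0301) + bytes(32) + bytes.fromhex("00" "0002002f" "0100")
_hs = b"\x01" + len(_hs).to_bytes(3, "big") + _hs
TLS_HELLO = b"\x16\x03\x01" + struct.pack(">H", len(_hs)) + _hs

if __name__ == "__main__":
    for name, hello in [("compat", COMPAT_HELLO), ("pure-v2", PURE_V2_HELLO),
                        ("tls", TLS_HELLO)]:
        print(name, inspect_client_hello(hello))
```

A hello reported with `sslv2_only` set is the case a server accepting SSLv2Hello must still refuse; the compat hello differs only in framing and offers TLS 1.0.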
