[ https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
John Zhuge updated HDFS-11418:
------------------------------
    Attachment: HDFS-11418.branch-2.001.patch

Patch branch-2.001
* Add env HTTPFS_SSL_CIPHERS, default to a list of selected ciphers
* Configure Tomcat to accept a list of ciphers

TODO
* Discuss Allen's idea of strong security by default

Testing done
* hadoop-hdfs-httpfs unit tests
* Verify HTTPFS_SSL_CIPHERS value on stdout during httpfs startup
* Run https://github.com/jzhuge/hadoop-bats-tests/blob/master/httpfs.bats in insecure, SSL, and SSL+Kerberos single node setup
* sslscan result should include only listed ciphers
* On CentOS 6.6, run the following curl command. Expect {{NSS error -12286}} without the fix.
{noformat}
curl -v -k --negotiate -u: -sS 'https://HTTPFS_HOST:14000/webhdfs/v1/?op=liststatus'
{noformat}

> HttpFS should support old SSL clients
> -------------------------------------
>
>                 Key: HDFS-11418
>                 URL: https://issues.apache.org/jira/browse/HDFS-11418
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: httpfs
>    Affects Versions: 2.8.0, 2.7.4, 2.6.6
>            Reporter: John Zhuge
>            Assignee: John Zhuge
>            Priority: Minor
>         Attachments: HDFS-11418.branch-2.001.patch
>
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL
> clients such as curl stop working. The symptom is {{NSS error -12286}} when
> running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to
> explicitly allow enough weak ciphers so that old SSL clients can work.
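The "sslscan result should include only listed ciphers" check from the testing list can be automated; the following is an added example, not part of the original message or the attached patch. It assumes HTTPFS_SSL_CIPHERS holds comma-separated JSSE suite names and that the scan report uses sslscan's text layout; the cipher list, the name map and the scan output are constructed samples.

```python
import re

# Assumption: HTTPFS_SSL_CIPHERS uses JSSE suite names, while sslscan prints
# OpenSSL names. This map covers only the constructed sample below.
JSSE_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
}

# Constructed sample value, not the default list from the patch.
SAMPLE_HTTPFS_SSL_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n"
    " TLS_RSA_WITH_AES_128_CBC_SHA"
)

# Constructed sample report; the last row carries ANSI colour codes.
SAMPLE_SSLSCAN = """\
  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  \x1b[33m112\x1b[0m bits  \x1b[33mDES-CBC3-SHA\x1b[0m
"""

ANSI = re.compile(r"\x1b\[[0-9;]*m")
ROW = re.compile(r"^\s*(?:Preferred|Accepted)\s+\S+\s+\d+\s+bits\s+(\S+)", re.M)

def configured_suites(value):
    """Translate the configured JSSE names to OpenSSL names; fail on unmapped ones."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    unmapped = [n for n in names if n not in JSSE_TO_OPENSSL]
    if unmapped:
        raise ValueError("no OpenSSL name known for: " + ", ".join(unmapped))
    return {JSSE_TO_OPENSSL[n] for n in names}

def accepted_suites(report):
    """Collect every suite the server accepted, across all protocol versions."""
    return set(ROW.findall(ANSI.sub("", report)))

def audit(value, report):
    """Return (suites accepted but not listed, suites listed but not accepted)."""
    allowed, seen = configured_suites(value), accepted_suites(report)
    return sorted(seen - allowed), sorted(allowed - seen)

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_HTTPFS_SSL_CIPHERS, SAMPLE_SSLSCAN)
    print("accepted but not listed:", unexpected)
    print("listed but not accepted:", missing)
```

A non-empty first list means the connector accepts a suite outside the configured list, which is the condition the test step is meant to catch.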