[ https://issues.apache.org/jira/browse/HDFS-15824?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280339#comment-17280339 ]
Wei-Chiu Chuang edited comment on HDFS-15824 at 2/7/21, 12:09 AM:
------------------------------------------------------------------

Thanks for reporting the issue. I'm pretty sure we use TLS1.2 by default in the latest version. What version did you check?
https://github.com/apache/hadoop/blob/6b5d9e2334bec199518e580d4a2863c26518efcb/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java#L75

was (Author: jojochuang):
Thanks for reporting the issue. I'm pretty sure we use TLS1.2 by default in the latest version.
https://github.com/apache/hadoop/blob/6b5d9e2334bec199518e580d4a2863c26518efcb/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java#L75

> Update to enable TLS >=1.2 as default secure protocols
> -------------------------------------------------------
>
>                 Key: HDFS-15824
>                 URL: https://issues.apache.org/jira/browse/HDFS-15824
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: contrib/hdfsproxy
>            Reporter: Vicky Zhang
>            Priority: Major
>
> in file
> src/contrib/hdfsproxy/src/java/org/apache/hadoop/hdfsproxy/ProxyUtil.java,
> line 125, the SSL protocol is used in statement: SSLContext sc =
> SSLContext.getInstance("SSL");
> *Impact:*
> An SSL DDoS attack targets the SSL handshake protocol either by sending
> worthless data to the SSL server which will result in connection issues for
> legitimate users or by abusing the SSL handshake protocol itself.
> *Suggestions:*
> Upgrade the implementation to the “TLS”, and configure https.protocols JVM
> option to include TLSv1.2:
> *Useful links:*
> [https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https]
> [https://www.appmarq.com/public/tqi,1039002,CWE-319-Avoid-using-Deprecated-SSL-protocols-to-secure-connection]
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira (v8.3.4#803005)
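
The protocol question raised in this thread, as an added Java example (not part of the original message and not Hadoop's code): it prints which protocol versions a JVM actually enables for the "SSL" and "TLS" context names, and builds an engine pinned to TLS 1.2 or newer. The class name `TlsProtocolCheck` and the `ALLOWED` list are assumptions made for the illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class TlsProtocolCheck {
    // Assumption for this example: only TLS 1.2 and newer are acceptable.
    private static final List<String> ALLOWED = Arrays.asList("TLSv1.3", "TLSv1.2");

    /** Protocols a context enables when the caller configures nothing. */
    static String[] defaultProtocols(String name) throws Exception {
        SSLContext sc = SSLContext.getInstance(name);
        sc.init(null, null, null); // default key managers, trust managers, RNG
        return sc.getDefaultSSLParameters().getProtocols();
    }

    /** Builds an engine restricted to ALLOWED, whatever the JVM defaults are. */
    static SSLEngine hardenedEngine() throws Exception {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, null, null);
        List<String> supported =
                Arrays.asList(sc.getSupportedSSLParameters().getProtocols());
        List<String> enabled = new ArrayList<>();
        for (String p : ALLOWED) {
            if (supported.contains(p)) enabled.add(p);
        }
        if (enabled.isEmpty()) {
            throw new IllegalStateException("JVM supports neither TLSv1.2 nor TLSv1.3");
        }
        SSLEngine engine = sc.createSSLEngine();
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(enabled.toArray(new String[0])); // explicit allow-list
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // The effective list depends on the context name, the JDK version and
        // the jdk.tls.disabledAlgorithms security property, so print it per JVM.
        for (String name : new String[] {"SSL", "TLS", "TLSv1.2"}) {
            System.out.println(name + " -> " + Arrays.toString(defaultProtocols(name)));
        }
        System.out.println("hardened -> "
                + Arrays.toString(hardenedEngine().getEnabledProtocols()));
    }
}
```

Running it on the JVM that hosts the service shows whether a context obtained by name alone still enables anything older than TLS 1.2 there.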