[ 
https://issues.apache.org/jira/browse/HDFS-15824?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17282179#comment-17282179
 ] 

Vicky Zhang commented on HDFS-15824:
------------------------------------

[~aajisaka] and [~kihwal] Thanks for the clarification. We will further 
improve our algorithm to handle these cases. 

Would you mind kindly providing some suggestions for our vulnerability report? 
(appreciate any feedback from your side)
 * Does the report content make sense to you?
 * Are there any types of bugs/security vulnerabilities you want the detection 
tools to pay more attention to?

> Update to enable TLS >=1.2 as default secure protocols 
> -------------------------------------------------------
>
>                 Key: HDFS-15824
>                 URL: https://issues.apache.org/jira/browse/HDFS-15824
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: contrib/hdfsproxy
>            Reporter: Vicky Zhang
>            Priority: Major
>
> In file 
> src/contrib/hdfsproxy/src/java/org/apache/hadoop/hdfsproxy/ProxyUtil.java, 
> line 125, the SSL protocol is used in the statement: SSLContext sc = 
> SSLContext.getInstance("SSL");
> *Impact:* 
> An SSL DDoS attack targets the SSL handshake protocol either by sending 
> worthless data to the SSL server which will result in connection issues for 
> legitimate users or by abusing the SSL handshake protocol itself.
> *Suggestions:*
> Upgrade the implementation to “TLS”, and configure the https.protocols JVM 
> option to include TLSv1.2.
> *Useful links:*
> [https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https]
> [https://www.appmarq.com/public/tqi,1039002,CWE-319-Avoid-using-Deprecated-SSL-protocols-to-secure-connection]
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

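The issue above quotes one statement, SSLContext.getInstance("SSL"), and proposes switching the name to "TLS" plus setting https.protocols. The following is an added example (not Hadoop or hdfsproxy code, and not supplied by the reporter) that puts the quoted "before" beside a TLS context whose enabled protocols are pinned in code, and prints what a given JDK actually enables for each. The class name TlsProtocolCheck, the ALLOWED list (TLS 1.2 as the floor) and the use of default key/trust managers via init(null, null, null) are assumptions for illustration.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example, not project code: "SSL" vs "TLS" context, and explicit protocol pinning. */
public class TlsProtocolCheck {

    /** Assumed policy: only these may be negotiated, newest first. */
    static final String[] ALLOWED = {"TLSv1.3", "TLSv1.2"};

    /** "Before": the statement quoted in HDFS-15824, initialised with default managers (assumption). */
    static SSLContext legacyContext() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, null, null);
        return sc;
    }

    /** "After": ask for a TLS context. The name alone does not bound the handshake;
     *  pinProtocols() below is what does. */
    static SSLContext tlsContext() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, null, null);
        return sc;
    }

    /** Enable only the ALLOWED protocols this JDK supports; fail closed if there are none. */
    static SSLSocket pinProtocols(SSLSocket socket) {
        List<String> supported = Arrays.asList(socket.getSupportedProtocols());
        String[] enable = Arrays.stream(ALLOWED)
                                .filter(supported::contains)
                                .toArray(String[]::new);
        if (enable.length == 0) {
            throw new IllegalStateException("JDK supports none of " + Arrays.toString(ALLOWED));
        }
        socket.setEnabledProtocols(enable);
        return socket;
    }

    /** Show what the context reports as enabled by default and as supported. */
    static void report(String label, SSLContext sc) {
        System.out.println(label + " -> getProtocol()=" + sc.getProtocol());
        System.out.println("  enabled by default: "
                + Arrays.toString(sc.getDefaultSSLParameters().getProtocols()));
        System.out.println("  supported:          "
                + Arrays.toString(sc.getSupportedSSLParameters().getProtocols()));
    }

    public static void main(String[] args) throws Exception {
        // The JDK-wide floor lives here, not in the algorithm name passed to getInstance().
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        report("getInstance(\"SSL\")", legacyContext());
        report("getInstance(\"TLS\")", tlsContext());

        // An unconnected socket lets us pin protocols before any handshake can start.
        SSLSocketFactory factory = tlsContext().getSocketFactory();
        SSLSocket socket = pinProtocols((SSLSocket) factory.createSocket());
        System.out.println("pinned: " + Arrays.toString(socket.getEnabledProtocols()));
        socket.close();
    }
}
```

Compile and run with javac/java on the JDK the proxy would run under. On current JDKs the "SSL" and "TLS" lines print the same lists, because SunJSSE registers "SSL" as an alias of "TLS" and the effective floor comes from jdk.tls.disabledAlgorithms (SSLv3 has been on that list since JDK 8u31; TLSv1 and TLSv1.1 were added in the 2021 updates). The https.protocols property from the suggestion only governs HttpsURLConnection; it has no effect on sockets created from a context like the one in ProxyUtil, which is why the explicit setEnabledProtocols() call is the part worth keeping.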