[jira] [Commented] (HDFS-2617) Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution

Mon, 09 Jul 2012 13:56:38 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13409836#comment-13409836
 ] 

Daryn Sharp commented on HDFS-2617:
-----------------------------------

I'm interested in learning the details of why kssl is so bad.  I can't find 
much online except early versions of java 6 had an issue, and a solaris kext 
for kssl has had a number of problems.

WEP's usage of RC4 is an egregious example of a bad RC4 implementation.  WPA 
also used RC4 (TKIP) in a more sane manner before WPA2 switched to AES.  As 
best I can tell, the java gss doesn't use a WEP style RC4 impl, and gss also 
supports AES.  Both kssl and spnego are protected via SSL's encryption, and the 
krb tickets are encrypted.  Where is the achille's heel that affects kssl but 
not spnego?
                
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>             Fix For: 2.0.1-alpha
>
>         Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch, 
> HDFS-2617-config.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, 
> HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, hdfs-2617-1.1.patch
>
>
> The current approach to secure and authenticate nn web services is based on 
> Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now 
> that we have one, we can get rid of the non-standard KSSL and use SPNEGO 
> throughout.  This will simplify setup and configuration.  Also, Kerberized 
> SSL is a non-standard approach with its own quirks and dark corners 
> (HDFS-2386).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to