[jira] [Commented] (HDFS-2617) Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution

[Aaron T. Myers (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HDFS-2617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13417750#comment-13417750
 ] 

Aaron T. Myers commented on HDFS-2617:
--------------------------------------

The trouble with KSSL is not in KSSL itself, it's because of a JDK bug that 
Joey mentioned: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6946669

This bug unfortunately requires that the Kerberos authentication part of the 
KSSL connection use DES encryption for the Kerberos tickets. Pretty much 
everyone agrees that DES is unacceptably weak, which is also why MIT KRB5 has 
been phasing out support for it.

bq. Also, why can't we simply change/remove the hardcoded cipher?

The cipher you're referring to isn't the issue, and in fact is hard-coded to 
3DES, whose strength I don't think folks here are concerned about. That cipher 
is used to encrypt the traffic via SSL after the Kerberos handshake has 
completed.

If you enable Java SSL/KRB5 debug output when performing an NN checkpoint, 
you'll see that DES is used for the Kerberos handshake, and thereafter 3DES for 
the SSL encryption.
                
> Replaced Kerberized SSL for image transfer and fsck with SPNEGO-based solution
> ------------------------------------------------------------------------------
>
>                 Key: HDFS-2617
>                 URL: https://issues.apache.org/jira/browse/HDFS-2617
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jakob Homan
>            Assignee: Jakob Homan
>             Fix For: 2.1.0-alpha
>
>         Attachments: HDFS-2617-a.patch, HDFS-2617-b.patch, 
> HDFS-2617-branch-1.patch, HDFS-2617-config.patch, HDFS-2617-trunk.patch, 
> HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, HDFS-2617-trunk.patch, 
> hdfs-2617-1.1.patch
>
>
> The current approach to secure and authenticate nn web services is based on 
> Kerberized SSL and was developed when a SPNEGO solution wasn't available. Now 
> that we have one, we can get rid of the non-standard KSSL and use SPNEGO 
> throughout.  This will simplify setup and configuration.  Also, Kerberized 
> SSL is a non-standard approach with its own quirks and dark corners 
> (HDFS-2386).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira