[ https://issues.apache.org/jira/browse/AMBARI-18910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15671437#comment-15671437 ]

Hadoop QA commented on AMBARI-18910:
------------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment
  http://issues.apache.org/jira/secure/attachment/12839213/AMBARI-18910_branch-2.5_01.patch
  against trunk revision .

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:red}-1 tests included{color}.  The patch doesn't appear to include any new or modified tests.
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of javac compiler warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number of release audit warnings.

    {color:red}-1 core tests{color}.  The patch failed these unit tests in ambari-server:

                  org.apache.ambari.server.controller.metrics.JMXPropertyProviderTest
                  org.apache.ambari.server.state.svccomphost.ServiceComponentHostTest

Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/9301//testReport/
Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/9301//console

This message is automatically generated.

> SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up
> --------------------------------------------------------------------------------------
>
>                 Key: AMBARI-18910
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18910
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>             Fix For: 2.4.2
>
>         Attachments: AMBARI-18910_branch-2.4_01.patch, AMBARI-18910_branch-2.5_01.patch
>
>
> SSL/TLS protocols should be explicitly enabled and then filtered when Ambari 
> starts up.
> Currently the following protocols are explicitly enabled: 
> * {{SSLv2Hello}}
> * {{TLSv1}}
> {code:title=org/apache/ambari/server/controller/AmbariServer.java:718} 
> factory.setIncludeProtocols(new String[] { "SSLv2Hello","TLSv1"});
> {code}
> However the following protocols should be enabled by default:
> * {{SSLv2Hello}}
> * {{TLSv1}}
> * {{TLSv1.1}}
> * {{TLSv1.2}}
> * {{SSLv3}}
> {code:title=Example} 
> factory.setIncludeProtocols(new String[] {"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
> {code}
> Once set, the protocols may be filtered out using the 
> {{security.server.disabled.protocols}} property from the ambari.properties 
> file. For example:
> {code:title=Disables TLSv1, TLSv1.1, and SSLv2Hello}
> security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello
> {code}
> The availability of a particular protocol may be tested using the OpenSSL 
> s_client facility.
> {noformat:title=Example: Test for TLSv1.2}
> openssl s_client -connect localhost:8440 -tls1_2
> {noformat}
> {noformat:title=Example successful result}
> CONNECTED(00000003)
> depth=0 C = XX, L = Default City, O = Default Company Ltd
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = XX, L = Default City, O = Default Company Ltd
> verify return:1
> ---
> Certificate chain
> 0 s:/C=XX/L=Default City/O=Default Company Ltd
>    i:/C=XX/L=Default City/O=Default Company Ltd
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MII…
> -----END CERTIFICATE-----
> subject=/C=XX/L=Default City/O=Default Company Ltd
> issuer=/C=XX/L=Default City/O=Default Company Ltd
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, secp521r1, 521 bits
> ---
> SSL handshake has read 2248 bytes and written 441 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 5829F75B49C2FED58C60CB7663181B39BCA3AF473F253EDB4BA04D827B9D58BA
>     Session-ID-ctx:
>     Master-Key: 46301FB9B4263547C62F8C793380319DC60A10C1D077C7DAB52D328B12D1FB4B868EE5131CD7F62917C02866196317B8
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1479145307
>     Timeout   : 7200 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> {noformat}
> {noformat:title=Example failure result}
> CONNECTED(00000003)
> 140518067173192:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1479145122
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
> {noformat}
> Note: This does not address the agent-side issue of connecting to an Ambari 
> server where TLSv1 is disabled.  See AMBARI-17666.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
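
The s_client check described in the issue above, as an added example (not part of the original message and not Ambari's code). The function names are hypothetical, the samples are constructed by abridging the two quoted outputs, and `effective_protocols` only models the "enable, then filter" behaviour the issue describes.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output and compute the protocol
# list left after security.server.disabled.protocols is applied.

# Exit 0 only if stdin shows a completed handshake. The "Protocol" line cannot
# be used: the failed run quoted above still prints "Protocol  : TLSv1.2",
# "CONNECTED" and "Verify return code: 0 (ok)".
handshake_ok() {
    awk '/^New, / { if ($0 !~ /Cipher is \(NONE\)/) ok = 1 }
         END { exit !ok }'
}

# effective_protocols ENABLED DISABLED
# ENABLED is space-separated; DISABLED uses the property's "|" separator.
effective_protocols() {
    out=""
    for p in $1; do
        case "|$2|" in
            *"|$p|"*) ;;                    # listed as disabled: filtered out
            *) out="${out:+$out }$p" ;;     # exact-name match only
        esac
    done
    printf '%s\n' "$out"
}

# Constructed samples, abridged from the two outputs quoted in the issue.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2'
SAMPLE_FAIL='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)'

classify() {
    if printf '%s\n' "$1" | handshake_ok; then echo enabled; else echo disabled; fi
}

classify "$SAMPLE_OK"
classify "$SAMPLE_FAIL"
effective_protocols "SSLv2Hello SSLv3 TLSv1 TLSv1.1 TLSv1.2" "TLSv1.1|TLSv1|SSLv2Hello"

# Live use against your own server, with the command from the issue:
#   openssl s_client -connect localhost:8440 -tls1_2 </dev/null 2>&1 | handshake_ok
```

Matching on the full protocol name between `|` separators keeps a disabled `TLSv1` from also removing `TLSv1.1` or `TLSv1.2`.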
