[ https://issues.apache.org/jira/browse/TEZ-4096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16967986#comment-16967986 ]
Eric Yang commented on TEZ-4096:
--------------------------------
[~jeagles] I don't recommend adding this feature into Hadoop. Ssl-client.xml
is one of those weak spots in Hadoop that allows an application user to override
the system admin in truststore certificate management. This allows a POODLE-like
attack to downgrade encryption used by a weak certificate. Ssl-client.xml should
not be used on production systems IMHO.
> SSLFactory should make an attempt to add ssl config resources as "Path"
> -----------------------------------------------------------------------
>
> Key: TEZ-4096
> URL: https://issues.apache.org/jira/browse/TEZ-4096
> Project: Apache Tez
> Issue Type: Improvement
> Reporter: Rajesh Balamohan
> Priority: Major
> Attachments: TEZ-4096.1.patch, TEZ-4096.2.patch
>
>
> SSLFactory uses "String" instead of "Path" for adding "ssl-client.xml". When
> addResource is invoked with a string, {{Configuration}} tries to find it in
> the classloader and does not load the file correctly.
> [https://github.com/apache/tez/blob/master/tez-runtime-library/src/main/java/org/apache/tez/http/SSLFactory.java#L107]
> Conf:
> [https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/conf/Configuration.java#L3064]
> This creates an issue when ssl-client.xml is located in a path other
> than the classpath.
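Added example, not part of the original message and not Tez or Hadoop project code: the two `Configuration.addResource` overloads discussed in the issue, run against an ssl-client.xml that sits outside the classpath, with `getPropertySources` used to show which file supplied the truststore setting. It assumes hadoop-common is on the classpath; the class name, temp directory and truststore path are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.Arrays;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;

public class SslClientResourceDemo {
  // Key used in ssl-client.xml; the value written below is a constructed sample.
  static final String KEY = "ssl.client.truststore.location";

  /** Returns the value of KEY and the resources it was read from. */
  static String describe(Configuration conf) {
    return conf.get(KEY) + " from " + Arrays.toString(conf.getPropertySources(KEY));
  }

  public static void main(String[] args) throws IOException {
    // Constructed ssl-client.xml in a temp directory that is not on the classpath.
    java.nio.file.Path dir = Files.createTempDirectory("ssl-conf");
    java.nio.file.Path file = dir.resolve("ssl-client.xml");
    String xml = "<configuration><property>"
        + "<name>" + KEY + "</name>"
        + "<value>/etc/security/truststore.jks</value>"
        + "</property></configuration>";
    Files.write(file, xml.getBytes(StandardCharsets.UTF_8));

    // String overload: the argument is treated as a classpath resource name,
    // so a file that lives only on the local filesystem is not picked up.
    Configuration byString = new Configuration(false);
    byString.addResource(file.toString());
    System.out.println("addResource(String): " + describe(byString));

    // Path overload: the argument is read directly from the local filesystem.
    Configuration byPath = new Configuration(false);
    byPath.addResource(new Path(file.toUri()));
    System.out.println("addResource(Path):   " + describe(byPath));
  }
}
```

Logging the property sources at startup gives an administrator a record of which ssl-client.xml actually supplied the truststore location, which is the override concern raised in the comment above.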