-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53816/
-----------------------------------------------------------
Review request for Ambari, Alejandro Fernandez, Jonathan Hurley, Nate Cole,
UnlaliExantEP UnlaliExantEP, and Vitalyi Brodetskyi.
Bugs: AMBARI-18910
https://issues.apache.org/jira/browse/AMBARI-18910
Repository: ambari
Description
-------
SSL/TLS protocols should be explicitly enabled and then filtered when Ambari
starts up.
Currently the following protocols are explicitly enabled:
* `SSLv2Hello`
* `TLSv1`
# org/apache/ambari/server/controller/AmbariServer.java:718}
```
factory.setIncludeProtocols(new String[] { "SSLv2Hello","TLSv1"});
```
However the following protocols should be enabled by default:
- `SSLv2Hello`
- `TLSv1`
- `TLSv1.1`
- `TLSv1.2`
- `SSLv3`
# Example
```
factory.setIncludeProtocols(new String[]
{"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
```
Once set, the protocols may be filtered out using the
`security.server.disabled.protocols` property from the ambari.properties file.
For example:
# Disables TLSv1, TLSv1.1, and SSLv2Hello}
```
security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello
```
The availability of a particular protocol may be tested using the OpenSSL
s_client facility.
# Example: Test for TLSv1.2
```
openssl s_client -connect localhost:8440 -tls1_2
```
# Example successful result
```
CONNECTED(00000003)
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify return:1
---
Certificate chain
0 s:/C=XX/L=Default City/O=Default Company Ltd
i:/C=XX/L=Default City/O=Default Company Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIā¦
-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd
issuer=/C=XX/L=Default City/O=Default Company Ltd
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 2248 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5829F75B49C2FED58C60CB7663181B39BCA3AF473F253EDB4BA04D827B9D58BA
Session-ID-ctx:
Master-Key:
46301FB9B4263547C62F8C793380319DC60A10C1D077C7DAB52D328B12D1FB4B868EE5131CD7F62917C02866196317B8
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1479145307
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
```
# Example failure result
```
CONNECTED(00000003)
140518067173192:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1479145122
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
```
Note: This does not address the agent-side issue of connecting to an Ambari
server where TLSv1 is disabled. See AMBARI-17666.
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
193d677
Diff: https://reviews.apache.org/r/53816/diff/
Testing
-------
Manually tested using OpenSSL s_client.
Thanks,
Robert Levas
