> On Nov. 16, 2016, 1:49 p.m., Sumit Mohanty wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java, line 772
> > <https://reviews.apache.org/r/53816/diff/1/?file=1565266#file1565266line772>
> >
> >     Comment for later - should this list be configurable?

This is configurable by being able to turn them off via `security.server.disabled.protocols` to maintain backwards compatibility. Related to this, the JVM has a way to enable and disable these protocols via the java.security file. For example, for later versions of Java, SSLv3 is turned off in the VM and thus will need to be turned on for Ambari to use it even with the change in this patch. See http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html.


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53816/#review156102
-----------------------------------------------------------


On Nov. 16, 2016, 1:47 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53816/
> -----------------------------------------------------------
>
> (Updated Nov. 16, 2016, 1:47 p.m.)
>
>
> Review request for Ambari, Alejandro Fernandez, Jonathan Hurley, Nate Cole, UnlaliExantEP UnlaliExantEP, and Vitalyi Brodetskyi.
>
>
> Bugs: AMBARI-18910
>     https://issues.apache.org/jira/browse/AMBARI-18910
>
>
> Repository: ambari
>
>
> Description
> -------
>
> SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up.
>
> Currently the following protocols are explicitly enabled:
> * `SSLv2Hello`
> * `TLSv1`
>
> # org/apache/ambari/server/controller/AmbariServer.java:718
> ```
> factory.setIncludeProtocols(new String[] { "SSLv2Hello","TLSv1"});
> ```
>
> However the following protocols should be enabled by default:
> - `SSLv2Hello`
> - `TLSv1`
> - `TLSv1.1`
> - `TLSv1.2`
> - `SSLv3`
>
> # Example
> ```
> factory.setIncludeProtocols(new String[] {"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
> ```
>
> Once set, the protocols may be filtered out using the `security.server.disabled.protocols` property from the ambari.properties file. For example:
>
> # Disables TLSv1, TLSv1.1, and SSLv2Hello
> ```
> security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello
> ```
>
>
> The availability of a particular protocol may be tested using the OpenSSL s_client facility.
>
> # Example: Test for TLSv1.2
> ```
> openssl s_client -connect localhost:8440 -tls1_2
> ```
>
> # Example successful result
> ```
> CONNECTED(00000003)
> depth=0 C = XX, L = Default City, O = Default Company Ltd
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = XX, L = Default City, O = Default Company Ltd
> verify return:1
> ---
> Certificate chain
>  0 s:/C=XX/L=Default City/O=Default Company Ltd
>    i:/C=XX/L=Default City/O=Default Company Ltd
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MII…
> -----END CERTIFICATE-----
> subject=/C=XX/L=Default City/O=Default Company Ltd
> issuer=/C=XX/L=Default City/O=Default Company Ltd
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, secp521r1, 521 bits
> ---
> SSL handshake has read 2248 bytes and written 441 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 5829F75B49C2FED58C60CB7663181B39BCA3AF473F253EDB4BA04D827B9D58BA
>     Session-ID-ctx:
>     Master-Key: 46301FB9B4263547C62F8C793380319DC60A10C1D077C7DAB52D328B12D1FB4B868EE5131CD7F62917C02866196317B8
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1479145307
>     Timeout   : 7200 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> ```
>
> # Example failure result
> ```
> CONNECTED(00000003)
> 140518067173192:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1479145122
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
> ```
>
>
> Note: This does not address the agent-side issue of connecting to an Ambari server where TLSv1 is disabled. See AMBARI-17666.
>
>
> Diffs
> -----
>
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 193d677
>
> Diff: https://reviews.apache.org/r/53816/diff/
>
>
> Testing
> -------
>
> Manually tested using OpenSSL s_client.
>
>
> Thanks,
>
> Robert Levas
>
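As an added illustration of the include-then-filter behaviour described in the review request and of Robert's point about the JVM's own java.security settings (this is not code from the Ambari patch), the Java snippet below applies a `security.server.disabled.protocols` value to the proposed include list and then reports which surviving protocols the running JVM's default SSL parameters would not enable anyway. The class and method names are assumptions; the property name, separator and protocol list come from the review request.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Hypothetical helper, not part of Ambari: models the filtering logic from AMBARI-18910.
public class ProtocolFilterCheck {
    // Default include list proposed in the review request
    static final String[] INCLUDE_PROTOCOLS =
        {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};

    /** Parse the pipe-separated security.server.disabled.protocols value. */
    static Set<String> parseDisabled(String value) {
        Set<String> disabled = new HashSet<>();
        if (value == null) return disabled;
        for (String p : value.split("\\|")) {
            String t = p.trim();
            if (!t.isEmpty()) disabled.add(t);
        }
        return disabled;
    }

    /** Include list minus the disabled set, order preserved. */
    static List<String> effectiveProtocols(String[] include, String disabledValue) {
        Set<String> disabled = parseDisabled(disabledValue);
        List<String> out = new ArrayList<>();
        for (String p : include) if (!disabled.contains(p)) out.add(p);
        return out;
    }

    /** Protocols that pass Ambari's filter but are absent from the JVM's default
     *  enabled set (e.g. SSLv3 where java.security's jdk.tls.disabledAlgorithms
     *  lists it). Default parameters are client-side, so SSLv2Hello may also be
     *  reported even though a server socket can accept it. */
    static List<String> notEnabledByJvm(List<String> wanted) throws Exception {
        Set<String> jvmDefault = new HashSet<>(Arrays.asList(
            SSLContext.getDefault().getDefaultSSLParameters().getProtocols()));
        List<String> missing = new ArrayList<>();
        for (String p : wanted) if (!jvmDefault.contains(p)) missing.add(p);
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value, same shape as the ambari.properties example
        String disabledValue = "TLSv1.1|TLSv1|SSLv2Hello";
        List<String> effective = effectiveProtocols(INCLUDE_PROTOCOLS, disabledValue);
        System.out.println("Effective protocols after filter: " + effective);
        System.out.println("Not in this JVM's default set: " + notEnabledByJvm(effective));
    }
}
```

Run it with the JDK that Ambari Server uses; the second line tells you which protocols would still need to be re-enabled in java.security before the include list actually takes effect.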
