-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53816/#review156105
-----------------------------------------------------------


Ship it!

- Robert Nettleton


On Nov. 16, 2016, 6:47 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53816/
> -----------------------------------------------------------
> 
> (Updated Nov. 16, 2016, 6:47 p.m.)
> 
> 
> Review request for Ambari, Alejandro Fernandez, Jonathan Hurley, Nate Cole, 
> UnlaliExantEP UnlaliExantEP, and Vitalyi Brodetskyi.
> 
> 
> Bugs: AMBARI-18910
>     https://issues.apache.org/jira/browse/AMBARI-18910
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> SSL/TLS protocols should be explicitly enabled and then filtered when Ambari 
> starts up.
> 
> Currently the following protocols are explicitly enabled:
> - `SSLv2Hello`
> - `TLSv1`
> 
> # org/apache/ambari/server/controller/AmbariServer.java:718
> ```
> factory.setIncludeProtocols(new String[] { "SSLv2Hello","TLSv1"});
> ```
> 
> However the following protocols should be enabled by default:
> - `SSLv2Hello`
> - `TLSv1`
> - `TLSv1.1`
> - `TLSv1.2`
> - `SSLv3`
> 
> # Example
> ```
> factory.setIncludeProtocols(new String[] 
> {"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
> ```
> 
> Once set, the protocols may be filtered out using the 
> `security.server.disabled.protocols` property from the ambari.properties 
> file. For example:
> # Disables TLSv1, TLSv1.1, and SSLv2Hello
> ```
> security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello
> ```
> 
> 
> The availability of a particular protocol may be tested using the OpenSSL 
> s_client facility.
> 
> # Example: Test for TLSv1.2
> ```
> openssl s_client -connect localhost:8440 -tls1_2
> ```
> 
> # Example successful result
> ```
> CONNECTED(00000003)
> depth=0 C = XX, L = Default City, O = Default Company Ltd
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = XX, L = Default City, O = Default Company Ltd
> verify return:1
> ---
> Certificate chain
> 0 s:/C=XX/L=Default City/O=Default Company Ltd
>    i:/C=XX/L=Default City/O=Default Company Ltd
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MII…
> -----END CERTIFICATE-----
> subject=/C=XX/L=Default City/O=Default Company Ltd
> issuer=/C=XX/L=Default City/O=Default Company Ltd
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, secp521r1, 521 bits
> ---
> SSL handshake has read 2248 bytes and written 441 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 5829F75B49C2FED58C60CB7663181B39BCA3AF473F253EDB4BA04D827B9D58BA
>     Session-ID-ctx:
>     Master-Key: 46301FB9B4263547C62F8C793380319DC60A10C1D077C7DAB52D328B12D1FB4B868EE5131CD7F62917C02866196317B8
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1479145307
>     Timeout   : 7200 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> ```
> 
> # Example failure result
> ```
> CONNECTED(00000003)
> 140518067173192:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1479145122
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
> ```
> 
> 
> Note: This does not address the agent-side issue of connecting to an Ambari 
> server where TLSv1 is disabled.  See AMBARI-17666.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 193d677 
> 
> Diff: https://reviews.apache.org/r/53816/diff/
> 
> 
> Testing
> -------
> 
> Manually tested using OpenSSL s_client.
> 
> 
> Thanks,
> 
> Robert Levas
> 
>

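Added example (not part of the review thread and not Ambari's own code): a small Python model of the protocol selection the request above describes. The server first enables an explicit protocol list and then removes whatever the `security.server.disabled.protocols` value in ambari.properties names, using `|` as the separator. The protocol names and the property key come from the request; the function names, the minimal properties parser, the mapping to `openssl s_client` version flags, and the empty-result guard are assumptions of this example.

```python
"""Model of Ambari's include-then-filter TLS protocol selection (example code)."""

from typing import Dict, List

# Protocol list the review request says should be enabled by default.
DEFAULT_INCLUDE_PROTOCOLS = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Property key and separator as described in the review request.
DISABLED_PROTOCOLS_KEY = "security.server.disabled.protocols"
SEPARATOR = "|"

# openssl s_client flag that forces a single protocol version, for checking the
# result the way the request does.  SSLv2Hello is a ClientHello record format
# rather than a negotiable version, so s_client has no flag for it; -ssl3 only
# exists in OpenSSL builds that still include SSLv3.
OPENSSL_FLAGS = {"SSLv3": "-ssl3", "TLSv1": "-tls1", "TLSv1.1": "-tls1_1", "TLSv1.2": "-tls1_2"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for ambari.properties lines (comments and blanks skipped)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_disabled(value: str) -> List[str]:
    """Split the '|'-separated value, tolerating stray whitespace and empty entries."""
    return [p.strip() for p in value.split(SEPARATOR) if p.strip()]


def effective_protocols(include: List[str], disabled_value: str) -> List[str]:
    """Explicitly enabled protocols minus those named as disabled, original order kept."""
    disabled = set(parse_disabled(disabled_value))
    return [p for p in include if p not in disabled]


def expected_s_client_results(enabled: List[str]) -> Dict[str, bool]:
    """Per s_client version flag: True if the handshake should succeed, False if it
    should end in 'ssl handshake failure' like the failure transcript above."""
    enabled_set = set(enabled)
    return {flag: (proto in enabled_set) for proto, flag in OPENSSL_FLAGS.items()}


def check_not_empty(enabled: List[str]) -> None:
    """Misconfiguration guard: disabling every protocol leaves the server unable to handshake at all."""
    if not enabled:
        raise ValueError(f"{DISABLED_PROTOCOLS_KEY} removes every enabled protocol")


# Constructed sample ambari.properties fragment using the value from the request.
SAMPLE_PROPERTIES = """
# constructed sample, not a real Ambari configuration file
security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    enabled = effective_protocols(DEFAULT_INCLUDE_PROTOCOLS, props.get(DISABLED_PROTOCOLS_KEY, ""))
    check_not_empty(enabled)
    print("effective protocols:", enabled)
    for flag, ok in expected_s_client_results(enabled).items():
        outcome = "handshake" if ok else "handshake failure"
        print(f"  openssl s_client -connect localhost:8440 {flag}: {outcome}")
```

With the sample value from the request, the effective list is SSLv3 and TLSv1.2, so `-tls1_2` (and `-ssl3`, where the OpenSSL build supports it) should reach the handshake while `-tls1` and `-tls1_1` should fail, which is the pair of transcripts shown above. The guard is there because the filter is subtractive: a disabled list that names all five protocols leaves nothing for Jetty to offer.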