GitHub user vanzin opened a pull request: https://github.com/apache/spark/pull/20723
[SPARK-23538][core] Remove custom configuration for SSL client.

These options were used to configure the built-in JRE SSL libraries when downloading files from HTTPS servers. But because they were also used to set up the now (long) removed internal HTTPS file server, their default configuration chose convenience over security by having overly lenient settings.

This change removes the configuration options that affect the JRE SSL libraries. The JRE trust store can still be configured via system properties (or globally in the JRE security config). The only lost functionality is not being able to disable the default hostname verifier when using spark-submit, which should be fine since Spark itself is not using https for any internal functionality anymore.

I also removed the HTTP-related code from the REPL class loader, since we haven't had a HTTP server for REPL-generated classes for a while.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/vanzin/spark SPARK-23538

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/20723.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #20723

----
commit c83611eca573f3f460790f4fde7bea7ef7887839
Author: Marcelo Vanzin <vanzin@...>
Date:   2018-03-02T21:43:48Z

    [SPARK-23538][core] Remove custom configuration for SSL client.

    These options were used to configure the built-in JRE SSL libraries when downloading files from HTTPS servers. But because they were also used to set up the now (long) removed internal HTTPS file server, their default configuration chose convenience over security by having overly lenient settings.

    This change removes the configuration options that affect the JRE SSL libraries. The JRE trust store can still be configured via system properties (or globally in the JRE security config). The only lost functionality is not being able to disable the default hostname verifier when using spark-submit, which should be fine since Spark itself is not using https for any internal functionality anymore.

    I also removed the HTTP-related code from the REPL class loader, since we haven't had a HTTP server for REPL-generated classes for a while.

----