GitHub user vanzin opened a pull request:

    https://github.com/apache/spark/pull/20723

    [SPARK-23538][core] Remove custom configuration for SSL client.

    These options were used to configure the built-in JRE SSL libraries
    when downloading files from HTTPS servers. But because they were also
    used to set up the now (long) removed internal HTTPS file server,
    their default configuration chose convenience over security by having
    overly lenient settings.
    
    This change removes the configuration options that affect the JRE SSL
    libraries. The JRE trust store can still be configured via system
    properties (or globally in the JRE security config). The only lost
    functionality is not being able to disable the default hostname
    verifier when using spark-submit, which should be fine since Spark
    itself is not using https for any internal functionality anymore.
    
    I also removed the HTTP-related code from the REPL class loader, since
    we haven't had a HTTP server for REPL-generated classes for a while.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/vanzin/spark SPARK-23538

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/20723.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #20723
    
----
commit c83611eca573f3f460790f4fde7bea7ef7887839
Author: Marcelo Vanzin <vanzin@...>
Date:   2018-03-02T21:43:48Z

    [SPARK-23538][core] Remove custom configuration for SSL client.
    
    These options were used to configure the built-in JRE SSL libraries
    when downloading files from HTTPS servers. But because they were also
    used to set up the now (long) removed internal HTTPS file server,
    their default configuration chose convenience over security by having
    overly lenient settings.
    
    This change removes the configuration options that affect the JRE SSL
    libraries. The JRE trust store can still be configured via system
    properties (or globally in the JRE security config). The only lost
    functionality is not being able to disable the default hostname
    verifier when using spark-submit, which should be fine since Spark
    itself is not using https for any internal functionality anymore.
    
    I also removed the HTTP-related code from the REPL class loader, since
    we haven't had a HTTP server for REPL-generated classes for a while.

----

