[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-03-02 Thread John Zhuge (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15893116#comment-15893116
 ] 

John Zhuge commented on HADOOP-14083:
-

Filed a follow-up HDFS-11490 Store KMS SSL keystore password in 
catalina.properties.

> KMS should support old SSL clients
> --
>
> Key: HADOOP-14083
> URL: https://issues.apache.org/jira/browse/HADOOP-14083
> Project: Hadoop Common
>  Issue Type: Improvement
>  Components: kms
>Affects Versions: 2.8.0, 2.7.4, 2.6.6
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Minor
> Fix For: 2.9.0
>
> Attachments: HADOOP-14083.branch-2.001.patch, 
> HADOOP-14083.branch-2.002.patch
>
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL 
> clients such as curl stop working. The symptom is {{NSS error -12286}} when 
> running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to 
> explicitly allow enough weak ciphers so that old SSL clients can work.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org



[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-27 Thread John Zhuge (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15887132#comment-15887132
 ] 

John Zhuge commented on HADOOP-14083:
-

Thanks [~eddyxu] and [~xiaochen] for the review and commit. Thanks [~aw] and 
[~rkanter] for the reviews and comments.




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-23 Thread Xiao Chen (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15881036#comment-15881036
 ] 

Xiao Chen commented on HADOOP-14083:


bq. KMS_SILENT changes do not apply to trunk because  kms.sh has been re-written
Oh, right. I knew that
I'm fine either way then, since the 3 points are not strong:
- apply to trunk: not true
- compatibility: don't think there's anything depending on printing that 
information except for debugging. 
- cleanness: judgement call

So +1, and +1 to the HTTPFS equivalent.




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-23 Thread John Zhuge (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15880983#comment-15880983
 ] 

John Zhuge commented on HADOOP-14083:
-

KMS_SILENT changes will not apply to trunk because kms.sh has been re-written 
and kms-config.sh removed.




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-23 Thread Xiao Chen (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15880975#comment-15880975
 ] 

Xiao Chen commented on HADOOP-14083:


Thanks John, as chatted offline let's split that to another jira since that 
will likely apply to trunk as well. And personally not sure whether that change 
is deemed incompatible by admins or not :)




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-23 Thread John Zhuge (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15880960#comment-15880960
 ] 

John Zhuge commented on HADOOP-14083:
-

Sure [~xiaochen], I will move KMS_SILENT enhancements to another JIRA, they 
somewhat improve operational security by hiding some sensitive info from console.




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-23 Thread Xiao Chen (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15880936#comment-15880936
 ] 

Xiao Chen commented on HADOOP-14083:


I'd prefer to have the {{KMS_SILENT}} changes separate for cleanness. +1 
pending that. Thanks for the work here John.

Any comments from [~aw] ?





[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-23 Thread John Zhuge (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15880923#comment-15880923
 ] 

John Zhuge commented on HADOOP-14083:
-

bq. are those KMS_SILENT changes related here?

Just random enhancement I threw in

bq. how is the catalina-default.properties file generated / written? I'm not 
familiar with tomcat enough to review that file. Any links appreciated.

I generated the file {{catalina-default.properties}} based on the 
{{catalina.properties}} automatically generated by Tomcat if it is missing. 
Without the default properties, Tomcat would not accept the file with only 
custom properties.




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-22 Thread Xiao Chen (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15877787#comment-15877787
 ] 

Xiao Chen commented on HADOOP-14083:


Thanks for the patch [~jzhuge]. Seems fine to me overall, just a couple 
questions:
- are those {{KMS_SILENT}} changes related here?
- how is the {{catalina-default.properties}} file generated / written? I'm not 
familiar with tomcat enough to review that file. Any links appreciated.




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-19 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15873639#comment-15873639
 ] 

Hadoop QA commented on HADOOP-14083:


| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 17s | Docker mode activated. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| -1 | test4tests | 0m 0s | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| +1 | mvninstall | 6m 29s | branch-2 passed |
| +1 | compile | 5m 37s | branch-2 passed with JDK v1.8.0_121 |
| +1 | compile | 6m 29s | branch-2 passed with JDK v1.7.0_121 |
| +1 | mvnsite | 0m 25s | branch-2 passed |
| +1 | mvneclipse | 0m 17s | branch-2 passed |
| +1 | javadoc | 0m 14s | branch-2 passed with JDK v1.8.0_121 |
| +1 | javadoc | 0m 17s | branch-2 passed with JDK v1.7.0_121 |
| +1 | mvninstall | 0m 20s | the patch passed |
| +1 | compile | 5m 31s | the patch passed with JDK v1.8.0_121 |
| +1 | javac | 5m 31s | the patch passed |
| +1 | compile | 6m 30s | the patch passed with JDK v1.7.0_121 |
| +1 | javac | 6m 30s | the patch passed |
| +1 | mvnsite | 0m 25s | the patch passed |
| +1 | mvneclipse | 0m 18s | the patch passed |
| +1 | shellcheck | 0m 9s | The patch generated 0 new + 515 unchanged - 3 fixed = 515 total (was 518) |
| +1 | shelldocs | 0m 8s | There were no new shelldocs issues. |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | xml | 0m 0s | The patch has no ill-formed XML file. |
| +1 | javadoc | 0m 14s | the patch passed with JDK v1.8.0_121 |
| +1 | javadoc | 0m 16s | the patch passed with JDK v1.7.0_121 |
| +1 | unit | 1m 46s | hadoop-kms in the patch passed with JDK v1.7.0_121. |
| +1 | asflicense | 0m 24s | The patch does not generate ASF License warnings. |
| | | 39m 5s | |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:b59b8b7 |
| JIRA Issue | HADOOP-14083 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12853456/HADOOP-14083.branch-2.002.patch |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit xml shellcheck shelldocs |
| uname | Linux 6f42f8dc0374 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision | branch-2 / 8a88e8e |
| Default Java | 1.7.0_121 |
| Multi-JDK versions |  /usr/lib/jvm/java-8-oracle:1.8.0_121 

[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-16 Thread Robert Kanter (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15870480#comment-15870480
 ] 

Robert Kanter commented on HADOOP-14083:


{quote}Good news is, trunk has gotten rid of tomcat and is on jetty now!{quote}
Oh, right.  I knew that.




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-16 Thread Allen Wittenauer (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15870473#comment-15870473
 ] 

Allen Wittenauer commented on HADOOP-14083:
---

bq. How can I fix the shellcheck errors for the multi-line string?

It's really shellcheck giving a hint that this is doing something it shouldn't. 
There are two key problems with this approach:

1) any space in that string will cause a new option to be formed on the command 
line

2) the command line is going to be REALLY long and will likely blow CLI buffers 
on some operating systems

Maybe this should just be a change to catalina.properties?

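The first problem raised in the comment above (a space in the cipher string becomes a new command-line option), shown as an added shell example that is not part of the thread or of the HADOOP-14083 patch. The property name `kms.ssl.ciphers`, the helper names and both cipher lists are assumptions constructed for illustration; the second half validates the list and writes it to a `catalina.properties`-style file instead of the command line.

```shell
#!/bin/sh
# Added example. Assumptions: the property name kms.ssl.ciphers, the helper
# names and both cipher lists are constructed for illustration.
LC_ALL=C; export LC_ALL

# Constructed input: the first list has an accidental space after the comma.
CIPHERS_WITH_SPACE="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
CIPHERS_CLEAN="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Number of argv words produced when a launcher expands the option unquoted
# (the usual "java $CATALINA_OPTS ..." pattern).
argv_words_for() {
  opts="-Dkms.ssl.ciphers=$1"
  # shellcheck disable=SC2086
  set -- $opts          # unquoted on purpose: this is the word splitting
  echo "$#"
}

# Accept only comma-separated suite names: no whitespace, quotes or empties.
valid_cipher_list() {
  case "$1" in
    "" | *[!A-Z0-9_,]* | ,* | *, | *,,*) return 1 ;;
    *) return 0 ;;
  esac
}

# Set the key in a properties file, keeping every other line as it was.
# A list that fails validation leaves the file untouched.
set_cipher_property() {
  file=$1
  ciphers=$2
  if ! valid_cipher_list "$ciphers"; then
    echo "rejected cipher list: whitespace or illegal character" >&2
    return 1
  fi
  tmp="$file.tmp.$$"
  {
    if [ -f "$file" ]; then
      grep -v '^kms\.ssl\.ciphers=' "$file" || true
    fi
    printf 'kms.ssl.ciphers=%s\n' "$ciphers"
  } > "$tmp" && mv "$tmp" "$file"
}

# Read the value back from the properties file.
get_cipher_property() {
  sed -n 's/^kms\.ssl\.ciphers=//p' "$1"
}

demo() {
  dir=$(mktemp -d) || return 1
  props="$dir/catalina.properties"
  printf 'package.access=sun.\n' > "$props"   # constructed stand-in content
  echo "clean list      -> $(argv_words_for "$CIPHERS_CLEAN") argv word(s)"
  echo "list with space -> $(argv_words_for "$CIPHERS_WITH_SPACE") argv word(s)"
  set_cipher_property "$props" "$CIPHERS_WITH_SPACE" || echo "file left unchanged"
  set_cipher_property "$props" "$CIPHERS_CLEAN" && cat "$props"
  rm -rf "$dir"
}
demo
```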



[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-16 Thread Xiao Chen (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15870459#comment-15870459
 ] 

Xiao Chen commented on HADOOP-14083:


Good news is, trunk has gotten rid of tomcat and is on jetty now! :)




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-16 Thread Robert Kanter (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15870431#comment-15870431
 ] 

Robert Kanter commented on HADOOP-14083:


In that case, we could have a branch-2 version of the patch which includes the 
older ciphers for compatibility, and a trunk version of the patch that does not 
for security.  That said, we have broken compatibility in the past for security 
fixes.




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-16 Thread Xiao Chen (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15869544#comment-15869544
 ] 

Xiao Chen commented on HADOOP-14083:


Thanks John for filing a jira and providing a patch, and Allen for discussion.

I agree with Allen that best practice is default to strong, and allow people to 
configure.

But from this 
[comment|https://issues.apache.org/jira/browse/HADOOP-13812?focusedCommentId=15695443=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15695443]
 of HADOOP-13812, clients could break outright after upgrading. HADOOP-13812 is 
marked incompatible, but in x.y.z branches to include tomcat security fixes. 

So choosing between the two frown-upon's, IMO we should trade off for 
compatibility here, and release doc it so security-concerned users are aware.




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-15 Thread John Zhuge (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15869324#comment-15869324
 ] 

John Zhuge commented on HADOOP-14083:
-

[~aw] How can I fix the shellcheck errors for the multi-line string? Just 
disable SC2140?
{noformat}
./hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh:72:79: warning: Word is on the form "A"B"C" (B indicated). Did you mean "ABC" or "A\"B\"C"? [SC2140]
./hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh:73:79: warning: Word is on the form "A"B"C" (B indicated). Did you mean "ABC" or "A\"B\"C"? [SC2140]
{noformat}

{code}
71  #  export KMS_SSL_CIPHERS=\
72  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"\
73  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"\
74  "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,"\
{code}




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-15 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15868574#comment-15868574
 ] 

Hadoop QA commented on HADOOP-14083:


| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 20m 36s | Docker mode activated. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| -1 | test4tests | 0m 0s | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| +1 | mvninstall | 9m 1s | branch-2 passed |
| +1 | compile | 5m 43s | branch-2 passed with JDK v1.8.0_121 |
| +1 | compile | 6m 35s | branch-2 passed with JDK v1.7.0_121 |
| +1 | mvnsite | 0m 26s | branch-2 passed |
| +1 | mvneclipse | 0m 19s | branch-2 passed |
| +1 | javadoc | 0m 16s | branch-2 passed with JDK v1.8.0_121 |
| +1 | javadoc | 0m 17s | branch-2 passed with JDK v1.7.0_121 |
| +1 | mvninstall | 0m 20s | the patch passed |
| +1 | compile | 5m 41s | the patch passed with JDK v1.8.0_121 |
| +1 | javac | 5m 41s | the patch passed |
| +1 | compile | 6m 36s | the patch passed with JDK v1.7.0_121 |
| +1 | javac | 6m 36s | the patch passed |
| +1 | mvnsite | 0m 25s | the patch passed |
| +1 | mvneclipse | 0m 17s | the patch passed |
| -1 | shellcheck | 0m 7s | The patch generated 18 new + 518 unchanged - 0 fixed = 536 total (was 518) |
| +1 | shelldocs | 0m 8s | There were no new shelldocs issues. |
| +1 | whitespace | 0m 0s | The patch has no whitespace issues. |
| +1 | javadoc | 0m 15s | the patch passed with JDK v1.8.0_121 |
| +1 | javadoc | 0m 17s | the patch passed with JDK v1.7.0_121 |
| +1 | unit | 2m 7s | hadoop-kms in the patch passed with JDK v1.7.0_121. |
| +1 | asflicense | 0m 26s | The patch does not generate ASF License warnings. |
| | | 63m 15s | |

|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:b59b8b7 |
| JIRA Issue | HADOOP-14083 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12852897/HADOOP-14083.branch-2.001.patch |
| Optional Tests | asflicense mvnsite unit shellcheck shelldocs compile javac javadoc mvninstall |
| uname | Linux 6ba85d1b4f68 3.13.0-106-generic #153-Ubuntu SMP Tue Dec 6 15:44:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh |
| git revision | branch-2 / 323782b |
| Default Java | 1.7.0_121 |
| Multi-JDK versions | /usr/lib/jvm/java-8-oracle:1.8.0_121 /usr/lib/jvm/java-7-openjdk-amd64:1.7.0_121 |
| shellcheck | v0.4.5 |
| shellcheck | 

[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-15 Thread Allen Wittenauer (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15868460#comment-15868460
 ] 

Allen Wittenauer commented on HADOOP-14083:
---

I believe our current practice in the rest of the Hadoop code is to default to 
strong, but give an option to allow the user to enable weaker ones as necessary.




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-15 Thread John Zhuge (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15868456#comment-15868456
 ] 

John Zhuge commented on HADOOP-14083:
-

Yeah, tough choice between security and backwards compatibility.

I will post a patch so that you can examine the list of ciphers I picked.




[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

2017-02-15 Thread Allen Wittenauer (JIRA)

[ 
https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15868443#comment-15868443
 ] 

Allen Wittenauer commented on HADOOP-14083:
---

It seems like a really bad idea to support weak SSL ciphers given KMS is for 
security.  In the specific case of curl, I'm 99% certain that curl's cipher 
usage is specifically tied to the version of OpenSSL in use as well as what 
options are used on the command line. (This is one of the reasons why many 
people build their own versions of curl, etc. on systems such as OS X, which are 
known to have old versions of OpenSSL installed.)
