[jira] [Commented] (RANGER-1500) Add support to exclude/disable SSL protocols.

2017-05-05 Thread Gautam Borad (JIRA)

[ https://issues.apache.org/jira/browse/RANGER-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15998686#comment-15998686 ]

Gautam Borad commented on RANGER-1500:
--

Committed to master : 58116e0118909b7ef495c3721575ba866a919c3a
Committed to ranger-0.7 : 07fc810408d1b5772925357413795dd7d93bdc8e

> Add support to exclude/disable SSL protocols.
> -
>
> Key: RANGER-1500
> URL: https://issues.apache.org/jira/browse/RANGER-1500
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 0.7.0
> Reporter: Ayub Pathan
> Assignee: bhavik patel
> Priority: Critical
> Fix For: 1.0.0, 0.7.1
>
> Attachments: RANGER-1500-1.patch, RANGER-1500-2.patch, 
> RANGER-1500-3.patch, RANGER-1500.patch
>
>
> Add support to disable/exclude weaker SSL protocols like TLSv1, TLSv1.1 for 
> ranger.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (RANGER-1500) Add support to exclude/disable SSL protocols.

2017-04-07 Thread Colm O hEigeartaigh (JIRA)

[ https://issues.apache.org/jira/browse/RANGER-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15960351#comment-15960351 ]

Colm O hEigeartaigh commented on RANGER-1500:
-

For 0.7.1 at least, we should probably support TLS v1 + TLSv1.1 as well. The 
goal should be to exclude SSLv3. It would be good to add tests for the 
different protocols so that we can have confidence in any configuration changes.

> Add support to exclude/disable SSL protocols.
> -
>
> Key: RANGER-1500
> URL: https://issues.apache.org/jira/browse/RANGER-1500
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 0.7.0
> Reporter: Ayub Khan
> Priority: Critical
> Fix For: 1.0.0, 0.7.1
>
>
> Add support to disable/exclude weaker SSL protocols like TLSv1, TLSv1.1 for 
> ranger.





[jira] [Commented] (RANGER-1500) Add support to exclude/disable SSL protocols.

2017-04-06 Thread Ayub Khan (JIRA)

[ https://issues.apache.org/jira/browse/RANGER-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15959382#comment-15959382 ]

Ayub Khan commented on RANGER-1500:
---

Looking at the Ranger code, I understood that the Tomcat Catalina connector is 
used for SSL configuration.

Below is my understanding:
HTTPS connector parameter sslProtocol defines which SSL/TLS protocols are 
enabled by default.
e.g. for Oracle JDK 7: 
1) setProtocol="TLS" will enable SSLv3 and TLSv1 
2) setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLS v1.2 
3) setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1 
4) setProtocol="TLSv1" will enable SSLv3 and TLSv1 
5) setProtocol="SSL" will enable SSLv3 and TLSv1 
6) setProtocol="SSLv3" will enable SSLv3 and TLSv1 
7) setProtocol="SSLv2" won't work

Note that even if some protocol is not enabled by default, it can be enabled by 
specifying the sslEnabledProtocols parameter.
So in the Ranger code, in order to restrict the available protocols to only 
TLSv1.2, a simple fix is to change the sslEnabledProtocols parameter value from 
"SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2" to "TLSv1.2" 
here (https://github.com/apache/ranger/blob/ranger-0.7/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java#L151).

The configuration looks like this after making the above changes: sslProtocol="SSL" 
sslEnabledProtocols="TLSv1.2".
Is my understanding correct?

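An added example (not from this thread and not Ranger's code) for checking, on a given JDK, the distinction the comment above draws between the context protocol name and the enabled-protocol list: it prints what a server-side JSSE engine enables by default for each context name, then applies an exclusion list. The class name, the helper `withoutExcluded` and the exclusion list are assumptions chosen for illustration; the printed defaults depend on the JDK version and its security properties.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ProtocolExclusionDemo {

    // Hypothetical helper: drop excluded protocol names from a candidate list.
    static String[] withoutExcluded(String[] candidates, Set<String> excluded) {
        List<String> kept = new ArrayList<>();
        for (String p : candidates) {
            if (!excluded.contains(p)) {
                kept.add(p);
            }
        }
        if (kept.isEmpty()) {
            // Fail closed rather than silently fall back to JDK defaults.
            throw new IllegalStateException("no protocol left after exclusion");
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed exclusion list for the demo, not a Ranger default.
        Set<String> excluded = new HashSet<>(
                Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"));

        for (String name : new String[] {"TLS", "TLSv1.2"}) {
            SSLContext ctx = SSLContext.getInstance(name);
            ctx.init(null, null, null);      // default managers; no handshake happens
            SSLEngine engine = ctx.createSSLEngine();
            engine.setUseClientMode(false);  // inspect server-side defaults

            String[] defaults = engine.getEnabledProtocols();
            System.out.println(name + " enabled by default: " + Arrays.toString(defaults));

            // The enabled-protocol list, not the context name, is what restricts negotiation.
            engine.setEnabledProtocols(withoutExcluded(defaults, excluded));
            System.out.println(name + " after exclusion:    "
                    + Arrays.toString(engine.getEnabledProtocols()));
        }
    }
}
```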