[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients

2017-03-01 Thread John Zhuge (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

John Zhuge updated HDFS-11418:
--
   Resolution: Fixed
Fix Version/s: 2.9.0
   Status: Resolved  (was: Patch Available)

Committed to branch-2.

Thanks [~xiaochen] and [~eddyxu] for the review!

Filed HDFS-11485 "HttpFS should warn about weak ssl ciphers" to follow up 
Eddy's suggestion.

> HttpFS should support old SSL clients
> -
>
> Key: HDFS-11418
> URL: https://issues.apache.org/jira/browse/HDFS-11418
> Project: Hadoop HDFS
>  Issue Type: Improvement
>  Components: httpfs
>Affects Versions: 2.8.0, 2.7.4, 2.6.6
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Minor
> Fix For: 2.9.0
>
> Attachments: HDFS-11418.branch-2.001.patch, 
> HDFS-11418.branch-2.002.patch, HDFS-11418.branch-2.003.patch
>
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL 
> clients such as curl stop working. The symptom is {{NSS error -12286}} when 
> running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to 
> explicitly allow enough weak ciphers so that old SSL clients can work.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients

2017-03-01 Thread John Zhuge (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

John Zhuge updated HDFS-11418:
--
Attachment: HDFS-11418.branch-2.003.patch

Patch branch-2.003
* Fix the issue similar to HADOOP-14131

> HttpFS should support old SSL clients
> -
>
> Key: HDFS-11418
> URL: https://issues.apache.org/jira/browse/HDFS-11418
> Project: Hadoop HDFS
>  Issue Type: Improvement
>  Components: httpfs
>Affects Versions: 2.8.0, 2.7.4, 2.6.6
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Minor
> Attachments: HDFS-11418.branch-2.001.patch, 
> HDFS-11418.branch-2.002.patch, HDFS-11418.branch-2.003.patch
>
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL 
> clients such as curl stop working. The symptom is {{NSS error -12286}} when 
> running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to 
> explicitly allow enough weak ciphers so that old SSL clients can work.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients

2017-03-01 Thread John Zhuge (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

John Zhuge updated HDFS-11418:
--
Target Version/s: 2.9.0  (was: 2.8.0, 2.7.4, 2.6.6)

> HttpFS should support old SSL clients
> -
>
> Key: HDFS-11418
> URL: https://issues.apache.org/jira/browse/HDFS-11418
> Project: Hadoop HDFS
>  Issue Type: Improvement
>  Components: httpfs
>Affects Versions: 2.8.0, 2.7.4, 2.6.6
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Minor
> Attachments: HDFS-11418.branch-2.001.patch, 
> HDFS-11418.branch-2.002.patch, HDFS-11418.branch-2.003.patch
>
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL 
> clients such as curl stop working. The symptom is {{NSS error -12286}} when 
> running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to 
> explicitly allow enough weak ciphers so that old SSL clients can work.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients

2017-03-01 Thread John Zhuge (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

John Zhuge updated HDFS-11418:
--
Status: Patch Available  (was: Open)

> HttpFS should support old SSL clients
> -
>
> Key: HDFS-11418
> URL: https://issues.apache.org/jira/browse/HDFS-11418
> Project: Hadoop HDFS
>  Issue Type: Improvement
>  Components: httpfs
>Affects Versions: 2.8.0, 2.7.4, 2.6.6
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Minor
> Attachments: HDFS-11418.branch-2.001.patch, 
> HDFS-11418.branch-2.002.patch, HDFS-11418.branch-2.003.patch
>
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL 
> clients such as curl stop working. The symptom is {{NSS error -12286}} when 
> running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to 
> explicitly allow enough weak ciphers so that old SSL clients can work.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients

2017-02-27 Thread John Zhuge (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

John Zhuge updated HDFS-11418:
--
Status: Open  (was: Patch Available)

> HttpFS should support old SSL clients
> -
>
> Key: HDFS-11418
> URL: https://issues.apache.org/jira/browse/HDFS-11418
> Project: Hadoop HDFS
>  Issue Type: Improvement
>  Components: httpfs
>Affects Versions: 2.8.0, 2.7.4, 2.6.6
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Minor
> Attachments: HDFS-11418.branch-2.001.patch, 
> HDFS-11418.branch-2.002.patch
>
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL 
> clients such as curl stop working. The symptom is {{NSS error -12286}} when 
> running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to 
> explicitly allow enough weak ciphers so that old SSL clients can work.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients

2017-02-19 Thread John Zhuge (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

John Zhuge updated HDFS-11418:
--
Attachment: HDFS-11418.branch-2.002.patch

Patch branch-2.002
- Use file catalina.properties to transfer HttpFS properties instead of env 
CATALINA_OPTS
- Create catalina-default.properties to store default Tomcat properties
- Update doc

TODO
- Discuss Allen's idea of strong security by default

Follow up in a new JIRA
- Refactor HttpFS scripts based on catalina.properties technique

Testing done
- Run https://github.com/jzhuge/hadoop-bats-tests/blob/master/httpfs.bats in 
insecure and SSL single node setup
- Run sslscan to verify ciphers in the following test cases:
-- No HTTPFS_SSL_CIPHERS, to allow HttpFS default ciphers
-- HTTPFS_SSL_CIPHERS=“TLS_RSA_WITH_AES_128_CBC_SHA256“, to allow this 
cipher only

> HttpFS should support old SSL clients
> -
>
> Key: HDFS-11418
> URL: https://issues.apache.org/jira/browse/HDFS-11418
> Project: Hadoop HDFS
>  Issue Type: Improvement
>  Components: httpfs
>Affects Versions: 2.8.0, 2.7.4, 2.6.6
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Minor
> Attachments: HDFS-11418.branch-2.001.patch, 
> HDFS-11418.branch-2.002.patch
>
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL 
> clients such as curl stop working. The symptom is {{NSS error -12286}} when 
> running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to 
> explicitly allow enough weak ciphers so that old SSL clients can work.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients

2017-02-15 Thread John Zhuge (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

John Zhuge updated HDFS-11418:
--
Attachment: HDFS-11418.branch-2.001.patch

Patch branch-2.001
* Add env HTTPFS_SSL_CIPHERS, default to a list of selected ciphers
* Configure Tomcat to accept a list of ciphers

TODO
* Discuss Allen's idea of strong security by default

Testing done
* hadoop-hdfs-httpfs unit tests
* Verify HTTPFS_SSL_CIPHERS value on stdout during httpfs startup
* Run https://github.com/jzhuge/hadoop-bats-tests/blob/master/httpfs.bats in 
insecure, SSL, and SSL+Kerberos single node setup
* Sslcan result should include only listed ciphers
* On Centos 6.6, run the following curl command. Expect {{NSS error -12286}} 
without the fix.
{noformat}
curl -v -k --negotiate -u: -sS 
'https://HTTPFS_HOST:14000/webhdfs/v1/?op=liststatus'
{noformat}

> HttpFS should support old SSL clients
> -
>
> Key: HDFS-11418
> URL: https://issues.apache.org/jira/browse/HDFS-11418
> Project: Hadoop HDFS
>  Issue Type: Improvement
>  Components: httpfs
>Affects Versions: 2.8.0, 2.7.4, 2.6.6
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Minor
> Attachments: HDFS-11418.branch-2.001.patch
>
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL 
> clients such as curl stop working. The symptom is {{NSS error -12286}} when 
> running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to 
> explicitly allow enough weak ciphers so that old SSL clients can work.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients

2017-02-15 Thread John Zhuge (JIRA) 

 [ 
https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

John Zhuge updated HDFS-11418:
--
Status: Patch Available  (was: Open)

> HttpFS should support old SSL clients
> -
>
> Key: HDFS-11418
> URL: https://issues.apache.org/jira/browse/HDFS-11418
> Project: Hadoop HDFS
>  Issue Type: Improvement
>  Components: httpfs
>Affects Versions: 2.8.0, 2.7.4, 2.6.6
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Minor
> Attachments: HDFS-11418.branch-2.001.patch
>
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL 
> clients such as curl stop working. The symptom is {{NSS error -12286}} when 
> running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to 
> explicitly allow enough weak ciphers so that old SSL clients can work.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

-
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org