[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients
[ https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Zhuge updated HDFS-11418:
------------------------------
    Resolution: Fixed
    Fix Version/s: 2.9.0
    Status: Resolved (was: Patch Available)

Committed to branch-2.

Thanks [~xiaochen] and [~eddyxu] for the review!

Filed HDFS-11485 "HttpFS should warn about weak ssl ciphers" to follow up Eddy's suggestion.

> HttpFS should support old SSL clients
> -------------------------------------
>
> Key: HDFS-11418
> URL: https://issues.apache.org/jira/browse/HDFS-11418
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: httpfs
> Affects Versions: 2.8.0, 2.7.4, 2.6.6
> Reporter: John Zhuge
> Assignee: John Zhuge
> Priority: Minor
> Fix For: 2.9.0
>
> Attachments: HDFS-11418.branch-2.001.patch, HDFS-11418.branch-2.002.patch, HDFS-11418.branch-2.003.patch
>
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL
> clients such as curl stop working. The symptom is {{NSS error -12286}} when
> running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to
> explicitly allow enough weak ciphers so that old SSL clients can work.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)

To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients
[ https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Zhuge updated HDFS-11418:
------------------------------
    Attachment: HDFS-11418.branch-2.003.patch

Patch branch-2.003
* Fix the issue similar to HADOOP-14131
[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients
[ https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Zhuge updated HDFS-11418:
------------------------------
    Target Version/s: 2.9.0 (was: 2.8.0, 2.7.4, 2.6.6)
[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients
[ https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Zhuge updated HDFS-11418:
------------------------------
    Status: Patch Available (was: Open)
[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients
[ https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Zhuge updated HDFS-11418:
------------------------------
    Status: Open (was: Patch Available)
[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients
[ https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Zhuge updated HDFS-11418:
------------------------------
    Attachment: HDFS-11418.branch-2.002.patch

Patch branch-2.002
- Use file catalina.properties to transfer HttpFS properties instead of env CATALINA_OPTS
- Create catalina-default.properties to store default Tomcat properties
- Update doc

TODO
- Discuss Allen's idea of strong security by default

Follow up in a new JIRA
- Refactor HttpFS scripts based on catalina.properties technique

Testing done
- Run https://github.com/jzhuge/hadoop-bats-tests/blob/master/httpfs.bats in insecure and SSL single node setup
- Run sslscan to verify ciphers in the following test cases:
-- No HTTPFS_SSL_CIPHERS, to allow HttpFS default ciphers
-- HTTPFS_SSL_CIPHERS="TLS_RSA_WITH_AES_128_CBC_SHA256", to allow this cipher only
[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients
[ https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Zhuge updated HDFS-11418:
------------------------------
    Attachment: HDFS-11418.branch-2.001.patch

Patch branch-2.001
* Add env HTTPFS_SSL_CIPHERS, default to a list of selected ciphers
* Configure Tomcat to accept a list of ciphers

TODO
* Discuss Allen's idea of strong security by default

Testing done
* hadoop-hdfs-httpfs unit tests
* Verify HTTPFS_SSL_CIPHERS value on stdout during httpfs startup
* Run https://github.com/jzhuge/hadoop-bats-tests/blob/master/httpfs.bats in insecure, SSL, and SSL+Kerberos single node setup
* Sslscan result should include only listed ciphers
* On CentOS 6.6, run the following curl command. Expect {{NSS error -12286}} without the fix.
{noformat}
curl -v -k --negotiate -u: -sS 'https://HTTPFS_HOST:14000/webhdfs/v1/?op=liststatus'
{noformat}
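Added example, not part of the thread or of the HttpFS patches: a POSIX shell audit of a comma-separated JSSE cipher list, such as the value of HTTPFS_SSL_CIPHERS, that flags entries to review before they are allowed for old clients. The function names, verdict labels, classification rules and sample list are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a comma-separated JSSE cipher list (the format of
# HTTPFS_SSL_CIPHERS). Rules and labels below are this example's assumptions,
# not HttpFS or Tomcat code.

# classify_cipher NAME -> prints "ok", "weak:<reason>" or "review:<reason>"
classify_cipher() {
  case "$1" in
    *_NULL_*|*_anon_*)      echo "weak:no-encryption-or-auth" ;;
    *_EXPORT_*)             echo "weak:export-grade" ;;
    *_RC4_*)                echo "weak:rc4" ;;
    *_DES_CBC_*|*_DES40_*)  echo "weak:single-des" ;;
    *_3DES_*)               echo "weak:3des-64bit-block" ;;
    *_MD5)                  echo "weak:md5-mac" ;;
    TLS_RSA_*|SSL_RSA_*)    echo "review:no-forward-secrecy" ;;
    *)                      echo "ok" ;;
  esac
}

# audit_ciphers "A,B,C" -> one "NAME<TAB>verdict" line per entry.
# Returns 1 if any entry is not "ok", 0 otherwise.
audit_ciphers() {
  rc=0
  old_ifs=$IFS
  IFS=,
  set -f                                   # no glob expansion while splitting
  for c in $1; do
    c=$(printf '%s' "$c" | tr -d ' \t\n')  # tolerate "A, B" and wrapped lists
    [ -n "$c" ] || continue                # skip empty entries ("A,,B")
    v=$(classify_cipher "$c")
    printf '%s\t%s\n' "$c" "$v"
    [ "$v" = ok ] || rc=1
  done
  set +f
  IFS=$old_ifs
  return $rc
}

# Constructed sample list for illustration (not the HttpFS default list).
SAMPLE="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_RC4_128_SHA"

audit_ciphers "${HTTPFS_SSL_CIPHERS:-$SAMPLE}" ||
  echo "cipher list contains entries to review" >&2
```

The audit only inspects the configured names; a scan of the running listener, as in the sslscan step above, is still what confirms which ciphers the server actually negotiates.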
[jira] [Updated] (HDFS-11418) HttpFS should support old SSL clients
[ https://issues.apache.org/jira/browse/HDFS-11418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John Zhuge updated HDFS-11418:
------------------------------
    Status: Patch Available (was: Open)