Ahmed Hussein created HADOOP-17367:
--------------------------------------
Summary: Improve TLS/SSL default settings for security and
performance
Key: HADOOP-17367
URL: https://issues.apache.org/jira/browse/HADOOP-17367
Project: Hadoop Common
Issue Type: Bug
Reporter: Ahmed Hussein
Assignee: Ahmed Hussein
[~kihwal] reported that {{HttpServer2}} is still accepting TLS 1.1 or 1.0.
These are only rejected when the java security setting excludes them. The
expensive algorithms arte still being used.
{code:bash}
main, WRITE: TLSv1.2 Handshake, length = 239
main, READ: TLSv1.2 Handshake, length = 1508
*** ServerHello, TLSv1.2
...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
{code}
SSLFactory calls {{sslEngine.setEnabledCipherSuites()}} to set enabled ciphers.
Apparently this does not disable unincluded ciphers, so SSLFactory's cipher
disabling feature does not work. Or it could be jetty's undoing.
Jetty9 introduced SSLContextFactory. Following methods can be used.
{code:java}
setExcludeCipherSuites()
setExcludeProtocols()
setIncludeCipherSuites()
setIncludeProtocols()
{code}
SSLFactory is not used by HttpServer2. It is only used by
{{DatanodeHttpServer}} and {{ShuffleHandler}}. The reloading feature is also
broken for the same reason.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
