[ https://issues.apache.org/jira/browse/YARN-2722?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wei Yan updated YARN-2722:
--------------------------
    Attachment: YARN-2722-1.patch

This patch creates a whitelist {"TLSv1.2", "TLSv1.1", "TLSv1"} for the 
SSLFactory. Have verified with the ShuffleHandler (port 13562).
{code:title=Without fix}
$ openssl s_client -connect localhost:13562 -ssl3
CONNECTED(00000003)
depth=0 CN = *.ent.cloudera.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = *.ent.cloudera.com
verify return:1
---
Certificate chain
 0 s:/CN=*.ent.cloudera.com
   i:/CN=*.ent.cloudera.com
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/CN=*.ent.cloudera.com
issuer=/CN=*.ent.cloudera.com
---
No client certificate CA names sent
---
SSL handshake has read 1239 bytes and written 288 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-DES-CBC3-SHA
    Session-ID: 5446E4F74C3341F5AEA8CB827A5745A90AB8BF09765C4EDBBE57174314AEC901
    Session-ID-ctx:
    Master-Key: D6C5A557D188361EB4E25414C6360EC6835143D27572D7A0019213C2AD1758DDDD52C8F850D21B95DF334EC8B95D9FDB
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1413932279
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
q
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain; charset=UTF-8
name: mapreduce
version: 1.0.0

closed
{code}

{code:title=With Fix}
$ openssl s_client -connect localhost:13562 -ssl3
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1414013826
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
{code}
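The mechanism behind the whitelist, as an added illustration rather than the attached patch's code: SSLContext.getInstance("TLS") only selects a context, so the enabled protocol list of the sockets it produces must be pinned explicitly. The class and method names below are this example's own assumptions, and the whitelist is intersected with the runtime's supported protocols so a JDK that lacks an entry does not reject the call.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical helper (not from the YARN-2722 patch) showing how a protocol
// whitelist is applied to sockets created from a "TLS" SSLContext.
public class ProtocolWhitelist {
    // Same whitelist as the comment above; SSLv2Hello and SSLv3 are deliberately absent.
    static final String[] ENABLED_PROTOCOLS = {"TLSv1.2", "TLSv1.1", "TLSv1"};

    // Keep only whitelist entries the runtime supports: setEnabledProtocols throws
    // IllegalArgumentException if handed a name the provider does not know.
    static String[] filterSupported(String[] supported, String[] whitelist) {
        Set<String> known = new HashSet<>(Arrays.asList(supported));
        List<String> out = new ArrayList<>();
        for (String p : whitelist) {
            if (known.contains(p)) {
                out.add(p);
            }
        }
        return out.toArray(new String[0]);
    }

    // Pin the server socket's enabled protocols to the whitelist.
    static SSLServerSocket restrict(SSLServerSocket s) {
        s.setEnabledProtocols(filterSupported(s.getSupportedProtocols(), ENABLED_PROTOCOLS));
        return s;
    }

    public static void main(String[] args) throws Exception {
        // Same starting point as SSLFactory: "TLS" does not by itself exclude SSLv3.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default managers; enough to inspect protocol lists
        SSLServerSocket s =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0);
        System.out.println("default enabled: " + Arrays.toString(s.getEnabledProtocols()));
        restrict(s);
        System.out.println("after whitelist: " + Arrays.toString(s.getEnabledProtocols()));
        // Sanity check a deployment test could keep: no SSLv* protocol may remain enabled.
        for (String p : s.getEnabledProtocols()) {
            if (p.startsWith("SSLv")) {
                throw new IllegalStateException("legacy protocol still enabled: " + p);
            }
        }
        s.close();
    }
}
```

The same setEnabledProtocols call applies to SSLSocket and SSLEngine instances, which is where a server-side handler such as the shuffle service would pin the list.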

> Disable SSLv3 (POODLEbleed vulnerability) in YARN shuffle
> ---------------------------------------------------------
>
>                 Key: YARN-2722
>                 URL: https://issues.apache.org/jira/browse/YARN-2722
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Wei Yan
>            Assignee: Wei Yan
>         Attachments: YARN-2722-1.patch
>
>
> We should disable SSLv3 in HttpFS to protect against the POODLEbleed 
> vulnerability.
> See [CVE-2014-3566 
> |http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566]
> We have {{context = SSLContext.getInstance("TLS");}} in SSLFactory, but when 
> I checked, I could still connect with SSLv3.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
