Posted to common-issues@hadoop.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2016/02/18 00:02:18 UTC

[jira] [Updated] (HADOOP-12817) Enable TLS v1.1 and 1.2

     [ https://issues.apache.org/jira/browse/HADOOP-12817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Kanter updated HADOOP-12817:
-----------------------------------
    Attachment: HADOOP-12817.001.patch

I verified the changes by probing the shuffle port with openssl s_client after enabling encrypted shuffle: before the patch, TLSv1.1 and TLSv1.2 handshakes fail with "wrong version number", and after the patch both versions negotiate successfully.

{noformat:title=TLSv1.1 before}
[root@rkanter-z ~]# openssl s_client -connect rkanter-z.vpc.cloudera.com:13562 -tls1_1
CONNECTED(00000003)
139747317544776:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1455749132
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
{noformat}

{noformat:title=TLSv1.1 after}
[root@rkanter-z jars]# openssl s_client -connect rkanter-z.vpc.cloudera.com:13562 -tls1_1
CONNECTED(00000003)
depth=0 O = Hadoop, CN = rkanter-z.vpc.cloudera.com
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Hadoop, CN = rkanter-z.vpc.cloudera.com
verify return:1
---
Certificate chain
 0 s:/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
   i:/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
issuer=/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 1357 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 56C4F9645E5BD9F826F4A77B1382BF4E4EFE93EDF81D030B27A45937A5E9447F
    Session-ID-ctx:
    Master-Key: 2DE6931DC740F4A3430A34FA28333BEAD19EAEC64F980FF598589A33D47B3620F99624901F2F5CF454FEDCF394A02C21
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1455749476
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
{noformat}


{noformat:title=TLSv1.2 before}
[root@rkanter-z ~]# openssl s_client -connect rkanter-z.vpc.cloudera.com:13562 -tls1_2
CONNECTED(00000003)
140717584258888:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1455749158
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
{noformat}

{noformat:title=TLSv1.2 after}
[root@rkanter-z jars]# openssl s_client -connect rkanter-z.vpc.cloudera.com:13562 -tls1_2
CONNECTED(00000003)
depth=0 O = Hadoop, CN = rkanter-z.vpc.cloudera.com
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Hadoop, CN = rkanter-z.vpc.cloudera.com
verify return:1
---
Certificate chain
 0 s:/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
   i:/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
issuer=/O=Hadoop/CN=rkanter-z.vpc.cloudera.com
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 1391 bytes and written 499 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 56C4F9800BF1838DC6196C712E31DEECBC1AF7411BCA9BCDDE0E2BEE5B7DC41C
    Session-ID-ctx:
    Master-Key: 1C6E5AC1951B8FDDFC39C17A152E212F957007D301EF26334EBA7DCB3F1AE0C8AF22B72ABCB4BFD06BB4A59F23AD7841
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1455749504
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
{noformat}

> Enable TLS v1.1 and 1.2
> -----------------------
>
>                 Key: HADOOP-12817
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12817
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>         Attachments: HADOOP-12817.001.patch
>
>
> Java 7 supports TLSv1.1 and TLSv1.2, which are more secure than TLSv1 (the only version Java 6 supported), so we should add them to the default list for {{hadoop.ssl.enabled.protocols}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)