Posted to common-commits@hadoop.apache.org by ka...@apache.org on 2014/11/05 01:53:55 UTC
[2/3] git commit: HADOOP-11243. SSLFactory shouldn't allow SSLv3.
(Wei Yan via kasha)
HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)
(cherry picked from commit 3c5f5af1184e85158dec962df0b0bc2be8d0d1e3)
(cherry picked from commit d8212c0b7e3d6873a18cdb94b1ac6ab6cf2c0fd2)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/3fbf5876
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/3fbf5876
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/3fbf5876
Branch: refs/heads/branch-2.5
Commit: 3fbf587615374778fe7b78e0e6a043aa23293bac
Parents: 112b469
Author: Karthik Kambatla <ka...@apache.org>
Authored: Tue Oct 28 18:03:00 2014 -0700
Committer: Karthik Kambatla <ka...@apache.org>
Committed: Tue Nov 4 16:44:07 2014 -0800
----------------------------------------------------------------------
.../java/org/apache/hadoop/security/ssl/SSLFactory.java | 12 +++++++++++-
.../hadoop-common/src/main/resources/core-default.xml | 8 ++++++++
.../src/site/apt/EncryptedShuffle.apt.vm | 2 ++
3 files changed, 21 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/3fbf5876/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
index c118948..f0ef58f 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java
@@ -66,6 +66,10 @@ public class SSLFactory implements ConnectionConfigurator {
public static final String KEYSTORES_FACTORY_CLASS_KEY =
"hadoop.ssl.keystores.factory.class";
+ public static final String SSL_ENABLED_PROTOCOLS =
+ "hadoop.ssl.enabled.protocols";
+ public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1";
+
private Configuration conf;
private Mode mode;
private boolean requireClientCert;
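Review bot: `DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1"` makes TLSv1 the only protocol enabled out of the box, so on a runtime that offers TLSv1.1 and TLSv1.2 (the apt.vm row in this commit says JDK7+ does) the default also switches those off, not just SSLv3; core-default.xml and EncryptedShuffle.apt.vm carry the same value. If a single-version default is kept for JDK6 compatibility, that reasoning should be stated on the constant, which currently has no Javadoc, e.g. `/** Default for {@link #SSL_ENABLED_PROTOCOLS}: TLSv1 only, the widest version every supported JDK accepts; operators on JDK7+ should list TLSv1.1/TLSv1.2 too. */`. `SSL_ENABLED_PROTOCOLS` likewise needs a one-line Javadoc saying it is a comma-separated list handed to `SSLEngine.setEnabledProtocols`, so anything not listed (notably SSLv3) is refused.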
@@ -73,6 +77,8 @@ public class SSLFactory implements ConnectionConfigurator {
private HostnameVerifier hostnameVerifier;
private KeyStoresFactory keystoresFactory;
+ private String[] enabledProtocols = null;
+
/**
* Creates an SSLFactory.
*
@@ -94,6 +100,9 @@ public class SSLFactory implements ConnectionConfigurator {
= conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
FileBasedKeyStoresFactory.class, KeyStoresFactory.class);
keystoresFactory = ReflectionUtils.newInstance(klass, sslConf);
+
+ enabledProtocols = conf.getStrings(SSL_ENABLED_PROTOCOLS,
+ DEFAULT_SSL_ENABLED_PROTOCOLS);
}
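Review bot: The value read by `conf.getStrings(SSL_ENABLED_PROTOCOLS, DEFAULT_SSL_ENABLED_PROTOCOLS)` is never validated, and if I recall Hadoop's `Configuration.getStrings` correctly a property set to an empty string yields `null` rather than the default, which then reaches `sslEngine.setEnabledProtocols` in the last hunk and fails there instead of at construction. A misconfigured protocol list should fail closed and early: `if (enabledProtocols == null || enabledProtocols.length == 0) {` / `  throw new IllegalArgumentException(SSL_ENABLED_PROTOCOLS + " must list at least one protocol");` / `}` right after the assignment. The enclosing constructor starts outside this hunk.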
private Configuration readSSLConfiguration(Mode mode) {
@@ -122,7 +131,7 @@ public class SSLFactory implements ConnectionConfigurator {
context = SSLContext.getInstance("TLS");
context.init(keystoresFactory.getKeyManagers(),
keystoresFactory.getTrustManagers(), null);
-
+ context.getDefaultSSLParameters().setProtocols(enabledProtocols);
hostnameVerifier = getHostnameVerifier(conf);
}
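Review bot: `context.getDefaultSSLParameters().setProtocols(enabledProtocols);` has no effect, because `SSLContext.getDefaultSSLParameters()` returns a copy of the context's parameters, so the setter mutates a throwaway object and sockets obtained from the context's socket factory keep negotiating the JDK's built-in protocol list, SSLv3 included where the JDK offers it. Only the `SSLEngine` path in the last hunk actually restricts protocols; whatever this class hands out as an `SSLSocketFactory` (outside this hunk, presumably the `HttpsURLConnection` client side) is not covered, so the commit does not fully achieve what its title claims. The line should be dropped and the socket factory wrapped so that every socket it creates gets `setEnabledProtocols(enabledProtocols)`; a sketch follows, with the factory-returning method returning `new ProtocolRestrictingSocketFactory(context.getSocketFactory(), enabledProtocols)`. The enclosing method starts outside this hunk.
```java
context.init(keystoresFactory.getKeyManagers(),
    keystoresFactory.getTrustManagers(), null);
// getDefaultSSLParameters() returns a copy, so the protocol list is applied
// per socket by ProtocolRestrictingSocketFactory instead.
hostnameVerifier = getHostnameVerifier(conf);

// … unchanged: rest of the class …

/** Applies the configured protocol list to every socket the delegate creates. */
private static final class ProtocolRestrictingSocketFactory extends SSLSocketFactory {
  private final SSLSocketFactory delegate;
  private final String[] protocols;

  ProtocolRestrictingSocketFactory(SSLSocketFactory delegate, String[] protocols) {
    this.delegate = delegate;
    this.protocols = protocols.clone();
  }

  private Socket restrict(Socket s) {
    if (s instanceof SSLSocket) {
      ((SSLSocket) s).setEnabledProtocols(protocols);
    }
    return s;
  }

  @Override
  public Socket createSocket(Socket s, String host, int port, boolean autoClose)
      throws IOException {
    return restrict(delegate.createSocket(s, host, port, autoClose));
  }

  // … remaining createSocket overloads and getDefault/SupportedCipherSuites delegate the same way, each wrapped in restrict(...) …
}
```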
@@ -181,6 +190,7 @@ public class SSLFactory implements ConnectionConfigurator {
sslEngine.setUseClientMode(false);
sslEngine.setNeedClientAuth(requireClientCert);
}
+ sslEngine.setEnabledProtocols(enabledProtocols);
return sslEngine;
}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/3fbf5876/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index 2560056..a126417 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -1285,6 +1285,14 @@ for ldap providers in the same way as above does.
</property>
<property>
+ <name>hadoop.ssl.enabled.protocols</name>
+ <value>TLSv1</value>
+ <description>
+ Protocols supported by the ssl.
+ </description>
+</property>
+
+<property>
<name>hadoop.jetty.logs.serve.aliases</name>
<value>true</value>
<description>
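Review bot: The description `Protocols supported by the ssl.` does not tell an operator what the value is or what is excluded by it. Suggest `Comma-separated list of TLS/SSL protocol versions that SSLFactory enables (for example TLSv1,TLSv1.1,TLSv1.2 on JDK7+); any version not listed, such as SSLv3, is refused.` The corresponding row added to EncryptedShuffle.apt.vm in this commit could use the same wording so the two descriptions agree.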
http://git-wip-us.apache.org/repos/asf/hadoop/blob/3fbf5876/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
----------------------------------------------------------------------
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
index e766cbc..da412df 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/apt/EncryptedShuffle.apt.vm
@@ -54,6 +54,8 @@ Hadoop MapReduce Next Generation - Encrypted Shuffle
*--------------------------------------+---------------------+-----------------+
| <<<hadoop.ssl.client.conf>>> | <<<ss-client.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
*--------------------------------------+---------------------+-----------------+
+| <<<hadoop.ssl.enabled.protocols>>> | <<<TLSv1>>> | The supported SSL protocols (JDK6 can use <<TLSv1>>, JDK7+ can use <<TLSv1,TLSv1.1,TLSv1.2>>) |
+*--------------------------------------+---------------------+-----------------+
<<IMPORTANT:>> Currently requiring client certificates should be set to false.
Refer the {{{ClientCertificates}Client Certificates}} section for details.