Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2016/11/16 18:39:58 UTC
[jira] [Updated] (AMBARI-18910) SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up
[ https://issues.apache.org/jira/browse/AMBARI-18910?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Levas updated AMBARI-18910:
----------------------------------
Attachment: AMBARI-18910_branch-2.5_01.patch
AMBARI-18910_branch-2.4_01.patch
> SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up
> --------------------------------------------------------------------------------------
>
> Key: AMBARI-18910
> URL: https://issues.apache.org/jira/browse/AMBARI-18910
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.4.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Critical
> Fix For: 2.4.2
>
> Attachments: AMBARI-18910_branch-2.4_01.patch, AMBARI-18910_branch-2.5_01.patch
>
>
> SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up.
> Currently the following protocols are explicitly enabled:
> * {{SSLv2Hello}}
> * {{TLSv1}}
> {code:title=org/apache/ambari/server/controller/AmbariServer.java:718}
> factory.setIncludeProtocols(new String[] { "SSLv2Hello","TLSv1"});
> {code}
> However the following protocols should be enabled by default:
> * {{SSLv2Hello}}
> * {{TLSv1}}
> * {{TLSv1.1}}
> * {{TLSv1.2}}
> * {{SSLv3}}
> {code:title=Example}
> factory.setIncludeProtocols(new String[] {"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
> {code}
> Once set, the protocols may be filtered out using the {{security.server.disabled.protocols}} property from the ambari.properties file. For example:
> {code:title=Disables TLSv1, TLSv1.1, and SSLv2Hello}
> security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello
> {code}
> The availability of a particular protocol may be tested using the OpenSSL s_client facility.
> {noformat:title=Example: Test for TLSv1.2}
> openssl s_client -connect localhost:8440 -tls1_2
> {noformat}
> {noformat:title=Example successful result}
> CONNECTED(00000003)
> depth=0 C = XX, L = Default City, O = Default Company Ltd
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = XX, L = Default City, O = Default Company Ltd
> verify return:1
> ---
> Certificate chain
> 0 s:/C=XX/L=Default City/O=Default Company Ltd
> i:/C=XX/L=Default City/O=Default Company Ltd
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MII…
> -----END CERTIFICATE-----
> subject=/C=XX/L=Default City/O=Default Company Ltd
> issuer=/C=XX/L=Default City/O=Default Company Ltd
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, secp521r1, 521 bits
> ---
> SSL handshake has read 2248 bytes and written 441 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID: 5829F75B49C2FED58C60CB7663181B39BCA3AF473F253EDB4BA04D827B9D58BA
> Session-ID-ctx:
> Master-Key: 46301FB9B4263547C62F8C793380319DC60A10C1D077C7DAB52D328B12D1FB4B868EE5131CD7F62917C02866196317B8
> Key-Arg : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1479145307
> Timeout : 7200 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> {noformat}
> {noformat:title=Example failure result}
> CONNECTED(00000003)
> 140518067173192:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> Key-Arg : None
> Krb5 Principal: None
> PSK identity: None
> PSK identity hint: None
> Start Time: 1479145122
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> ---
> {noformat}
> Note: This does not address the agent-side issue of connecting to an Ambari server where TLSv1 is disabled. See AMBARI-17666.
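As an added example (not code from the Ambari project or from the issue above), the two pieces described in the issue modelled in Python: the include list minus the pipe-separated {{security.server.disabled.protocols}} value, and a check that classifies {{openssl s_client}} output. The filter semantics (explicit include list, then removal of the disabled entries) are an assumption drawn from the description, and the transcripts are constructed, abbreviated copies of the success and failure output shown above.

```python
import re

# Protocols the issue proposes enabling explicitly by default in AmbariServer.java.
DEFAULT_INCLUDE_PROTOCOLS = ("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def effective_protocols(disabled_property, include=DEFAULT_INCLUDE_PROTOCOLS):
    """Apply a security.server.disabled.protocols value (pipe-separated, as in
    ambari.properties) to the explicitly included list. Order is kept; blank
    entries and surrounding whitespace are ignored. This models the behaviour
    the issue describes (assumption), not Ambari's own implementation."""
    disabled = {p.strip() for p in (disabled_property or "").split("|") if p.strip()}
    return [p for p in include if p not in disabled]


def negotiated_protocol(s_client_output):
    """Return the protocol an `openssl s_client` run negotiated, or None if the
    handshake failed. The failure transcript in the issue still prints
    'Protocol : TLSv1.2' and 'Verify return code: 0 (ok)', so a check must key
    on the handshake error or the '(NONE)' cipher line, not on those lines."""
    if re.search(r"ssl handshake failure|Cipher is \(NONE\)", s_client_output):
        return None
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)\s*$", s_client_output, re.MULTILINE)
    return m.group(1) if m else None


# Constructed, abbreviated transcripts mirroring the output shown in the issue.
SUCCESS_SAMPLE = """CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
"""

FAILURE_SAMPLE = """CONNECTED(00000003)
140518067173192:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    print(effective_protocols("TLSv1.1|TLSv1|SSLv2Hello"))  # ['SSLv3', 'TLSv1.2']
    print(negotiated_protocol(SUCCESS_SAMPLE))              # TLSv1.2
    print(negotiated_protocol(FAILURE_SAMPLE))              # None
```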
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)