Posted to issues@ambari.apache.org by "Attila Magyar (JIRA)" <ji...@apache.org> on 2017/03/27 12:07:41 UTC

[jira] [Created] (AMBARI-20583) Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 1.8 and above

Attila Magyar created AMBARI-20583:
--------------------------------------

             Summary: Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 1.8 and above
                 Key: AMBARI-20583
                 URL: https://issues.apache.org/jira/browse/AMBARI-20583
             Project: Ambari
          Issue Type: Task
          Components: ambari-server
            Reporter: Attila Magyar
            Assignee: Attila Magyar


Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 1.8 and above.
This can already be done by manually editing the ambari-env.sh file (/var/lib/ambari-server/ambari-env.sh) and adding the following to the AMBARI_JVM_ARGS environment variable:
-Djdk.tls.ephemeralDHKeySize=2048
The jdk.tls.ephemeralDHKeySize property is only available in Java VM versions 1.8 and above. However, it may not be supported by all Java vendors. Both the Oracle and OpenJDK JVMs appear to support it.
See https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys for more information.
To help users set this value, Ambari should provide a property in the ambari.properties file. If a supported JVM is in use, Ambari should internally set the System property (before creating the embedded web server) to the value specified by the user. A possible Ambari property name could be security.server.tls.ephemeral_dh_key_size. If not set, its default value should be 2048.
To test the Ephemeral DH key size, the OpenSSL s_client utility may be used to query the Ambari server's HTTPS port(s):
openssl s_client -connect `hostname -f`:8441 -cipher "EDH"
CONNECTED(00000003)
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify return:1
---
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd
   i:/C=XX/L=Default City/O=Default Company Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd
issuer=/C=XX/L=Default City/O=Default Company Ltd
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2374 bytes and written 335 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 58D28ED880FDAEA00E20CC7C93875616C6608DA39D3F673168D0243E3E8D2269
    Session-ID-ctx:
    Master-Key: 141A9B0C116097DBD01C437BD19536CAC7E0174877DA95D63345D17C1BB238A74142767FCE74C1FE33B01936020B468A
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1490194136
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
Notice Server Temp Key: DH, 1024 bits.
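The following shell script is an added example, not Ambari project code. It covers both halves of the issue: deriving the -Djdk.tls.ephemeralDHKeySize argument for AMBARI_JVM_ARGS from an ambari.properties-style setting (using the proposed property name security.server.tls.ephemeral_dh_key_size and the 2048 default, and only when the JVM reports 1.8 or newer), and checking the "Server Temp Key: DH, N bits" line of openssl s_client output against a minimum. The properties file path, the version strings and the sample handshake text are constructed for the example; the sample mirrors the 1024-bit line in the output above.

```shell
#!/bin/sh
# Added example (not Ambari project code). Assumptions: the property name
# security.server.tls.ephemeral_dh_key_size proposed in the issue, a default of
# 2048 bits, and constructed sample inputs.

DEFAULT_DH_KEY_SIZE=2048

# Print the configured key size from a properties file; fall back to the default
# when the file is missing or the key is absent.
ephemeral_dh_key_size() {
    props_file="$1"
    value=$(sed -n 's/^security\.server\.tls\.ephemeral_dh_key_size[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$props_file" 2>/dev/null | tail -n 1)
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$DEFAULT_DH_KEY_SIZE"
    fi
}

# Return 0 if a java version string ("1.8.0_121", "11.0.2", ...) denotes a JVM of
# 1.8 or newer, where jdk.tls.ephemeralDHKeySize is available.
jvm_supports_ephemeral_dh() {
    version="$1"
    major=${version%%.*}
    if [ "$major" = "1" ]; then
        rest=${version#1.}
        minor=${rest%%.*}
        [ "$minor" -ge 8 ]
    else
        [ "$major" -ge 8 ]
    fi
}

# Emit the argument to append to AMBARI_JVM_ARGS, or nothing on an unsupported JVM.
ephemeral_dh_jvm_arg() {
    props_file="$1"
    java_version="$2"
    if jvm_supports_ephemeral_dh "$java_version"; then
        printf '%s\n' "-Djdk.tls.ephemeralDHKeySize=$(ephemeral_dh_key_size "$props_file")"
    fi
}

# Read openssl s_client output on stdin and print the DH temp key size in bits.
# Prints nothing when no DH line is present (e.g. an ECDH temp key was negotiated).
server_temp_dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p' | head -n 1
}

# Return 0 when the handshake's DH temp key meets the minimum size, 1 otherwise.
check_dh_key_size() {
    min_bits="$1"
    bits=$(server_temp_dh_bits)
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]
}

# Constructed sample: the relevant lines of an s_client run against a server that
# still negotiates a 1024-bit DH temp key, as in the report above.
SAMPLE_WEAK_HANDSHAKE='No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2374 bytes and written 335 bytes'

# Usage against a live server (adjust host and port; -cipher "EDH" forces a DHE
# suite so the DH temp key is exercised):
#   openssl s_client -connect "$(hostname -f)":8441 -cipher "EDH" </dev/null 2>/dev/null \
#       | check_dh_key_size 2048 && echo "DH temp key OK" || echo "DH temp key too small"
```

Because the check matches only the "DH" form of the Temp Key line, a server that negotiates an ECDHE suite reports nothing and fails the check; the -cipher "EDH" restriction used in the report above avoids that by forcing a DHE suite.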



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)