You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Attila Magyar (JIRA)" <ji...@apache.org> on 2017/03/27 12:07:41 UTC
[jira] [Created] (AMBARI-20583) Allow for larger Ephemeral DH Keys
in Ambari server running on JVM versions 1.8 and above
Attila Magyar created AMBARI-20583:
--------------------------------------
Summary: Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 1.8 and above
Key: AMBARI-20583
URL: https://issues.apache.org/jira/browse/AMBARI-20583
Project: Ambari
Issue Type: Task
Components: ambari-server
Reporter: Attila Magyar
Assignee: Attila Magyar
Allow for larger Ephemeral DH Keys in Ambari server running on JVM versions 1.8 and above.
This can already be done by manually editing the ambari-env.sh file (/var/lib/ambari-server/ambari-env.sh) and adding the following to the AMBARI_JVM_ARGS environment variable:
-Djdk.tls.ephemeralDHKeySize=2048
The jdk.tls.ephemeralDHKeySize property is only available in Java VM versions 1.8 and above. However it may not be supported in by all Java vendors. Both Oracle and OpenJDK JVM appear to support it.
See https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys for more information.
To help users set this value, Ambari should provide a property in the ambari.properties file. If a supported JVM is in use, Ambari should internally set the System property (before creating the embedded web server) as specified by the user. A possible Ambari property name could be security.server.tls.ephemeral_dh_key_size. If not set, it's default value should be 2048.
To test the Ephemeral DH key size, the OpenSSL s_client utility may be used to query the Ambari server's HTTPS port(s):
openssl s_client -connect `hostname -f`:8441 -cipher "EDH"
CONNECTED(00000003)
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify return:1
---
Certificate chain
0 s:/C=XX/L=Default City/O=Default Company Ltd
i:/C=XX/L=Default City/O=Default Company Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd
issuer=/C=XX/L=Default City/O=Default Company Ltd
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2374 bytes and written 335 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 58D28ED880FDAEA00E20CC7C93875616C6608DA39D3F673168D0243E3E8D2269
Session-ID-ctx:
Master-Key: 141A9B0C116097DBD01C437BD19536CAC7E0174877DA95D63345D17C1BB238A74142767FCE74C1FE33B01936020B468A
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1490194136
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
Notice Server Temp Key: DH, 1024 bits.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)