You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@hbase.apache.org by "Mate Szalay-Beko (Jira)" <ji...@apache.org> on 2021/06/10 13:50:00 UTC

[jira] [Created] (HBASE-25993) Make excluded cipher suites configurable for all Web UIs

Mate Szalay-Beko created HBASE-25993:
----------------------------------------

             Summary: Make excluded cipher suites configurable for all Web UIs
                 Key: HBASE-25993
                 URL: https://issues.apache.org/jira/browse/HBASE-25993
             Project: HBase
          Issue Type: Improvement
    Affects Versions: 2.4.4, 2.3.5, 2.2.7, 3.0.0-alpha-1, 2.5.0
            Reporter: Mate Szalay-Beko
            Assignee: Mate Szalay-Beko


When starting a jetty http server, one can explicitly exclude certain (unsecure) SSL cipher suites. This can be especially important, when the HBase cluster needs to be compliant with security regulations (e.g. FIPS).

Currently it is possible to set the excluded ciphers for the ThriftServer ("hbase.thrift.ssl.exclude.cipher.suites") or for the RestServer ("hbase.rest.ssl.exclude.cipher.suites"), but one can not configure it for the regular InfoServer started by e.g. the master or region servers.

In this commit I want to introduce a new configuration "ssl.server.exclude.cipher.list" to configure the excluded cipher suites for the http server started by the InfoServer. This parameter has the same name and will work in the same way, as it was already implemented in hadoop (e.g. for hdfs/yarn). See: HADOOP-12668, HADOOP-14341



--
This message was sent by Atlassian Jira
(v8.3.4#803005)