You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Sumit Mohanty (JIRA)" <ji...@apache.org> on 2017/04/21 17:59:04 UTC
[jira] [Updated] (AMBARI-17666) Ambari agent can't start when TLSv1
is disabled in Java security
[ https://issues.apache.org/jira/browse/AMBARI-17666?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sumit Mohanty updated AMBARI-17666:
-----------------------------------
Fix Version/s: 2.4.3
> Ambari agent can't start when TLSv1 is disabled in Java security
> ----------------------------------------------------------------
>
> Key: AMBARI-17666
> URL: https://issues.apache.org/jira/browse/AMBARI-17666
> Project: Ambari
> Issue Type: Bug
> Components: ambari-agent
> Affects Versions: 2.2.0
> Reporter: Tuong Truong
> Assignee: Dmitry Lysnichenko
> Labels: security
> Fix For: 2.5.0, 2.4.3
>
> Attachments: AMBARI-17666_test_trunk.patch
>
>
> Currently, the commit for https://issues.apache.org/jira/browse/AMBARI-14236 explicit force the SSL protocol to TLSv1 in ambari-agent/src/main/python/ambari_agent/alerts/web_alert.py. Unfortunate, this setting in effect whenever web_alert pacackged is loaded (ambari-agent/src/main/python/ambari_agent/AlertSchedulerHandler.py) regardless whether ssl is used or not.
> As a result, disabling TLSv1 in Ambari server will cause the agent to fail to start.
> Recreate:
> In Ambari's acitve JDK on Ambari server node, in java.security file, set jdk.tls.disabledAlgorithms=MD5, SSLv2, SSLv3, TLSv1, DSA, RC4, RSA keySize < 2048
> restart ambari-server, and you will see errors in ambari agent logs:
> ERROR 2016-07-11 15:11:15,269 NetUtil.py:84 - [Errno 8] _ssl.c:492: EOF occurred in violation of protocol
> ERROR 2016-07-11 15:11:15,269 NetUtil.py:85 - SSLError: Failed to connect. Please check openssl library versions.
> Refer to: https://bugzilla.redhat.com/show_bug.cgi?id=1022468 for more details.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)