Posted to dev@ranger.apache.org by "Ayub Khan (JIRA)" <ji...@apache.org> on 2017/04/06 17:34:41 UTC

[jira] [Commented] (RANGER-1500) Add support to exclude/disable SSL protocols.

    [ https://issues.apache.org/jira/browse/RANGER-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15959382#comment-15959382 ] 

Ayub Khan commented on RANGER-1500:
-----------------------------------

Looking at the Ranger code, I understood that the Tomcat Catalina connector is used for SSL configuration.

Below is my understanding:
HTTPS connector parameter sslProtocol defines which SSL/TLS protocols are enabled by default.
e.g. for Oracle JDK 7: 
1) setProtocol="TLS" will enable SSLv3 and TLSv1 
2) setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2
3) setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1 
4) setProtocol="TLSv1" will enable SSLv3 and TLSv1 
5) setProtocol="SSL" will enable SSLv3 and TLSv1 
6) setProtocol="SSLv3" will enable SSLv3 and TLSv1 
7) setProtocol="SSLv2" won't work

Note that even if some protocol is not enabled by default, it can be enabled by specifying the sslEnabledProtocols parameter.
So in the Ranger code, in order to restrict the available protocols to TLSv1.2 only, a simple fix is to change the sslEnabledProtocols parameter value from "SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2" to "TLSv1.2" here (https://github.com/apache/ranger/blob/ranger-0.7/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java#L151).

The configuration looks like this after making the above change: sslProtocol="SSL" sslEnabledProtocols="TLSv1.2".
Is my understanding correct?

> Add support to exclude/disable SSL protocols.
> ---------------------------------------------
>
>                 Key: RANGER-1500
>                 URL: https://issues.apache.org/jira/browse/RANGER-1500
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 0.7.0
>            Reporter: Ayub Khan
>            Priority: Critical
>             Fix For: 1.0.0, 0.7.1
>
>
> Add support to disable/exclude weaker SSL protocols like TLSv1, TLSv1.1 for ranger.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
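
The distinction drawn in the comment above, between the protocol name that selects the SSL context and the list of protocols actually enabled, can be checked against JSSE on the JVM in use. This is an added example, not code from the original message, Ranger or Tomcat; the class and method names are hypothetical, and it assumes the connector's sslProtocol value reaches SSLContext.getInstance() and its sslEnabledProtocols value reaches setEnabledProtocols().

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added illustration; names are hypothetical, not Ranger or Tomcat code.
public class EnabledProtocolsCheck {

    // Server-mode engine from a context chosen by name (assumed role of sslProtocol).
    static SSLEngine serverEngine(String contextProtocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextProtocol);
        ctx.init(null, null, null); // default managers; no handshake is performed
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        return engine;
    }

    // Apply an allow-list (assumed role of sslEnabledProtocols): keep only names
    // this JVM supports and refuse to continue if nothing usable is left.
    static String[] restrict(SSLEngine engine, String... allowList) {
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> keep = new ArrayList<>();
        for (String p : allowList) {
            if (supported.contains(p)) keep.add(p);
            else System.err.println("  ignored, not supported by this JVM: " + p);
        }
        if (keep.isEmpty()) throw new IllegalStateException("no usable protocol in allow-list");
        engine.setEnabledProtocols(keep.toArray(new String[0]));
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"SSL", "TLS", "TLSv1.2"}) {
            SSLEngine engine;
            try {
                engine = serverEngine(name);
            } catch (NoSuchAlgorithmException e) {
                System.out.println(name + ": context not available on this JVM");
                continue;
            }
            System.out.println(name + " enabled by default: " + Arrays.toString(engine.getEnabledProtocols()));
            String[] after = restrict(engine, "TLSv1.2");
            System.out.println(name + " after allow-list:   " + Arrays.toString(after));
            if (!Arrays.equals(after, new String[] {"TLSv1.2"}))
                throw new AssertionError(name + ": unexpected protocols still enabled");
        }
    }
}
```

The default-enabled list printed for each context name depends on the JDK version and its security properties, so run it on the same JVM that hosts the server.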