You are viewing a plain text version of this content. The canonical link for it is here.
Posted to hdfs-dev@hadoop.apache.org by "Ying Zhang (Jira)" <ji...@apache.org> on 2021/02/06 14:24:00 UTC
[jira] [Created] (HDFS-15825) Update to enable TLS >=1.2 as default
secure protocols
Ying Zhang created HDFS-15825:
---------------------------------
Summary: Update to enable TLS >=1.2 as default secure protocols
Key: HDFS-15825
URL: https://issues.apache.org/jira/browse/HDFS-15825
Project: Hadoop HDFS
Issue Type: Improvement
Reporter: Ying Zhang
In file client/src/main/java/org/apache/abdera/protocol/client/util/SimpleSSLProtocolSocketFactory.java line 46, SSL protocol is used as a security protocol in statement *context = SSLContext.getInstance("SSL");*
*Impact:*
An SSL DDoS attack targets the SSL handshake protocol either by sending worthless data to the SSL server which will result in connection issues for legitimate users or by abusing the SSL handshake protocol itself.
*Suggestions:*
Upgrade the implementation to the “TLS”, and configure https.protocols JVM option to include TLSv1.2:
*Useful links:*
[https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https]
[https://www.appmarq.com/public/tqi,1039002,CWE-319-Avoid-using-Deprecated-SSL-protocols-to-secure-connection]
*Please share with us your opinions/comments if there is any:*
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-help@hadoop.apache.org