Posted to common-dev@hadoop.apache.org by "Ahmed Hussein (Jira)" <ji...@apache.org> on 2020/11/09 18:05:00 UTC
[jira] [Created] (HADOOP-17367) Improve TLS/SSL default settings for security and performance
Ahmed Hussein created HADOOP-17367:
--------------------------------------
Summary: Improve TLS/SSL default settings for security and performance
Key: HADOOP-17367
URL: https://issues.apache.org/jira/browse/HADOOP-17367
Project: Hadoop Common
Issue Type: Bug
Reporter: Ahmed Hussein
Assignee: Ahmed Hussein
[~kihwal] reported that {{HttpServer2}} is still accepting TLS 1.1 or 1.0. These are only rejected when the Java security setting excludes them. The expensive algorithms are still being used.
{code:bash}
main, WRITE: TLSv1.2 Handshake, length = 239
main, READ: TLSv1.2 Handshake, length = 1508
*** ServerHello, TLSv1.2
...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
{code}
SSLFactory calls {{sslEngine.setEnabledCipherSuites()}} to set enabled ciphers.
Apparently this does not disable unincluded ciphers, so SSLFactory's cipher disabling feature does not work. Or it could be Jetty's undoing.
Jetty9 introduced SSLContextFactory. The following methods can be used.
{code:java}
setExcludeCipherSuites()
setExcludeProtocols()
setIncludeCipherSuites()
setIncludeProtocols()
{code}
SSLFactory is not used by HttpServer2. It is only used by {{DatanodeHttpServer}} and {{ShuffleHandler}}. The reloading feature is also broken for the same reason.
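
An added example, not part of the original report or of Hadoop's code: a JDK-only check of which protocols and cipher suites an {{SSLEngine}} really has enabled after an allow-list is applied with {{setEnabledProtocols()}} and {{setEnabledCipherSuites()}}. The policy (TLS 1.2 and later, no CBC suites) and the class and method names are assumptions for illustration; the check inspects the engine only, not what a Jetty connector configures afterwards.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

public class TlsEngineCheck {
    // Assumed policy for this example (not Hadoop's defaults): TLS 1.2+ only, no CBC suites.
    static final List<String> ALLOWED_PROTOCOLS = Arrays.asList("TLSv1.2", "TLSv1.3");

    // Builds a server-mode engine restricted to the assumed policy.
    static SSLEngine hardenedServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // Keep only protocols that this JVM supports and that are on the allow-list.
        String[] protocols = Arrays.stream(engine.getSupportedProtocols())
                .filter(ALLOWED_PROTOCOLS::contains).toArray(String[]::new);
        // Start from the JVM's enabled suites and drop CBC ones, such as the
        // TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 seen in the handshake trace.
        String[] suites = Arrays.stream(engine.getEnabledCipherSuites())
                .filter(s -> !s.contains("_CBC_")).toArray(String[]::new);
        engine.setEnabledProtocols(protocols);
        engine.setEnabledCipherSuites(suites);
        return engine;
    }

    // Returns every enabled protocol or suite that violates the policy;
    // an empty list means the engine's effective settings match the intent.
    static List<String> violations(SSLEngine engine) {
        List<String> bad = Arrays.stream(engine.getEnabledProtocols())
                .filter(p -> !ALLOWED_PROTOCOLS.contains(p))
                .collect(Collectors.toCollection(ArrayList::new));
        Arrays.stream(engine.getEnabledCipherSuites())
                .filter(s -> s.contains("_CBC_")).forEach(bad::add);
        return bad;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // The default engine shows what the JVM enables when nothing is configured.
        System.out.println("default engine violations:  " + violations(ctx.createSSLEngine()));
        System.out.println("hardened engine violations: " + violations(hardenedServerEngine(ctx)));
    }
}
```

Running the same {{violations()}} check on the engine a server actually hands out shows whether a later layer has re-enabled protocols or suites.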