You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-commits@hadoop.apache.org by ka...@apache.org on 2014/11/05 01:21:38 UTC

git commit: HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha)

Repository: hadoop
Updated Branches:
  refs/heads/trunk 5bd3a569f -> dbf30e3c0


HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha)


Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/dbf30e3c
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/dbf30e3c
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/dbf30e3c

Branch: refs/heads/trunk
Commit: dbf30e3c0e1522e6588aecac71c990c0b01fd8fb
Parents: 5bd3a56
Author: Karthik Kambatla <ka...@apache.org>
Authored: Tue Nov 4 16:18:24 2014 -0800
Committer: Karthik Kambatla <ka...@apache.org>
Committed: Tue Nov 4 16:18:24 2014 -0800

----------------------------------------------------------------------
 hadoop-common-project/hadoop-common/CHANGES.txt |  2 +
 .../org/apache/hadoop/http/HttpServer2.java     |  3 +-
 .../security/ssl/SslSocketConnectorSecure.java  | 58 ++++++++++++++++++++
 .../hadoop/crypto/key/kms/server/MiniKMS.java   |  5 +-
 .../org/apache/hadoop/test/TestJettyHelper.java |  3 +-
 5 files changed, 67 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hadoop/blob/dbf30e3c/hadoop-common-project/hadoop-common/CHANGES.txt
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index ede1148..7f01207 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -1056,6 +1056,8 @@ Release 2.6.0 - UNRELEASED
     HADOOP-11241. Fixed intermittent TestNMSimulator failure due to timing issue.
     (Varun Vasudev via zjshen)
 
+    HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha)
+
 Release 2.5.1 - 2014-09-05
 
   INCOMPATIBLE CHANGES

http://git-wip-us.apache.org/repos/asf/hadoop/blob/dbf30e3c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
index 8aa777b..168fd77 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
@@ -53,6 +53,7 @@ import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.ConfServlet;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
 import org.apache.hadoop.jmx.JMXJsonServlet;
 import org.apache.hadoop.log.LogLevel;
 import org.apache.hadoop.metrics.MetricsServlet;
@@ -306,7 +307,7 @@ public final class HttpServer2 implements FilterContainer {
         if ("http".equals(scheme)) {
           listener = HttpServer2.createDefaultChannelConnector();
         } else if ("https".equals(scheme)) {
-          SslSocketConnector c = new SslSocketConnector();
+          SslSocketConnector c = new SslSocketConnectorSecure();
           c.setNeedClientAuth(needsClientAuth);
           c.setKeyPassword(keyPassword);
 

http://git-wip-us.apache.org/repos/asf/hadoop/blob/dbf30e3c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java
new file mode 100644
index 0000000..52ab7ad
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.security.ssl;
+
+import org.mortbay.jetty.security.SslSocketConnector;
+
+import javax.net.ssl.SSLServerSocket;
+import java.io.IOException;
+import java.net.ServerSocket;
+import java.util.ArrayList;
+
+/**
+ * This subclass of the Jetty SslSocketConnector exists solely to control
+ * the TLS protocol versions allowed.  This is fallout from the POODLE
+ * vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
+ * Only TLS 1.0 and later protocols are allowed.
+ */
+public class SslSocketConnectorSecure extends SslSocketConnector {
+
+  public SslSocketConnectorSecure() {
+    super();
+  }
+
+  /**
+   * Create a new ServerSocket that will not accept SSLv3 connections,
+   * but will accept TLSv1.x connections.
+   */
+  protected ServerSocket newServerSocket(String host, int port,int backlog)
+          throws IOException {
+    SSLServerSocket socket = (SSLServerSocket)
+            super.newServerSocket(host, port, backlog);
+    ArrayList<String> nonSSLProtocols = new ArrayList<String>();
+    for (String p : socket.getEnabledProtocols()) {
+      if (!p.contains("SSLv3")) {
+        nonSSLProtocols.add(p);
+      }
+    }
+    socket.setEnabledProtocols(nonSSLProtocols.toArray(
+            new String[nonSSLProtocols.size()]));
+    return socket;
+  }
+}

http://git-wip-us.apache.org/repos/asf/hadoop/blob/dbf30e3c/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
index 51cc026..4f802cc 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
@@ -22,6 +22,7 @@ import org.apache.commons.io.IOUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
 import org.mortbay.jetty.Connector;
 import org.mortbay.jetty.Server;
 import org.mortbay.jetty.security.SslSocketConnector;
@@ -56,7 +57,7 @@ public class MiniKMS {
         server.getConnectors()[0].setHost(host);
         server.getConnectors()[0].setPort(port);
       } else {
-        SslSocketConnector c = new SslSocketConnector();
+        SslSocketConnector c = new SslSocketConnectorSecure();
         c.setHost(host);
         c.setPort(port);
         c.setNeedClientAuth(false);
@@ -74,7 +75,7 @@ public class MiniKMS {
 
   private static URL getJettyURL(Server server) {
     boolean ssl = server.getConnectors()[0].getClass()
-        == SslSocketConnector.class;
+        == SslSocketConnectorSecure.class;
     try {
       String scheme = (ssl) ? "https" : "http";
       return new URL(scheme + "://" +

http://git-wip-us.apache.org/repos/asf/hadoop/blob/dbf30e3c/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java
index 5dd6124..50b4327 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java
@@ -24,6 +24,7 @@ import java.net.ServerSocket;
 import java.net.URL;
 import java.net.UnknownHostException;
 
+import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
 import org.junit.Test;
 import org.junit.rules.MethodRule;
 import org.junit.runners.model.FrameworkMethod;
@@ -92,7 +93,7 @@ public class TestJettyHelper implements MethodRule {
         server.getConnectors()[0].setHost(host);
         server.getConnectors()[0].setPort(port);
       } else {
-        SslSocketConnector c = new SslSocketConnector();
+        SslSocketConnector c = new SslSocketConnectorSecure();
         c.setHost(host);
         c.setPort(port);
         c.setNeedClientAuth(false);