Posted to dev@oozie.apache.org by "Attila Sasvari (JIRA)" <ji...@apache.org> on 2016/12/29 23:03:58 UTC
[jira] [Updated] (OOZIE-2756) Extend HTTPS configuration settings for embedded Jetty
[ https://issues.apache.org/jira/browse/OOZIE-2756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Attila Sasvari updated OOZIE-2756:
----------------------------------
Attachment: OOZIE-2756-01.patch
Additional tests I performed (manually):
Exclude protocol test
- added {{TLSv1.2}} with {{oozie.https.exclude.protocol}} in {{oozie-site.xml}}
- verified {{curl -k --tlsv1.2 https://localhost:11443 -vv}} failed
Exclude ciphers "always win"
- added {{TLS_ECDHE_RSA_WITH_RC4_128_SHA}} to {{oozie.https.include.cipher.suites}} _Note: it is excluded by default_
- verified that {{curl}} could not connect to server
In my opinion, this kind of simple integration test (e.g. starting the Oozie server with HTTPS with different configuration settings) may be worth automating in the future.
> Extend HTTPS configuration settings for embedded Jetty
> ------------------------------------------------------
>
> Key: OOZIE-2756
> URL: https://issues.apache.org/jira/browse/OOZIE-2756
> Project: Oozie
> Issue Type: Improvement
> Reporter: Attila Sasvari
> Assignee: Attila Sasvari
> Attachments: OOZIE-2756-01.patch
>
>
> Regarding HTTPS settings, currently Oozie only supports {{oozie.https.include.protocols}} and {{oozie.https.exclude.cipher.suites}} (introduced by OOZIE-2666).
> However, Jetty SslContextFactory supports the following configurations:
> * excludeProtocols
> * includeProtocols
> * excludeCipherSuites
> * includeCipherSuites
> To have more control over employed protocols and cipher suites, we should extend current implementation to allow users to configure {{excludeProtocols}} and {{includeCipherSuites}}. Sensible defaults are also needed.
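The manual exclude-protocol check described in the comment above, automated as an added example (it is not part of the original message or of the OOZIE-2756 patch). The function names `probe` and `exclusion_failures` are hypothetical; the host and port are taken from the `curl` command in the comment. A server that cannot be reached is reported separately, because a failed connection alone does not show that the protocol was excluded.

```python
import socket
import ssl


def probe(host, port, version, timeout=3.0):
    """Attempt one handshake pinned to `version`.

    Returns 'accepted', 'rejected' (TCP connected, handshake failed)
    or 'unreachable' (no TCP connection, so nothing was tested).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # same trust posture as `curl -k`:
    ctx.verify_mode = ssl.CERT_NONE  # only protocol negotiation is under test
    ctx.minimum_version = version    # pin both bounds so the client cannot
    ctx.maximum_version = version    # fall back to another protocol version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with raw:
        try:
            with ctx.wrap_socket(raw):
                return "accepted"
        except OSError:              # ssl.SSLError, resets and timeouts
            return "rejected"


def exclusion_failures(host, port, excluded):
    """Return (protocol, outcome) for every excluded protocol not proven rejected."""
    failures = []
    for version in excluded:
        outcome = probe(host, port, version)
        if outcome != "rejected":    # 'unreachable' is inconclusive, so it fails too
            failures.append((version.name, outcome))
    return failures


if __name__ == "__main__":
    # Assumes an Oozie server on localhost:11443 with TLSv1.2 listed in
    # oozie.https.exclude.protocol, as in the manual test.
    problems = exclusion_failures("localhost", 11443, [ssl.TLSVersion.TLSv1_2])
    for name, outcome in problems:
        print(f"{name}: expected rejected, got {outcome}")
    raise SystemExit(1 if problems else 0)
```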