Posted to common-issues@hadoop.apache.org by "Allen Wittenauer (JIRA)" <ji...@apache.org> on 2017/02/15 19:35:41 UTC

[jira] [Commented] (HADOOP-14083) KMS should support old SSL clients

    [ https://issues.apache.org/jira/browse/HADOOP-14083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15868443#comment-15868443 ] 

Allen Wittenauer commented on HADOOP-14083:
-------------------------------------------

It seems like a really bad idea to support weak SSL ciphers given KMS is for security.  In the specific case of curl, I'm 99% certain that curl's cipher usage is specifically tied to the version of OpenSSL in use as well as what options are used on the command line. (This is one of the reasons why many people build their own versions of curl, etc. on systems such as OS X, which are known to have old versions of OpenSSL installed.)

> KMS should support old SSL clients
> ----------------------------------
>
>                 Key: HADOOP-14083
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14083
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 2.8.0, 2.7.4, 2.6.6
>            Reporter: John Zhuge
>            Assignee: John Zhuge
>            Priority: Minor
>
> HADOOP-13812 upgraded Tomcat to 6.0.48 which filters weak ciphers. Old SSL clients such as curl stop working. The symptom is {{NSS error -12286}} when running {{curl -v}}.
> Instead of forcing the SSL clients to upgrade, we can configure Tomcat to explicitly allow enough weak ciphers so that old SSL clients can work.


