HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha)

(cherry picked from commit dbf30e3c0e)
This commit is contained in:
Karthik Kambatla 2014-11-04 16:18:24 -08:00
parent 9d697e3038
commit 395d4ba766
5 changed files with 67 additions and 4 deletions

View File

@ -527,6 +527,8 @@ Release 2.6.0 - UNRELEASED
HADOOP-11241. Fixed intermittent TestNMSimulator failure due to timing issue. HADOOP-11241. Fixed intermittent TestNMSimulator failure due to timing issue.
(Varun Vasudev via zjshen) (Varun Vasudev via zjshen)
HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha)
Release 2.5.1 - 2014-09-05 Release 2.5.1 - 2014-09-05
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES

View File

@ -53,6 +53,7 @@ import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.ConfServlet; import org.apache.hadoop.conf.ConfServlet;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
import org.apache.hadoop.jmx.JMXJsonServlet; import org.apache.hadoop.jmx.JMXJsonServlet;
import org.apache.hadoop.log.LogLevel; import org.apache.hadoop.log.LogLevel;
import org.apache.hadoop.metrics.MetricsServlet; import org.apache.hadoop.metrics.MetricsServlet;
@ -306,7 +307,7 @@ public final class HttpServer2 implements FilterContainer {
if ("http".equals(scheme)) { if ("http".equals(scheme)) {
listener = HttpServer2.createDefaultChannelConnector(); listener = HttpServer2.createDefaultChannelConnector();
} else if ("https".equals(scheme)) { } else if ("https".equals(scheme)) {
SslSocketConnector c = new SslSocketConnector(); SslSocketConnector c = new SslSocketConnectorSecure();
c.setNeedClientAuth(needsClientAuth); c.setNeedClientAuth(needsClientAuth);
c.setKeyPassword(keyPassword); c.setKeyPassword(keyPassword);

View File

@ -0,0 +1,58 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.security.ssl;
import org.mortbay.jetty.security.SslSocketConnector;
import javax.net.ssl.SSLServerSocket;
import java.io.IOException;
import java.net.ServerSocket;
import java.util.ArrayList;
/**
* This subclass of the Jetty SslSocketConnector exists solely to control
* the TLS protocol versions allowed. This is fallout from the POODLE
* vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
* Only TLS 1.0 and later protocols are allowed.
*/
public class SslSocketConnectorSecure extends SslSocketConnector {
public SslSocketConnectorSecure() {
super();
}
/**
* Create a new ServerSocket that will not accept SSLv3 connections,
* but will accept TLSv1.x connections.
*/
protected ServerSocket newServerSocket(String host, int port,int backlog)
throws IOException {
SSLServerSocket socket = (SSLServerSocket)
super.newServerSocket(host, port, backlog);
ArrayList<String> nonSSLProtocols = new ArrayList<String>();
for (String p : socket.getEnabledProtocols()) {
if (!p.contains("SSLv3")) {
nonSSLProtocols.add(p);
}
}
socket.setEnabledProtocols(nonSSLProtocols.toArray(
new String[nonSSLProtocols.size()]));
return socket;
}
}

View File

@ -22,6 +22,7 @@ import org.apache.commons.io.IOUtils;
import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.KMSRESTConstants; import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
import org.mortbay.jetty.Connector; import org.mortbay.jetty.Connector;
import org.mortbay.jetty.Server; import org.mortbay.jetty.Server;
import org.mortbay.jetty.security.SslSocketConnector; import org.mortbay.jetty.security.SslSocketConnector;
@ -56,7 +57,7 @@ public class MiniKMS {
server.getConnectors()[0].setHost(host); server.getConnectors()[0].setHost(host);
server.getConnectors()[0].setPort(port); server.getConnectors()[0].setPort(port);
} else { } else {
SslSocketConnector c = new SslSocketConnector(); SslSocketConnector c = new SslSocketConnectorSecure();
c.setHost(host); c.setHost(host);
c.setPort(port); c.setPort(port);
c.setNeedClientAuth(false); c.setNeedClientAuth(false);
@ -74,7 +75,7 @@ public class MiniKMS {
private static URL getJettyURL(Server server) { private static URL getJettyURL(Server server) {
boolean ssl = server.getConnectors()[0].getClass() boolean ssl = server.getConnectors()[0].getClass()
== SslSocketConnector.class; == SslSocketConnectorSecure.class;
try { try {
String scheme = (ssl) ? "https" : "http"; String scheme = (ssl) ? "https" : "http";
return new URL(scheme + "://" + return new URL(scheme + "://" +

View File

@ -24,6 +24,7 @@ import java.net.ServerSocket;
import java.net.URL; import java.net.URL;
import java.net.UnknownHostException; import java.net.UnknownHostException;
import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
import org.junit.Test; import org.junit.Test;
import org.junit.rules.MethodRule; import org.junit.rules.MethodRule;
import org.junit.runners.model.FrameworkMethod; import org.junit.runners.model.FrameworkMethod;
@ -92,7 +93,7 @@ public class TestJettyHelper implements MethodRule {
server.getConnectors()[0].setHost(host); server.getConnectors()[0].setHost(host);
server.getConnectors()[0].setPort(port); server.getConnectors()[0].setPort(port);
} else { } else {
SslSocketConnector c = new SslSocketConnector(); SslSocketConnector c = new SslSocketConnectorSecure();
c.setHost(host); c.setHost(host);
c.setPort(port); c.setPort(port);
c.setNeedClientAuth(false); c.setNeedClientAuth(false);