HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)

Karthik Kambatla 2014-10-28 18:03:00 -07:00
parent 0782f60288
commit 3c5f5af118
4 changed files with 23 additions and 1 deletions


@ -1015,6 +1015,8 @@ Release 2.6.0 - UNRELEASED
HADOOP-11217. Disable SSLv3 in KMS. (Robert Kanter via kasha)
HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)
Release 2.5.1 - 2014-09-05
INCOMPATIBLE CHANGES


@ -66,6 +66,10 @@ public class SSLFactory implements ConnectionConfigurator {
public static final String KEYSTORES_FACTORY_CLASS_KEY =
"hadoop.ssl.keystores.factory.class";
public static final String SSL_ENABLED_PROTOCOLS =
"hadoop.ssl.enabled.protocols";
public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1";
private Configuration conf;
private Mode mode;
private boolean requireClientCert;
@ -73,6 +77,8 @@ public class SSLFactory implements ConnectionConfigurator {
private HostnameVerifier hostnameVerifier;
private KeyStoresFactory keystoresFactory;
private String[] enabledProtocols = null;
/**
* Creates an SSLFactory.
*
@ -94,6 +100,9 @@ public class SSLFactory implements ConnectionConfigurator {
= conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
FileBasedKeyStoresFactory.class, KeyStoresFactory.class);
keystoresFactory = ReflectionUtils.newInstance(klass, sslConf);
enabledProtocols = conf.getStrings(SSL_ENABLED_PROTOCOLS,
DEFAULT_SSL_ENABLED_PROTOCOLS);
}
private Configuration readSSLConfiguration(Mode mode) {
@ -122,7 +131,7 @@ public class SSLFactory implements ConnectionConfigurator {
context = SSLContext.getInstance("TLS");
context.init(keystoresFactory.getKeyManagers(),
keystoresFactory.getTrustManagers(), null);
context.getDefaultSSLParameters().setProtocols(enabledProtocols);
hostnameVerifier = getHostnameVerifier(conf);
}
@ -185,6 +194,7 @@ public class SSLFactory implements ConnectionConfigurator {
sslEngine.setUseClientMode(false);
sslEngine.setNeedClientAuth(requireClientCert);
}
sslEngine.setEnabledProtocols(enabledProtocols);
return sslEngine;
}
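Review bot: The call `context.getDefaultSSLParameters().setProtocols(enabledProtocols);` in the `@ -122,7 +131,7` hunk has no effect, because `SSLContext.getDefaultSSLParameters()` returns a fresh copy of the parameters, so mutating it never changes what the context or any `SSLSocketFactory` derived from it will negotiate. The only place the new protocol list is actually enforced is `sslEngine.setEnabledProtocols(enabledProtocols)` in `createSSLEngine`; anything built from the context's socket factory (presumably `createSSLSocketFactory`, which is outside these hunks) would still offer whatever the JDK enables by default, which on the JDKs of this era can include SSLv3. I would drop the no-op line and replace it with `// SSLContext.getDefaultSSLParameters() returns a copy; protocols must be set on each SSLEngine/SSLSocket`, and call `setEnabledProtocols(enabledProtocols)` on every socket the factory hands out as well. The enclosing `init` method starts and ends outside the hunk.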


@ -1372,6 +1372,14 @@ for ldap providers in the same way as above does.
</description>
</property>
<property>
<name>hadoop.ssl.enabled.protocols</name>
<value>TLSv1</value>
<description>
Protocols supported by the ssl.
</description>
</property>
<property>
<name>hadoop.jetty.logs.serve.aliases</name>
<value>true</value>


@ -53,6 +53,8 @@ Hadoop MapReduce Next Generation - Encrypted Shuffle
| <<<hadoop.ssl.server.conf>>> | <<<ss-server.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
*--------------------------------------+---------------------+-----------------+
| <<<hadoop.ssl.client.conf>>> | <<<ss-client.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
*--------------------------------------+---------------------+-----------------+
| <<<hadoop.ssl.enabled.protocols>>> | <<<TLSv1>>> | The supported SSL protocols (JDK6 can use <<TLSv1>>, JDK7+ can use <<TLSv1,TLSv1.1,TLSv1.2>>) |
*--------------------------------------+---------------------+-----------------+
<<IMPORTANT:>> Currently requiring client certificates should be set to false.