HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)
(cherry picked from commit 3c5f5af118)
parent
e181498a67
commit
d8212c0b7e
|
@ -641,6 +641,8 @@ Release 2.6.0 - UNRELEASED
|
|||
|
||||
HADOOP-11217. Disable SSLv3 in KMS. (Robert Kanter via kasha)
|
||||
|
||||
HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)
|
||||
|
||||
Release 2.5.1 - 2014-09-05
|
||||
|
||||
INCOMPATIBLE CHANGES
|
||||
|
|
|
@ -66,6 +66,10 @@ public class SSLFactory implements ConnectionConfigurator {
|
|||
public static final String KEYSTORES_FACTORY_CLASS_KEY =
|
||||
"hadoop.ssl.keystores.factory.class";
|
||||
|
||||
public static final String SSL_ENABLED_PROTOCOLS =
|
||||
"hadoop.ssl.enabled.protocols";
|
||||
public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1";
|
||||
|
||||
private Configuration conf;
|
||||
private Mode mode;
|
||||
private boolean requireClientCert;
|
||||
|
@ -73,6 +77,8 @@ public class SSLFactory implements ConnectionConfigurator {
|
|||
private HostnameVerifier hostnameVerifier;
|
||||
private KeyStoresFactory keystoresFactory;
|
||||
|
||||
private String[] enabledProtocols = null;
|
||||
|
||||
/**
|
||||
* Creates an SSLFactory.
|
||||
*
|
||||
|
@ -94,6 +100,9 @@ public class SSLFactory implements ConnectionConfigurator {
|
|||
= conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
|
||||
FileBasedKeyStoresFactory.class, KeyStoresFactory.class);
|
||||
keystoresFactory = ReflectionUtils.newInstance(klass, sslConf);
|
||||
|
||||
enabledProtocols = conf.getStrings(SSL_ENABLED_PROTOCOLS,
|
||||
DEFAULT_SSL_ENABLED_PROTOCOLS);
|
||||
}
|
||||
|
||||
private Configuration readSSLConfiguration(Mode mode) {
|
||||
|
@ -122,7 +131,7 @@ public class SSLFactory implements ConnectionConfigurator {
|
|||
context = SSLContext.getInstance("TLS");
|
||||
context.init(keystoresFactory.getKeyManagers(),
|
||||
keystoresFactory.getTrustManagers(), null);
|
||||
|
||||
context.getDefaultSSLParameters().setProtocols(enabledProtocols);
|
||||
hostnameVerifier = getHostnameVerifier(conf);
|
||||
}
|
||||
|
||||
|
@ -185,6 +194,7 @@ public class SSLFactory implements ConnectionConfigurator {
|
|||
sslEngine.setUseClientMode(false);
|
||||
sslEngine.setNeedClientAuth(requireClientCert);
|
||||
}
|
||||
sslEngine.setEnabledProtocols(enabledProtocols);
|
||||
return sslEngine;
|
||||
}
|
||||
|
||||
|
|
|
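Review bot: `context.getDefaultSSLParameters().setProtocols(enabledProtocols);` in the init hunk (@ -122,7) configures a throwaway object: `SSLContext.getDefaultSSLParameters()` returns a fresh `SSLParameters` copy on every call and `SSLContext` has no setter to write it back, so that line never changes what the context negotiates. The protocol restriction is only enforced on the engine path, where `sslEngine.setEnabledProtocols(enabledProtocols);` is applied explicitly in the @ -185,6 hunk; if the class also hands out `context.getSocketFactory()` or `context.getServerSocketFactory()` (not visible in these hunks), sockets from those factories will still offer the JDK default protocol list, which on older runtimes includes SSLv3. I would drop the no-op line, or replace it with `// SSLContext has no setter for default parameters; protocols must be applied per SSLEngine/SSLSocket`, and call `setEnabledProtocols` on each socket produced by the factory methods as well. Note also that `DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1"` pins unconfigured JDK7+ deployments to TLS 1.0 alone, so operators who want 1.1/1.2 must set `hadoop.ssl.enabled.protocols` explicitly. The enclosing `init` method begins outside the hunk.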
@ -1365,6 +1365,14 @@ for ldap providers in the same way as above does.
|
|||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.ssl.enabled.protocols</name>
|
||||
<value>TLSv1</value>
|
||||
<description>
|
||||
Protocols supported by the ssl.
|
||||
</description>
|
||||
</property>
|
||||
|
||||
<property>
|
||||
<name>hadoop.jetty.logs.serve.aliases</name>
|
||||
<value>true</value>
|
||||
|
|
|
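Review bot: The description for `hadoop.ssl.enabled.protocols`, `Protocols supported by the ssl.`, does not tell an operator what the value means or how to write it; the Java side reads it with `conf.getStrings`, so it is a comma-separated list of JSSE protocol names used as the enabled-protocol allowlist for the SSL engine. Suggest `Comma-separated list of SSL/TLS protocol names (for example TLSv1,TLSv1.1,TLSv1.2) that SSLFactory enables; protocols not listed, such as SSLv3, are not offered.` It would also help to state that the default of `TLSv1` alone keeps JDK7+ deployments on TLS 1.0 unless this property is overridden.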
@ -53,6 +53,8 @@ Hadoop MapReduce Next Generation - Encrypted Shuffle
|
|||
| <<<hadoop.ssl.server.conf>>> | <<<ss-server.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
|
||||
*--------------------------------------+---------------------+-----------------+
|
||||
| <<<hadoop.ssl.client.conf>>> | <<<ss-client.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
|
||||
*--------------------------------------+---------------------+-----------------+
|
||||
| <<<hadoop.ssl.enabled.protocols>>> | <<<TLSv1>>> | The supported SSL protocols (JDK6 can use <<TLSv1>>, JDK7+ can use <<TLSv1,TLSv1.1,TLSv1.2>>) |
|
||||
*--------------------------------------+---------------------+-----------------+
|
||||
|
||||
<<IMPORTANT:>> Currently requiring client certificates should be set to false.
|
||||
|
|