HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)
(cherry picked from commit 3c5f5af118
)
parent
e181498a67
commit
d8212c0b7e
@ -641,6 +641,8 @@ Release 2.6.0 - UNRELEASED
HADOOP-11217. Disable SSLv3 in KMS. (Robert Kanter via kasha)
HADOOP-11217. Disable SSLv3 in KMS. (Robert Kanter via kasha)
HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)
Release 2.5.1 - 2014-09-05
Release 2.5.1 - 2014-09-05
INCOMPATIBLE CHANGES
INCOMPATIBLE CHANGES
@ -66,6 +66,10 @@ public class SSLFactory implements ConnectionConfigurator {
public static final String KEYSTORES_FACTORY_CLASS_KEY =
public static final String KEYSTORES_FACTORY_CLASS_KEY =
"hadoop.ssl.keystores.factory.class";
"hadoop.ssl.keystores.factory.class";
public static final String SSL_ENABLED_PROTOCOLS =
"hadoop.ssl.enabled.protocols";
public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1";
private Configuration conf;
private Configuration conf;
private Mode mode;
private Mode mode;
private boolean requireClientCert;
private boolean requireClientCert;
@ -73,6 +77,8 @@ public class SSLFactory implements ConnectionConfigurator {
private HostnameVerifier hostnameVerifier;
private HostnameVerifier hostnameVerifier;
private KeyStoresFactory keystoresFactory;
private KeyStoresFactory keystoresFactory;
private String[] enabledProtocols = null;
/**
/**
* Creates an SSLFactory.
* Creates an SSLFactory.
*
*
@ -94,6 +100,9 @@ public class SSLFactory implements ConnectionConfigurator {
= conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
= conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
FileBasedKeyStoresFactory.class, KeyStoresFactory.class);
FileBasedKeyStoresFactory.class, KeyStoresFactory.class);
keystoresFactory = ReflectionUtils.newInstance(klass, sslConf);
keystoresFactory = ReflectionUtils.newInstance(klass, sslConf);
enabledProtocols = conf.getStrings(SSL_ENABLED_PROTOCOLS,
DEFAULT_SSL_ENABLED_PROTOCOLS);
}
}
private Configuration readSSLConfiguration(Mode mode) {
private Configuration readSSLConfiguration(Mode mode) {
@ -122,7 +131,7 @@ public class SSLFactory implements ConnectionConfigurator {
context = SSLContext.getInstance("TLS");
context = SSLContext.getInstance("TLS");
context.init(keystoresFactory.getKeyManagers(),
context.init(keystoresFactory.getKeyManagers(),
keystoresFactory.getTrustManagers(), null);
keystoresFactory.getTrustManagers(), null);
context.getDefaultSSLParameters().setProtocols(enabledProtocols);
hostnameVerifier = getHostnameVerifier(conf);
hostnameVerifier = getHostnameVerifier(conf);
}
}
@ -185,6 +194,7 @@ public class SSLFactory implements ConnectionConfigurator {
sslEngine.setUseClientMode(false);
sslEngine.setUseClientMode(false);
sslEngine.setNeedClientAuth(requireClientCert);
sslEngine.setNeedClientAuth(requireClientCert);
}
}
sslEngine.setEnabledProtocols(enabledProtocols);
return sslEngine;
return sslEngine;
}
}
@ -1365,6 +1365,14 @@ for ldap providers in the same way as above does.
</description>
</description>
</property>
</property>
<property>
<name>hadoop.ssl.enabled.protocols</name>
<value>TLSv1</value>
<description>
Protocols supported by the ssl.
</description>
</property>
<property>
<property>
<name>hadoop.jetty.logs.serve.aliases</name>
<name>hadoop.jetty.logs.serve.aliases</name>
<value>true</value>
<value>true</value>
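Review bot: The new property's description, `Protocols supported by the ssl.`, does not tell an operator what the value means or what the default costs them. It should say that the value is a comma-separated list of JSSE protocol names applied by `SSLFactory` to the connections it creates (for both client and server use, since the key is read from the common configuration rather than the per-mode ssl-server/ssl-client resource), that names the running JDK does not support are rejected, and that the default `TLSv1` excludes SSLv3 but also TLSv1.1 and TLSv1.2, so on JDK7+ it narrows the negotiable set to TLS 1.0 only. Suggested text: `Comma-separated list of SSL/TLS protocol names, as understood by the JDK's JSSE, that SSLFactory enables on the connections it creates (client and server). Names not supported by the running JDK are rejected. The default, TLSv1, is the only protocol common to JDK6 and JDK7+; it excludes SSLv3 but also TLSv1.1 and TLSv1.2, so JDK7+ deployments should set TLSv1,TLSv1.1,TLSv1.2.` The `<property>` element is complete within the hunk.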
@ -53,6 +53,8 @@ Hadoop MapReduce Next Generation - Encrypted Shuffle
| <<<hadoop.ssl.server.conf>>> | <<<ss-server.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
| <<<hadoop.ssl.server.conf>>> | <<<ss-server.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
*--------------------------------------+---------------------+-----------------+
*--------------------------------------+---------------------+-----------------+
| <<<hadoop.ssl.client.conf>>> | <<<ss-client.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
| <<<hadoop.ssl.client.conf>>> | <<<ss-client.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
*--------------------------------------+---------------------+-----------------+
| <<<hadoop.ssl.enabled.protocols>>> | <<<TLSv1>>> | The supported SSL protocols (JDK6 can use <<TLSv1>>, JDK7+ can use <<TLSv1,TLSv1.1,TLSv1.2>>) |
*--------------------------------------+---------------------+-----------------+
*--------------------------------------+---------------------+-----------------+
<<IMPORTANT:>> Currently requiring client certificates should be set to false.
<<IMPORTANT:>> Currently requiring client certificates should be set to false.