HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)

(cherry picked from commit 3c5f5af118)
This commit is contained in:
Karthik Kambatla 2014-10-28 18:03:00 -07:00
parent e181498a67
commit d8212c0b7e
4 changed files with 23 additions and 1 deletions

View File

@ -641,6 +641,8 @@ Release 2.6.0 - UNRELEASED
HADOOP-11217. Disable SSLv3 in KMS. (Robert Kanter via kasha) HADOOP-11217. Disable SSLv3 in KMS. (Robert Kanter via kasha)
HADOOP-11243. SSLFactory shouldn't allow SSLv3. (Wei Yan via kasha)
Release 2.5.1 - 2014-09-05 Release 2.5.1 - 2014-09-05
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES

View File

@ -66,6 +66,10 @@ public class SSLFactory implements ConnectionConfigurator {
public static final String KEYSTORES_FACTORY_CLASS_KEY = public static final String KEYSTORES_FACTORY_CLASS_KEY =
"hadoop.ssl.keystores.factory.class"; "hadoop.ssl.keystores.factory.class";
public static final String SSL_ENABLED_PROTOCOLS =
"hadoop.ssl.enabled.protocols";
public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1";
private Configuration conf; private Configuration conf;
private Mode mode; private Mode mode;
private boolean requireClientCert; private boolean requireClientCert;
@ -73,6 +77,8 @@ public class SSLFactory implements ConnectionConfigurator {
private HostnameVerifier hostnameVerifier; private HostnameVerifier hostnameVerifier;
private KeyStoresFactory keystoresFactory; private KeyStoresFactory keystoresFactory;
private String[] enabledProtocols = null;
/** /**
* Creates an SSLFactory. * Creates an SSLFactory.
* *
@ -94,6 +100,9 @@ public class SSLFactory implements ConnectionConfigurator {
= conf.getClass(KEYSTORES_FACTORY_CLASS_KEY, = conf.getClass(KEYSTORES_FACTORY_CLASS_KEY,
FileBasedKeyStoresFactory.class, KeyStoresFactory.class); FileBasedKeyStoresFactory.class, KeyStoresFactory.class);
keystoresFactory = ReflectionUtils.newInstance(klass, sslConf); keystoresFactory = ReflectionUtils.newInstance(klass, sslConf);
enabledProtocols = conf.getStrings(SSL_ENABLED_PROTOCOLS,
DEFAULT_SSL_ENABLED_PROTOCOLS);
} }
private Configuration readSSLConfiguration(Mode mode) { private Configuration readSSLConfiguration(Mode mode) {
@ -122,7 +131,7 @@ public class SSLFactory implements ConnectionConfigurator {
context = SSLContext.getInstance("TLS"); context = SSLContext.getInstance("TLS");
context.init(keystoresFactory.getKeyManagers(), context.init(keystoresFactory.getKeyManagers(),
keystoresFactory.getTrustManagers(), null); keystoresFactory.getTrustManagers(), null);
context.getDefaultSSLParameters().setProtocols(enabledProtocols);
hostnameVerifier = getHostnameVerifier(conf); hostnameVerifier = getHostnameVerifier(conf);
} }
@ -185,6 +194,7 @@ public class SSLFactory implements ConnectionConfigurator {
sslEngine.setUseClientMode(false); sslEngine.setUseClientMode(false);
sslEngine.setNeedClientAuth(requireClientCert); sslEngine.setNeedClientAuth(requireClientCert);
} }
sslEngine.setEnabledProtocols(enabledProtocols);
return sslEngine; return sslEngine;
} }

View File

@ -1365,6 +1365,14 @@ for ldap providers in the same way as above does.
</description> </description>
</property> </property>
<property>
<name>hadoop.ssl.enabled.protocols</name>
<value>TLSv1</value>
<description>
Protocols supported by the ssl.
</description>
</property>
<property> <property>
<name>hadoop.jetty.logs.serve.aliases</name> <name>hadoop.jetty.logs.serve.aliases</name>
<value>true</value> <value>true</value>

View File

@ -53,6 +53,8 @@ Hadoop MapReduce Next Generation - Encrypted Shuffle
| <<<hadoop.ssl.server.conf>>> | <<<ss-server.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory | | <<<hadoop.ssl.server.conf>>> | <<<ss-server.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
*--------------------------------------+---------------------+-----------------+ *--------------------------------------+---------------------+-----------------+
| <<<hadoop.ssl.client.conf>>> | <<<ss-client.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory | | <<<hadoop.ssl.client.conf>>> | <<<ss-client.xml>>> | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
*--------------------------------------+---------------------+-----------------+
| <<<hadoop.ssl.enabled.protocols>>> | <<<TLSv1>>> | The supported SSL protocols (JDK6 can use <<TLSv1>>, JDK7+ can use <<TLSv1,TLSv1.1,TLSv1.2>>) |
*--------------------------------------+---------------------+-----------------+ *--------------------------------------+---------------------+-----------------+
<<IMPORTANT:>> Currently requiring client certificates should be set to false. <<IMPORTANT:>> Currently requiring client certificates should be set to false.