diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java index 9de02f0bc65..68524ab8aad 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java @@ -356,7 +356,7 @@ public class HttpServer implements FilterContainer { if ("http".equals(scheme)) { listener = HttpServer.createDefaultChannelConnector(); } else if ("https".equals(scheme)) { - SslSocketConnector c = new SslSocketConnector(); + SslSocketConnector c = new SslSocketConnectorSecure(); c.setNeedClientAuth(needsClientAuth); c.setKeyPassword(keyPassword); diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/SslSocketConnectorSecure.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/SslSocketConnectorSecure.java new file mode 100644 index 00000000000..2d78a3ff1f3 --- /dev/null +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/SslSocketConnectorSecure.java @@ -0,0 +1,58 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hbase.http; + +import org.mortbay.jetty.security.SslSocketConnector; + +import javax.net.ssl.SSLServerSocket; +import java.io.IOException; +import java.net.ServerSocket; +import java.util.ArrayList; + +/** + * This subclass of the Jetty SslSocketConnector exists solely to control + * the TLS protocol versions allowed. This is fallout from the POODLE + * vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled. + * Only TLS 1.0 and later protocols are allowed. + */ +public class SslSocketConnectorSecure extends SslSocketConnector { + + public SslSocketConnectorSecure() { + super(); + } + + /** + * Create a new ServerSocket that will not accept SSLv3 connections, + * but will accept TLSv1.x connections. + */ + protected ServerSocket newServerSocket(String host, int port,int backlog) + throws IOException { + SSLServerSocket socket = (SSLServerSocket) + super.newServerSocket(host, port, backlog); + ArrayList nonSSLProtocols = new ArrayList(); + for (String p : socket.getEnabledProtocols()) { + if (!p.contains("SSLv3")) { + nonSSLProtocols.add(p); + } + } + socket.setEnabledProtocols(nonSSLProtocols.toArray( + new String[nonSSLProtocols.size()])); + return socket; + } +}