HBASE-16662 Fix open POODLE vulnerabilities

Signed-off-by: Andrew Purtell <apurtell@apache.org>
This commit is contained in:
Ben Lau 2016-09-22 19:16:51 +00:00 committed by Andrew Purtell
parent ba650a8a10
commit 6973304026
6 changed files with 137 additions and 6 deletions

View File

@ -39,6 +39,7 @@ import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
import org.apache.hadoop.hbase.http.HttpServer;
import org.apache.hadoop.hbase.http.InfoServer;
import org.apache.hadoop.hbase.jetty.SslSelectChannelConnectorSecure;
import org.apache.hadoop.hbase.rest.filter.AuthFilter;
import org.apache.hadoop.hbase.rest.filter.RestCsrfPreventionFilter;
import org.apache.hadoop.hbase.security.UserProvider;
@ -51,7 +52,6 @@ import org.apache.hadoop.util.StringUtils;
import org.mortbay.jetty.Connector;
import org.mortbay.jetty.Server;
import org.mortbay.jetty.nio.SelectChannelConnector;
import org.mortbay.jetty.security.SslSelectChannelConnector;
import org.mortbay.jetty.servlet.Context;
import org.mortbay.jetty.servlet.FilterHolder;
import org.mortbay.jetty.servlet.ServletHolder;
@ -252,7 +252,7 @@ public class RESTServer implements Constants {
Connector connector = new SelectChannelConnector();
if(conf.getBoolean(REST_SSL_ENABLED, false)) {
SslSelectChannelConnector sslConnector = new SslSelectChannelConnector();
SslSelectChannelConnectorSecure sslConnector = new SslSelectChannelConnectorSecure();
String keystore = conf.get(REST_SSL_KEYSTORE_STORE);
String password = HBaseConfiguration.getPassword(conf,
REST_SSL_KEYSTORE_PASSWORD, null);

View File

@ -110,8 +110,8 @@ public class JMXListener implements Coprocessor {
throw new IOException("SSL is enabled. " +
"rmiConnectorPort cannot share with the rmiRegistryPort!");
}
csf = new SslRMIClientSocketFactory();
ssf = new SslRMIServerSocketFactory();
csf = new SslRMIClientSocketFactorySecure();
ssf = new SslRMIServerSocketFactorySecure();
}
if (csf != null) {

View File

@ -0,0 +1,38 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more contributor license
* agreements. See the NOTICE file distributed with this work for additional information regarding
* copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance with the License. You may obtain a
* copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable
* law or agreed to in writing, software distributed under the License is distributed on an "AS IS"
* BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License
* for the specific language governing permissions and limitations under the License.
*/
package org.apache.hadoop.hbase;
import java.io.IOException;
import java.net.Socket;
import java.util.ArrayList;
import javax.net.ssl.SSLSocket;
import javax.rmi.ssl.SslRMIClientSocketFactory;
/**
* Avoid SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566
*/
@SuppressWarnings("serial")
public class SslRMIClientSocketFactorySecure extends SslRMIClientSocketFactory {
@Override
public Socket createSocket(String host, int port) throws IOException {
SSLSocket socket = (SSLSocket) super.createSocket(host, port);
ArrayList<String> secureProtocols = new ArrayList<String>();
for (String p : socket.getEnabledProtocols()) {
if (!p.contains("SSLv3")) {
secureProtocols.add(p);
}
}
socket.setEnabledProtocols(secureProtocols.toArray(
new String[secureProtocols.size()]));
return socket;
}
}

View File

@ -0,0 +1,57 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more contributor license
* agreements. See the NOTICE file distributed with this work for additional information regarding
* copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance with the License. You may obtain a
* copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable
* law or agreed to in writing, software distributed under the License is distributed on an "AS IS"
* BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License
* for the specific language governing permissions and limitations under the License.
*/
package org.apache.hadoop.hbase;
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;
/**
* Avoid SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566
*/
public class SslRMIServerSocketFactorySecure extends SslRMIServerSocketFactory {
// If you add more constructors, you may have to change the rest of this implementation,
// which assumes an empty constructor, i.e. there are no specially enabled protocols or
// cipher suites on this RMI factory nor a provided SSLContext
public SslRMIServerSocketFactorySecure() {
super();
}
@Override
public ServerSocket createServerSocket(int port) throws IOException {
return new ServerSocket(port) {
public Socket accept() throws IOException {
Socket socket = super.accept();
SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslSocket =
(SSLSocket) sslSocketFactory.createSocket(socket,
socket.getInetAddress().getHostName(), socket.getPort(), true);
sslSocket.setUseClientMode(false);
sslSocket.setNeedClientAuth(false);
ArrayList<String> secureProtocols = new ArrayList<String>();
for (String p : sslSocket.getEnabledProtocols()) {
if (!p.contains("SSLv3")) {
secureProtocols.add(p);
}
}
sslSocket.setEnabledProtocols(secureProtocols.toArray(new String[secureProtocols.size()]));
return sslSocket;
}
};
}
}

View File

@ -0,0 +1,36 @@
/**
* Licensed to the Apache Software Foundation (ASF) under one or more contributor license
* agreements. See the NOTICE file distributed with this work for additional information regarding
* copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance with the License. You may obtain a
* copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable
* law or agreed to in writing, software distributed under the License is distributed on an "AS IS"
* BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License
* for the specific language governing permissions and limitations under the License.
*/
package org.apache.hadoop.hbase.jetty;
import java.io.IOException;
import java.util.ArrayList;
import javax.net.ssl.SSLEngine;
import org.mortbay.jetty.security.SslSelectChannelConnector;
/**
* Avoid SSL V3.0 "Poodle" Vulnerability - CVE-2014-3566
*/
public class SslSelectChannelConnectorSecure extends SslSelectChannelConnector {
@Override
protected SSLEngine createSSLEngine() throws IOException {
SSLEngine sslEngine = super.createSSLEngine();
ArrayList<String> secureProtocols = new ArrayList<String>();
for (String p : sslEngine.getEnabledProtocols()) {
if (!p.contains("SSLv3")) {
secureProtocols.add(p);
}
}
sslEngine.setEnabledProtocols(secureProtocols.toArray(new String[secureProtocols.size()]));
return sslEngine;
}
}

View File

@ -80,6 +80,7 @@ import org.apache.hadoop.hbase.filter.Filter;
import org.apache.hadoop.hbase.filter.ParseFilter;
import org.apache.hadoop.hbase.filter.PrefixFilter;
import org.apache.hadoop.hbase.filter.WhileMatchFilter;
import org.apache.hadoop.hbase.jetty.SslSelectChannelConnectorSecure;
import org.apache.hadoop.hbase.security.SecurityUtil;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.thrift.CallQueue.Call;
@ -125,7 +126,6 @@ import org.apache.thrift.transport.TTransportFactory;
import org.mortbay.jetty.Connector;
import org.mortbay.jetty.Server;
import org.mortbay.jetty.nio.SelectChannelConnector;
import org.mortbay.jetty.security.SslSelectChannelConnector;
import org.mortbay.jetty.servlet.Context;
import org.mortbay.jetty.servlet.ServletHolder;
import org.mortbay.thread.QueuedThreadPool;
@ -404,7 +404,7 @@ public class ThriftServerRunner implements Runnable {
// set up Jetty and run the embedded server
Connector connector = new SelectChannelConnector();
if(conf.getBoolean(THRIFT_SSL_ENABLED, false)) {
SslSelectChannelConnector sslConnector = new SslSelectChannelConnector();
SslSelectChannelConnectorSecure sslConnector = new SslSelectChannelConnectorSecure();
String keystore = conf.get(THRIFT_SSL_KEYSTORE_STORE);
String password = HBaseConfiguration.getPassword(conf,
THRIFT_SSL_KEYSTORE_PASSWORD, null);