[ 
https://issues.apache.org/jira/browse/HADOOP-12668?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vijay Singh updated HADOOP-12668:
---------------------------------
    Attachment: Hadoop-12668.008.patch

This patch file introduces the JUnit test case to test excluded ciphers. This is 
done by using a delegation-based subclass of SSLSocketFactory and overriding the 
createSocket method to only support disabled algorithms on the client. When 
this new subclass, called PrefferedCipherSSLSocketFactory, is passed to 
clientSSLFactory, we encounter an SSLHandshakeException. This validates the unit 
test case: we catch the exception and pass the changed flag to the assert method.

Please provide additional suggestions if any.

> Modify HDFS embedded jetty server logic in HttpServer2.java to exclude weak 
> Ciphers through ssl-server.conf
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-12668
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12668
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.7.1
>            Reporter: Vijay Singh
>            Assignee: Vijay Singh
>            Priority: Critical
>              Labels: common, ha, hadoop, hdfs, security
>         Attachments: Hadoop-12668.006.patch, Hadoop-12668.007.patch, 
> Hadoop-12668.008.patch, test.log
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Currently, the embedded Jetty server used across all Hadoop services is configured 
> through the ssl-server.xml file from their respective configuration sections. 
> However, the SSL/TLS protocol being used for these Jetty servers can be 
> downgraded to weak cipher suites. This code change aims to add the following 
> functionality:
> 1) Add logic in hadoop common (HttpServer2.java and associated interfaces) to 
> spawn Jetty servers with the ability to exclude weak cipher suites. I propose we 
> make this through ssl-server.xml, and hence each service can choose to disable 
> specific ciphers.
> 2) Modify DFSUtil.java used by HDFS code to supply the new parameter 
> ssl.server.exclude.cipher.list for hadoop-common code, so it can exclude the 
> ciphers supplied through this key.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
