[ https://issues.apache.org/jira/browse/HADOOP-15169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16949694#comment-16949694 ]

Xiaoyu Yao commented on HADOOP-15169:
-------------------------------------

Thanks [~brahmareddy] and [~weichiu] for the patch. It looks good to me overall.

I just have one suggestion w.r.t. the handling of the excluded protocols. By 
default, SslContextFactory sets the following ("SSL", "SSLv2", "SSLv2Hello", 
"SSLv3") as the excluded protocols. 

Instead of always resetting the excluded protocols to empty, we should remove only 
those contained in the enabledProtocols from the excluded protocols. This way, 
we don't allow weak protocols not in the enabled list.

Please also add a test case to ensure that if the user adds SSLv2Hello to the included 
protocols, SSL/SSLv2/SSLv3 should not be allowed.

 

 

> "hadoop.ssl.enabled.protocols" should be considered in httpserver2
> ------------------------------------------------------------------
>
>                 Key: HADOOP-15169
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15169
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Brahma Reddy Battula
>            Assignee: Brahma Reddy Battula
>            Priority: Major
>         Attachments: HADOOP-15169-branch-2.patch, HADOOP-15169.002.patch, 
> HADOOP-15169.patch
>
>
> As of now *"hadoop.ssl.enabled.protocols"* will not take effect for all the 
> http servers (only the Datanode http server will use this config).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
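
The suggestion in the comment above, sketched as an added example (this is not code from the HADOOP-15169 patch): start from the default exclusion list quoted in the comment and remove only the protocols that were explicitly enabled. The class name, method names and the sample config value are hypothetical and constructed for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class ExcludedProtocolsExample {
    // Default exclusions as quoted in the comment above.
    static final String[] DEFAULT_EXCLUDED = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"};

    /** Parse a comma-separated protocol list, tolerating spaces and empty items. */
    static Set<String> parseEnabled(String csv) {
        Set<String> enabled = new LinkedHashSet<>();
        for (String item : csv.split(",")) {
            String name = item.trim();
            if (!name.isEmpty()) {
                enabled.add(name); // protocol names are compared case-sensitively
            }
        }
        return enabled;
    }

    /** Keep every current exclusion except the protocols that are explicitly enabled. */
    static String[] remainingExcluded(String[] currentExcluded, Set<String> enabled) {
        Set<String> excluded = new LinkedHashSet<>(Arrays.asList(currentExcluded));
        excluded.removeAll(enabled);
        return excluded.toArray(new String[0]);
    }

    public static void main(String[] args) {
        // Constructed sample value for hadoop.ssl.enabled.protocols.
        Set<String> enabled = parseEnabled("TLSv1.2, SSLv2Hello");
        String[] excluded = remainingExcluded(DEFAULT_EXCLUDED, enabled);
        // In a server this array would be handed to
        // SslContextFactory.setExcludeProtocols(...) instead of an empty array.
        System.out.println("enabled:  " + enabled);
        System.out.println("excluded: " + Arrays.toString(excluded));

        // The check the comment asks for: enabling SSLv2Hello must not
        // re-allow SSL, SSLv2 or SSLv3.
        List<String> result = Arrays.asList(excluded);
        for (String weak : new String[] {"SSL", "SSLv2", "SSLv3"}) {
            if (!result.contains(weak)) {
                throw new AssertionError(weak + " is no longer excluded");
            }
        }
        if (result.contains("SSLv2Hello")) {
            throw new AssertionError("SSLv2Hello was enabled but is still excluded");
        }
    }
}
```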
