[
https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196454#comment-14196454
]
Mike Yoder commented on HADOOP-11260:
-------------------------------------
Ah, well there's my answer. The docs for SSLContext say
{quote}
Every implementation of the Java platform is required to support the following
standard SSLContext protocol: TLSv1
{quote}
And all of the SSLContext algorithms at
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
say "may support other versions".
In SSLFactory's init(), if I explicitly set the enabled protocols to "SSLv3"
the internal default client protocol list still has "TLSv1" in it. Looks like
it's possible to remove SSLv3, but not possible to remove TLSv1. So nope, no
easy way to test.
> Patch up Jetty to disable SSLv3
> -------------------------------
>
> Key: HADOOP-11260
> URL: https://issues.apache.org/jira/browse/HADOOP-11260
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.5.1
> Reporter: Karthik Kambatla
> Assignee: Mike Yoder
> Priority: Blocker
> Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch
>
>
> Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
