HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha)
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/dbf30e3c Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/dbf30e3c Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/dbf30e3c Branch: refs/heads/HDFS-EC Commit: dbf30e3c0e1522e6588aecac71c990c0b01fd8fb Parents: 5bd3a56 Author: Karthik Kambatla <ka...@apache.org> Authored: Tue Nov 4 16:18:24 2014 -0800 Committer: Karthik Kambatla <ka...@apache.org> Committed: Tue Nov 4 16:18:24 2014 -0800 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/CHANGES.txt | 2 + .../org/apache/hadoop/http/HttpServer2.java | 3 +- .../security/ssl/SslSocketConnectorSecure.java | 58 ++++++++++++++++++++ .../hadoop/crypto/key/kms/server/MiniKMS.java | 5 +- .../org/apache/hadoop/test/TestJettyHelper.java | 3 +- 5 files changed, 67 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/dbf30e3c/hadoop-common-project/hadoop-common/CHANGES.txt ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index ede1148..7f01207 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -1056,6 +1056,8 @@ Release 2.6.0 - UNRELEASED HADOOP-11241. Fixed intermittent TestNMSimulator failure due to timing issue. (Varun Vasudev via zjshen) + HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha) + Release 2.5.1 - 2014-09-05 INCOMPATIBLE CHANGES http://git-wip-us.apache.org/repos/asf/hadoop/blob/dbf30e3c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java ---------------------------------------------------------------------- 
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
index 8aa777b..168fd77 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java
@@ -53,6 +53,7 @@ import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.conf.ConfServlet;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
 import org.apache.hadoop.jmx.JMXJsonServlet;
 import org.apache.hadoop.log.LogLevel;
 import org.apache.hadoop.metrics.MetricsServlet;
@@ -306,7 +307,7 @@ public final class HttpServer2 implements FilterContainer {
 if ("http".equals(scheme)) {
 listener = HttpServer2.createDefaultChannelConnector();
 } else if ("https".equals(scheme)) {
- SslSocketConnector c = new SslSocketConnector();
+ SslSocketConnector c = new SslSocketConnectorSecure();
 c.setNeedClientAuth(needsClientAuth);
 c.setKeyPassword(keyPassword);
http://git-wip-us.apache.org/repos/asf/hadoop/blob/dbf30e3c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java
new file mode 100644
index 0000000..52ab7ad
--- /dev/null
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java
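Review bot: The added import in the first hunk of HttpServer2.java is placed between `org.apache.hadoop.fs.CommonConfigurationKeys` and `org.apache.hadoop.jmx.JMXJsonServlet`, which breaks the alphabetical order the surrounding `org.apache.hadoop.*` block keeps; `import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;` belongs after the `org.apache.hadoop.metrics.MetricsServlet` line (the rest of that import block is outside the hunk). Keeping `c` declared as the Jetty base type in the second hunk is fine, since the setter calls that follow need nothing from the subclass.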
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.security.ssl;
+
+import org.mortbay.jetty.security.SslSocketConnector;
+
+import javax.net.ssl.SSLServerSocket;
+import java.io.IOException;
+import java.net.ServerSocket;
+import java.util.ArrayList;
+
+/**
+ * This subclass of the Jetty SslSocketConnector exists solely to control
+ * the TLS protocol versions allowed. This is fallout from the POODLE
+ * vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
+ * Only TLS 1.0 and later protocols are allowed.
+ */
+public class SslSocketConnectorSecure extends SslSocketConnector {
+
+ public SslSocketConnectorSecure() {
+ super();
+ }
+
+ /**
+ * Create a new ServerSocket that will not accept SSLv3 connections,
+ * but will accept TLSv1.x connections.
+ */
+ protected ServerSocket newServerSocket(String host, int port,int backlog)
+ throws IOException {
+ SSLServerSocket socket = (SSLServerSocket)
+ super.newServerSocket(host, port, backlog);
+ ArrayList<String> nonSSLProtocols = new ArrayList<String>();
+ for (String p : socket.getEnabledProtocols()) {
+ if (!p.contains("SSLv3")) {
+ nonSSLProtocols.add(p);
+ }
+ }
+ socket.setEnabledProtocols(nonSSLProtocols.toArray(
+ new String[nonSSLProtocols.size()]));
+ return socket;
+ }
+}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/dbf30e3c/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
index 51cc026..4f802cc 100644
--- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
+++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java
@@ -22,6 +22,7 @@ import org.apache.commons.io.IOUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
 import org.mortbay.jetty.Connector;
 import org.mortbay.jetty.Server;
 import org.mortbay.jetty.security.SslSocketConnector;
@@ -56,7 +57,7 @@ public class MiniKMS {
 server.getConnectors()[0].setHost(host);
 server.getConnectors()[0].setPort(port);
 } else {
- SslSocketConnector c = new SslSocketConnector();
+ SslSocketConnector c = new SslSocketConnectorSecure();
 c.setHost(host);
 c.setPort(port);
 c.setNeedClientAuth(false);
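Review bot: The loop in `newServerSocket` is a blocklist on the substring `SSLv3`, so every other name the JSSE provider enables by default is kept — on JDK 7/8 server sockets that typically includes the `SSLv2Hello` pseudo-protocol — which is weaker than the class Javadoc's "Only TLS 1.0 and later protocols are allowed." An allowlist states that intent directly and still holds when a provider adds another legacy name: `if (p.startsWith("TLS")) { nonSSLProtocols.add(p); }` (and rename the list to `tlsProtocols`); if SSLv2Hello has to stay for old clients, keep it there explicitly rather than by omission. The accepted set is also hard-coded, so tightening it later (TLSv1.2 only, say) means another code change; a setter on this class, plumbed through HttpServer2 next to `needsClientAuth` and `keyPassword`, would make that a configuration matter. Minor: the override lacks `@Override`, and the unguarded `(SSLServerSocket)` cast of `super.newServerSocket(...)` is fine only as long as the Jetty base class is known to return an SSL socket. This covers just the Jetty listeners swapped in this commit; any other TLS endpoints in the tree are untouched by it.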
@@ -74,7 +75,7 @@ public class MiniKMS {
 private static URL getJettyURL(Server server) {
 boolean ssl = server.getConnectors()[0].getClass()
- == SslSocketConnector.class;
+ == SslSocketConnectorSecure.class;
 try {
 String scheme = (ssl) ? "https" : "http";
 return new URL(scheme + "://" +
http://git-wip-us.apache.org/repos/asf/hadoop/blob/dbf30e3c/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java
----------------------------------------------------------------------
diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java
index 5dd6124..50b4327 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java
@@ -24,6 +24,7 @@ import java.net.ServerSocket;
 import java.net.URL;
 import java.net.UnknownHostException;
+import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
 import org.junit.Test;
 import org.junit.rules.MethodRule;
 import org.junit.runners.model.FrameworkMethod;
@@ -92,7 +93,7 @@ public class TestJettyHelper implements MethodRule {
 server.getConnectors()[0].setHost(host);
 server.getConnectors()[0].setPort(port);
 } else {
- SslSocketConnector c = new SslSocketConnector();
+ SslSocketConnector c = new SslSocketConnectorSecure();
 c.setHost(host);
 c.setPort(port);
 c.setNeedClientAuth(false);
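Review bot: `getJettyURL` in MiniKMS decides between https and http with an exact class-identity test, `getClass() == SslSocketConnectorSecure.class`, which is the only reason this helper needed touching and will silently fall back to `http` the next time the connector is subclassed or swapped again. An `instanceof` test against the Jetty base type survives both cases and would have left this hunk unchanged: `boolean ssl = server.getConnectors()[0] instanceof SslSocketConnector;`. The body of `getJettyURL` continues past the end of the hunk.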