Ahmed Hussein created HADOOP-17367:
--------------------------------------

Summary: Improve TLS/SSL default settings for security and performance
Key: HADOOP-17367
URL: https://issues.apache.org/jira/browse/HADOOP-17367
Project: Hadoop Common
Issue Type: Bug
Reporter: Ahmed Hussein
Assignee: Ahmed Hussein
[~kihwal] reported that {{HttpServer2}} is still accepting TLS 1.1 or 1.0. These are only rejected when the Java security setting excludes them. The expensive algorithms are still being used.

{code:bash}
main, WRITE: TLSv1.2 Handshake, length = 239
main, READ: TLSv1.2 Handshake, length = 1508
*** ServerHello, TLSv1.2
...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
{code}

SSLFactory calls {{sslEngine.setEnabledCipherSuites()}} to set enabled ciphers. Apparently this does not disable unincluded ciphers, so SSLFactory's cipher disabling feature does not work. Or it could be Jetty's undoing.

Jetty9 introduced SSLContextFactory. The following methods can be used:

{code:java}
setExcludeCipherSuites()
setExcludeProtocols()
setIncludeCipherSuites()
setIncludeProtocols()
{code}

SSLFactory is not used by HttpServer2. It is only used by {{DatanodeHttpServer}} and {{ShuffleHandler}}. The reloading feature is also broken for the same reason.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
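As an added example of the SslContextFactory approach named above (this is not Hadoop's or Jetty's own code), the following configures Jetty 9.4's SslContextFactory.Server so that TLS 1.0/1.1 and CBC suites cannot be negotiated, then verifies the result on a freshly created SSLEngine; the keystore path and password are placeholders.

```java
import java.util.Arrays;
import javax.net.ssl.SSLEngine;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Added example, not part of HttpServer2: strict TLS defaults via Jetty 9.4's
// SslContextFactory.Server. Keystore path and password below are placeholders.
public final class StrictTlsExample {

    static SslContextFactory.Server buildStrictFactory(String keyStorePath,
                                                       String keyStorePassword) throws Exception {
        SslContextFactory.Server factory = new SslContextFactory.Server();
        factory.setKeyStorePath(keyStorePath);
        factory.setKeyStorePassword(keyStorePassword);

        // Protocol allow-list: anything not listed is never negotiated, independent
        // of the JVM's jdk.tls.disabledAlgorithms. Jetty drops includes the JVM
        // does not support (TLSv1.3 needs JDK 11+), and excludes win over includes.
        factory.setIncludeProtocols("TLSv1.2", "TLSv1.3");
        factory.setExcludeProtocols("SSLv3", "TLSv1", "TLSv1.1");

        // Exclude entries are regexes: drop the CBC suites seen in the handshake
        // above plus the legacy suites Jetty already excludes by default.
        factory.setExcludeCipherSuites("^.*_CBC_.*$", "^TLS_RSA_.*$", "^SSL_.*$",
                                       "^.*_NULL_.*$", "^.*_anon_.*$");
        factory.setRenegotiationAllowed(false);
        factory.start(); // resolves include/exclude lists against the JVM's supported set
        return factory;
    }

    // Post-start check: the engine handed to each connection must enable neither
    // a legacy protocol nor a CBC suite, whatever the JVM defaults are.
    static boolean enginesAreStrict(SslContextFactory.Server factory) {
        SSLEngine engine = factory.newSSLEngine();
        boolean legacyProtocol = Arrays.stream(engine.getEnabledProtocols())
            .anyMatch(p -> p.equals("TLSv1") || p.equals("TLSv1.1") || p.equals("SSLv3"));
        boolean cbcSuite = Arrays.stream(engine.getEnabledCipherSuites())
            .anyMatch(c -> c.contains("_CBC_"));
        return !legacyProtocol && !cbcSuite;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder keystore values; replace with the real server keystore.
        SslContextFactory.Server factory = buildStrictFactory("/path/to/keystore.jks", "changeit");
        System.out.println("selected protocols: " + Arrays.toString(factory.getSelectedProtocols()));
        System.out.println("selected suites:    " + Arrays.toString(factory.getSelectedCipherSuites()));
        System.out.println("strict: " + enginesAreStrict(factory));
        factory.stop();
    }
}
```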