Steve Loughran created HADOOP-19260:
---------------------------------------
Summary: removal of gcm TLS cyphers blocking abfs access "No negotiable cipher suite"
Key: HADOOP-19260
URL: https://issues.apache.org/jira/browse/HADOOP-19260
Project: Hadoop Common
Issue Type: Bug
Components: common, fs/azure
Affects Versions: 3.4.0
Reporter: Steve Loughran

We've seen instances of client-abfs TLS negotiation failing with "No negotiable
cipher suite". This can be fixed by switching to using "Default_JSSE_with_GCM"
as the SSL options.
However, DelegatingSSLSocketFactory "Default" attempts OpenSSL, falling back to
{code}
Default indicates Ordered, preferred OpenSSL, if failed to load then fall
back to Default_JSSE
{code}
And "Default_JSSE is not truly the default JSSE implementation because
the GCM cipher is disabled when running on Java "
What does that mean? It means that the "Default" TLS option of "try
openssl and fall back to java" doesn't ever turn on gcm encryption.
Proposed:
* "Default" falls back to GCM
* add an option {{Default_JSSE_No_GCM}}
Once we move off java8, turning off GCM is no longer needed for performance,
hopefully (benchmarks would be good here).
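A diagnostic for the failure described in the issue, added here as an example and not taken from Hadoop or the reporter: it lists the JVM's default JSSE cipher suites, drops the GCM ones, and checks each list against a server policy. The class name `GcmCipherCheck`, the `_GCM_` substring match used to model "GCM disabled", and the server policy list are assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;

public class GcmCipherCheck {
    // Assumption: "GCM disabled" is modelled as dropping every suite
    // whose name contains "_GCM_" (this also removes TLS 1.3 AES suites).
    static List<String> withoutGcm(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> !s.contains("_GCM_"))
                .collect(Collectors.toList());
    }

    // Suites the client offers that the server policy also accepts,
    // in client preference order.
    static List<String> overlap(List<String> client, Set<String> server) {
        return client.stream().filter(server::contains).collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a server policy that accepts only AES-GCM suites.
        Set<String> serverPolicy = new LinkedHashSet<>(Arrays.asList(
                "TLS_AES_256_GCM_SHA384",
                "TLS_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));

        String[] jvmDefault =
                SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        List<String> withGcm = Arrays.asList(jvmDefault);
        List<String> noGcm = withoutGcm(jvmDefault);

        System.out.println("java.version            = " + System.getProperty("java.version"));
        System.out.println("JSSE default suites     = " + withGcm.size());
        System.out.println("suites left without GCM = " + noGcm.size());
        System.out.println("overlap, GCM enabled    = " + overlap(withGcm, serverPolicy));
        List<String> common = overlap(noGcm, serverPolicy);
        System.out.println("overlap, GCM disabled   = " + common);
        if (common.isEmpty()) {
            System.out.println("=> no cipher suite in common; the handshake cannot complete");
        }
    }
}
```

Run it on the same JVM as the client. An empty overlap with GCM disabled and a non-empty one with GCM enabled matches the case where switching the ABFS `fs.azure.ssl.channel.mode` setting to `Default_JSSE_with_GCM` resolves the failure.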