[ 
https://issues.apache.org/jira/browse/HADOOP-19546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17945460#comment-17945460
 ] 

ASF GitHub Bot commented on HADOOP-19546:
-----------------------------------------

jojochuang commented on code in PR #7629:
URL: https://github.com/apache/hadoop/pull/7629#discussion_r2049345393


##########
hadoop-common-project/hadoop-common/src/main/conf/ssl-server.xml.example:
##########
@@ -85,4 +85,32 @@
   from SSL communication.</description>
 </property>
 
+<property>
+  <name>ssl.server.include.cipher.list</name>
+  <value>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+  TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+  TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
+  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+  TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+  TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+  TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
+  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+  TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
+  TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
+  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+  TLS_EMPTY_RENEGOTIATION_INFO_SCSV</value>
+  <description>Optional. If the inclusion list is populated,
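Review bot: the description at the end of this hunk is cut off in the snippet, but the text that ships in the example should spell out the two rules the issue states rather than leave them to the reader: a suite that appears on both `ssl.server.include.cipher.list` and `ssl.server.exclude.cipher.list` is excluded, and since this file feeds both HttpServer2 and SSLFactory, whether an entry may be a regex pattern (the issue notes SSLFactory matches exact names only). Since the value wraps across lines with leading whitespace, it is also worth confirming the loader trims each entry; otherwise the wrapped entries silently fail to match. Two points on the value itself: `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` is the secure-renegotiation signalling value (RFC 5746), not a cipher, so listing it in an include list is harmless but misleading in a file people copy verbatim; and because this example will be copied, the static-RSA (`TLS_RSA_*`) and CBC suites sitting next to the ECDHE/GCM ones deserve a one-line note that the list is illustrative rather than a recommended hardening baseline.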

Review Comment:
   Could you explain how the include list works with the exclude list? Like, can both 
of them be specified at the same time, and if so, which one takes precedence?

> Include cipher feature for HttpServer2 and SSLFactory
> -----------------------------------------------------
>
>                 Key: HADOOP-19546
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19546
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: hadoop-common, hdfs, yarn
>    Affects Versions: 3.4.1
>            Reporter: Bence Kosztolnik
>            Assignee: Bence Kosztolnik
>            Priority: Major
>              Labels: pull-request-available
>
> Currently, we have a feature to exclude weak ciphers from *HttpServer2* and 
> *SSLFactory* using the *ssl.server.exclude.cipher.list property*. 
> With this feature, we can also define an inclusion list of ciphers using the 
> *ssl.server.include.cipher.list property*. 
> If the inclusion list is populated, any cipher not present in the list will 
> not be allowed. 
> If a cipher is present in both the exclusion and inclusion lists, it will be 
> excluded.
> Note that SSLFactory does not support regex-based cipher patterns, unlike 
> HttpServer2.
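The filtering rules quoted above (a populated include list is an allow-list, the exclude list always wins when a suite is on both, and only HttpServer2 treats entries as patterns) are small enough to model end to end. The following is an added example written for this page; it is not Hadoop's own code, and the `SUPPORTED_SUITES` list, the wrapped `INCLUDE_EXAMPLE` value, the full-match regex semantics and the `flag_legacy_suites` heuristic are all assumptions made for illustration.

```python
import re

# Constructed sample of suites a JVM might report as supported; this is not a
# real JSSE list.  TLS_RSA_WITH_RC4_128_SHA is deliberately left off the
# include list below so the include filter has something to drop.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# A constructed include list in the same shape as the ssl-server.xml.example
# value: comma separated and wrapped across lines with leading whitespace.
INCLUDE_EXAMPLE = """TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV"""


def parse_cipher_list(value):
    """Split a comma-separated list and trim each entry.

    The wrapped example value carries newlines and indentation around the
    entries, so trimming is what keeps those entries matchable."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def filter_cipher_suites(supported, include_list="", exclude_list="", regex=False):
    """Model of the precedence rules described in HADOOP-19546.

    - If the include list is populated, a suite must be on it to survive.
    - A suite on both lists is excluded: the exclude list always wins.
    - regex=True treats entries as full-match regular expressions (the
      HttpServer2 behaviour the issue mentions); regex=False is exact-name
      matching (the SSLFactory behaviour).  Illustrative model only, not
      Hadoop's implementation.
    """
    include = parse_cipher_list(include_list)
    exclude = parse_cipher_list(exclude_list)

    def matches(name, patterns):
        if regex:
            return any(re.fullmatch(p, name) for p in patterns)
        return name in patterns

    enabled = []
    for suite in supported:
        if include and not matches(suite, include):
            continue  # not on a populated include list
        if matches(suite, exclude):
            continue  # excluded, even though it is also included
        enabled.append(suite)
    return enabled


def flag_legacy_suites(suites):
    """Return the enabled suites a reviewer would look at twice: static-RSA
    key exchange (no forward secrecy) and CBC-mode ciphers.  Name-based
    heuristic only; the SCSV signalling value is not a cipher and is skipped."""
    flagged = []
    for s in suites:
        if s.endswith("_SCSV"):
            continue
        if s.startswith("TLS_RSA_WITH_") or "_CBC_" in s:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    # Include list only: RC4 is dropped because it is not on the list.
    print(filter_cipher_suites(SUPPORTED_SUITES, INCLUDE_EXAMPLE))
    # Same suite on both lists: it is excluded.
    print(filter_cipher_suites(SUPPORTED_SUITES, INCLUDE_EXAMPLE,
                               "TLS_RSA_WITH_AES_256_CBC_SHA"))
    # A pattern exclude works in regex mode but matches nothing in exact mode.
    print(filter_cipher_suites(SUPPORTED_SUITES, INCLUDE_EXAMPLE,
                               ".*_CBC_.*", regex=True))
    print(filter_cipher_suites(SUPPORTED_SUITES, INCLUDE_EXAMPLE,
                               ".*_CBC_.*", regex=False))
    # What survives the example include list that still deserves a look.
    print(flag_legacy_suites(filter_cipher_suites(SUPPORTED_SUITES, INCLUDE_EXAMPLE)))
```

The last two `filter_cipher_suites` calls make the regex caveat concrete: the same `.*_CBC_.*` exclude entry removes both CBC suites under pattern matching but removes nothing under exact matching, which is the behaviour difference between HttpServer2 and SSLFactory that the issue warns about.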



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
