[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3

Mon, 03 Nov 2014 14:31:36 -0800 

    [ 
https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14195236#comment-14195236
 ] 

Mike Yoder commented on HADOOP-11260:
-------------------------------------

Whoa, this is weird.  The above all worked for me.  Suspect a Java 6 vs 7 
issue.  The failures look like

{quote}
Error Message

Received fatal alert: handshake_failure

Stacktrace

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
...
Standard Output

2014-11-03 20:46:49,082 WARN  mortbay.log (Slf4jLog.java:warn(89)) - EXCEPTION 
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
        at 
com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:580)
        at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:484)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
        at 
org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:708)
        at 
org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
{quote}

I found this

{quote}
Currently, the SSLv3 and TLSv1 protocols allow you to send SSLv3 and TLSv1 
  hellow encapsulated in an SSLv2 format hello. For more details on the
  reasons for allowing this compatibility in these protocols, see Appendix E
  in RFC 2246: The TLS Protocol Version 1.0.

  Note that some SSL/TLS servers do nto support the v2 hello format and require
  that client hellos conform to the SSLv3 or TLSv1 client hello formats.

  The SSLv2Hello option controls the SSLv2 encapsulation. For example, if
  SSLv2Hello is disabled on the client, then all outgoing messages will conform
  to the SSLv3/TLSv1 client hello format. If SSLv2Hello is disabled on the
  server, then all incoming messages must conform to the SSLv3/TLSv1 client
  hello format.
{quote}

at 
http://bugs.java.com/bugdatabase/view_bug.do;jsessionid=bb4fe7fdf770bffffffffd03f76261bba990?bug_id=4915862

Looks like sslv2hello is innocuous enough; I'll just exclude SSLv3 only and try 
again.
 

> Patch up Jetty to disable SSLv3
> -------------------------------
>
>                 Key: HADOOP-11260
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11260
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.5.1
>            Reporter: Karthik Kambatla
>            Assignee: Mike Yoder
>            Priority: Blocker
>         Attachments: HADOOP-11260.001.patch
>
>
> Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to