[ 
https://issues.apache.org/jira/browse/HADOOP-11218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14940781#comment-14940781
 ] 

Vijay Singh commented on HADOOP-11218:
--------------------------------------

I posted an approach for enabling TLSv1.1 and TLSv1.2 for the HttpFS service in 
the duplicate ticket. The reason our customers want TLS1.2 is that current 
RHEL7 and Ubuntu based HDFS client gateways, when used with curl, can enforce 
which TLS level to use. The security teams want applications using curl to 
enforce TLSv1.2; however, in the absence of server support it's not feasible. 
Regardless, once we allow TLSv1, TLSv1.1, TLSv1.2 options as part of the server 
config, the server can choose the highest level of support for TLS available and 
may or may not honor the client request. But at least the client application can 
downgrade or choose not to use TLSv1. Since we support JDK7, I propose that we 
add support for TLSv1.1 and TLSv1.2 for KMS and HttpFS services at least using 
SSLFactory.
Please find the code snippet for the implemented changes.
{code:xml}
     <Connector port="${httpfs.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
               keystoreFile="${httpfs.ssl.keystore.file}"
               keystorePass="_httpfs_ssl_keystore_pass_"/>
{code}

Changes include the addition of TLSv1.1,TLSv1.2 to the sslEnabledProtocols XML 
attribute on line 73 of file 
hadoop/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf

> Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory
> ----------------------------------------------
>
>                 Key: HADOOP-11218
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11218
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.7.0
>            Reporter: Robert Kanter
>            Priority: Critical
>
> HADOOP-11217 required us to specifically list the versions of TLS that KMS 
> supports. With Hadoop 2.7 dropping support for Java 6 and Java 7 supporting 
> TLSv1.1 and TLSv1.2, we should add them to the list.
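
An added example, not part of the JIRA comment or the Hadoop code base: a Python check that reads a Tomcat connector file like the one quoted above and reports, for each SSL-enabled connector, whether TLSv1.2 is listed in sslEnabledProtocols and which lower entries remain enabled. The sample XML, the ports 14001 and 14002, the function name audit_connectors and the version ordering are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first connector mirrors the one in the comment,
# the other two are made up to show the failing and skipped cases.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="${httpfs.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"/>
  <Connector port="14001" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" sslEnabledProtocols="TLSv1"/>
  <Connector port="14002" protocol="HTTP/1.1"/>
</Service></Server>"""

# Assumed ranking, lowest first. SSLv2Hello is a hello format rather than a
# protocol version, but it is listed so that it shows up in the report.
ORDER = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def audit_connectors(xml_text, required="TLSv1.2"):
    """Return one finding per SSL-enabled <Connector> in a Tomcat config."""
    lower = ORDER[:ORDER.index(required)]
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        raw = conn.get("sslEnabledProtocols")
        protocols = [p.strip() for p in (raw or "").split(",") if p.strip()]
        findings.append({
            "port": conn.get("port"),
            # False means the attribute is absent, so the file alone does
            # not say which versions the connector offers.
            "explicit_list": raw is not None,
            "offers_required": required in protocols,
            "below_required": [p for p in lower if p in protocols],
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE):
        status = "ok" if f["offers_required"] else "MISSING TLSv1.2"
        print(f["port"], status, "also enabled:", f["below_required"])
```

A connector reported as missing TLSv1.2 is the case the comment describes: a client told to enforce that version has nothing to negotiate with.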


