[ https://issues.apache.org/jira/browse/HADOOP-11218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14940781#comment-14940781 ]
Vijay Singh commented on HADOOP-11218:
--------------------------------------

I posted an approach for enabling TLSv1.1 and TLSv1.2 for the HttpFS service in the duplicate ticket. The reason for our customers to go for TLS 1.2 is that current RHEL7- and Ubuntu-based HDFS client gateways, when used with curl, can enforce which TLS level to use. The security teams want applications using curl to enforce TLSv1.2; however, in the absence of server support it's not feasible. Regardless, once we allow the TLSv1, TLSv1.1, TLSv1.2 options as part of the server config, the server can choose the highest level of TLS support available and may or may not honor the client request. But at least the client application can downgrade or choose not to use TLSv1. Since we support JDK7, I propose that we add support for TLSv1.1 and TLSv1.2 for the KMS and HttpFS services, at least using SSLFactory.

Please find the code snippet for the implemented changes.

{code:xml}
<Connector port="${httpfs.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
           keystoreFile="${httpfs.ssl.keystore.file}"
           keystorePass="_httpfs_ssl_keystore_pass_"/>
{code}

Changes include the addition of TLSv1.1,TLSv1.2 to the sslEnabledProtocols XML attribute on line 73 of file hadoop/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/main/tomcat/ssl-server.xml.conf

> Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory
> ----------------------------------------------
>
> Key: HADOOP-11218
> URL: https://issues.apache.org/jira/browse/HADOOP-11218
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.7.0
> Reporter: Robert Kanter
> Priority: Critical
>
> HADOOP-11217 required us to specifically list the versions of TLS that KMS
> supports. With Hadoop 2.7 dropping support for Java 6 and Java 7 supporting
> TLSv1.1 and TLSv1.2, we should add them to the list.
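As an added example (not code from the Hadoop project or from the commenter), the following Python script audits the `sslEnabledProtocols` attribute of an HTTPS `<Connector>` such as the one in the comment above, so an operator can confirm that TLSv1.1/TLSv1.2 are switched on and see which legacy protocol names are still enabled. The sample connector is a constructed copy of the snippet; the function name `audit_connector` and the report layout are this example's own choices.

```python
"""Audit the sslEnabledProtocols attribute of Tomcat HTTPS <Connector> elements."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the HttpFS ssl-server.xml.conf snippet in the comment.
# The ${...} tokens are Tomcat property placeholders and parse as plain attribute text.
SAMPLE_CONNECTOR = """
<Connector port="${httpfs.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
           keystoreFile="${httpfs.ssl.keystore.file}"
           keystorePass="_httpfs_ssl_keystore_pass_"/>
"""

# Protocol names as JSSE spells them. "SSLv2Hello" is not a record protocol; it only
# permits the SSLv2-format ClientHello, which current clients do not need.
MODERN = ("TLSv1.1", "TLSv1.2")
LEGACY = ("SSLv2Hello", "SSLv3", "TLSv1")


def audit_connector(xml_text):
    """Return one report dict per SSL-enabled <Connector> found in xml_text.

    Each report lists the enabled protocols, which of the JDK7-supported modern
    versions are absent, and which legacy names are still switched on. A
    connector without the attribute inherits the JVM default; it is reported
    with None values so the operator checks that default explicitly.
    """
    root = ET.fromstring("<root>" + xml_text + "</root>")
    reports = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to audit
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            reports.append({"port": conn.get("port"), "enabled": None,
                            "missing_modern": None, "legacy": None})
            continue
        enabled = [p.strip() for p in raw.split(",") if p.strip()]
        reports.append({
            "port": conn.get("port"),
            "enabled": enabled,
            "missing_modern": [p for p in MODERN if p not in enabled],
            "legacy": [p for p in LEGACY if p in enabled],
        })
    return reports


if __name__ == "__main__":
    for report in audit_connector(SAMPLE_CONNECTOR):
        print(report)
```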