[ https://issues.apache.org/jira/browse/HADOOP-11218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14940792#comment-14940792 ]

Vijay Singh commented on HADOOP-11218:
--------------------------------------

The code snippet changes for KMS will be required on line 73 of file /hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf. The code changes are as follows:

{code:xml}
<Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="${kms.max.threads}"
           scheme="https" secure="true" clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
           truststorePass="_kms_ssl_truststore_pass_"
           keystoreFile="${kms.ssl.keystore.file}"
           keystorePass="_kms_ssl_keystore_pass_"/>
{code}

Please see the excerpts from the test log.

{noformat}
[root@vjs-kms ~]# diff /opt/myclient/hadoop-kms/tomcat-conf.https/conf/server.xml /opt/myclient/hadoop-kms/tomcat-conf.https/conf/server_tls1.xml
73c73
<            clientAuth="false" sslEnabledProtocols=“TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
---
>            clientAuth="false" sslEnabledProtocols="TLSv1,SSLv2Hello"
[root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000 -tls1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep Renegotiation
depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com
verify return:1
Secure Renegotiation IS supported
[root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000 -tls1_1 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation
depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com
verify return:1
Secure Renegotiation IS supported
[root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000 -tls1_2 -CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i Renegotiation
depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = vjs-kms.vpc.myclient.com
verify return:1
Secure Renegotiation IS supported
{noformat}

Please review my proposed changes and suggest any feedback. I will work on the patch for submission in the meantime.

> Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory
> ----------------------------------------------
>
>                 Key: HADOOP-11218
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11218
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.7.0
>            Reporter: Robert Kanter
>            Priority: Critical
>
> HADOOP-11217 required us to specifically list the versions of TLS that KMS
> supports. With Hadoop 2.7 dropping support for Java 6 and Java 7 supporting
> TLSv1.1 and TLSv1.2, we should add them to the list.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
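Review bot: the `<` side of the 73c73 hunk has a Unicode left quote in `sslEnabledProtocols=“TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"` rather than an ASCII `"`; that is not a valid XML attribute delimiter, so if the character is really present in server.xml Tomcat will refuse to parse the file, and it is worth confirming it is a paste artefact of the log rather than the deployed config. The log also does not say which of the two files (server.xml or server_tls1.xml) the three s_client runs were made against; since `-tls1`, `-tls1_1` and `-tls1_2` each force a single version, a printed "Secure Renegotiation" line does show the forced version was accepted, but a negative run (for example `-tls1_2` against the `TLSv1,SSLv2Hello` configuration, which should fail) would complete the evidence that the attribute is what controls the accepted versions.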
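As an added check that is not part of the JIRA comment or of the Hadoop project's code: a small Python audit of a Tomcat `Connector` element's `sslEnabledProtocols` attribute. It parses the connector as XML (so a stray smart quote like the one in the diff above is reported instead of silently passing), requires TLSv1.1 and TLSv1.2 to be listed, and flags SSLv2/SSLv3 if they appear. The sample connectors are constructed here, modelled on the snippet in the comment; the required/forbidden sets are this example's own policy, and SSLv2Hello is deliberately not flagged because it is a ClientHello format, not a protocol version.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the Connector in the JIRA comment (not the
# project's own files). The ${...} placeholders are kept as literal attribute text.
ENABLED_ALL_TLS = """<Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="${kms.max.threads}" scheme="https" secure="true" clientAuth="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
           truststorePass="_kms_ssl_truststore_pass_"
           keystoreFile="${kms.ssl.keystore.file}" keystorePass="_kms_ssl_keystore_pass_"/>"""

# The "server_tls1.xml" variant from the diff: TLSv1 only.
ENABLED_TLS1_ONLY = """<Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false"
           sslEnabledProtocols="TLSv1,SSLv2Hello"
           keystoreFile="${kms.ssl.keystore.file}" keystorePass="_kms_ssl_keystore_pass_"/>"""

# Constructed weak case (not from the page): SSLv3 left in the list.
ENABLED_WITH_SSLV3 = """<Connector SSLEnabled="true" scheme="https" secure="true"
           sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>"""

# A Unicode left quote (U+201C) as the attribute delimiter, as on the "<" side of
# the diff: this is not well-formed XML and Tomcat would not parse it either.
BROKEN_QUOTE = """<Connector SSLEnabled="true" clientAuth="false"
           sslEnabledProtocols=\u201cTLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"/>"""

REQUIRED = {"TLSv1.1", "TLSv1.2"}   # policy of this example, per the JIRA title
FORBIDDEN = {"SSLv2", "SSLv3"}      # policy of this example; SSLv2Hello is not a version


def enabled_protocols(connector_xml):
    """Return the comma-separated sslEnabledProtocols list as Python strings.

    Returns None when the XML is not well-formed and [] when SSL is not enabled
    on the connector (the attribute is then irrelevant).
    """
    try:
        elem = ET.fromstring(connector_xml)
    except ET.ParseError:
        return None
    if elem.get("SSLEnabled", "false").lower() != "true":
        return []
    raw = elem.get("sslEnabledProtocols", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def audit_connector(connector_xml):
    """Return a sorted list of findings; an empty list means the policy is met."""
    protos = enabled_protocols(connector_xml)
    if protos is None:
        return ["not well-formed XML (check the quoting of attribute values)"]
    present = set(protos)
    findings = [f"missing {p}" for p in sorted(REQUIRED - present)]
    findings += [f"insecure protocol enabled: {p}" for p in sorted(present & FORBIDDEN)]
    return findings


if __name__ == "__main__":
    for name, sample in [("all TLS", ENABLED_ALL_TLS), ("TLSv1 only", ENABLED_TLS1_ONLY),
                         ("with SSLv3", ENABLED_WITH_SSLV3), ("smart quote", BROKEN_QUOTE)]:
        print(f"{name}: {audit_connector(sample) or 'OK'}")
```

Run it against the `Connector` element cut out of a real `server.xml`; the parse step is the useful part, because a quoting mistake like the one in the diff would otherwise only surface when Tomcat fails to start.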