[ 
https://issues.apache.org/jira/browse/HADOOP-11218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14940792#comment-14940792
 ] 

Vijay Singh commented on HADOOP-11218:
--------------------------------------

The code snippet changes for kms will be required on line 73 of file 
/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml.conf. The code 
changes are as follows:
{code:xml}
<Connector port="${kms.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="${kms.max.threads}" scheme="https" secure="true"
               clientAuth="false" 
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
               truststorePass="_kms_ssl_truststore_pass_"
               keystoreFile="${kms.ssl.keystore.file}"
               keystorePass="_kms_ssl_keystore_pass_"/>
{code}

Please see the excerpts from test log.
{noformat}
[root@vjs-kms ~]# diff 
/opt/myclient/hadoop-kms/tomcat-conf.https/conf/server.xml 
/opt/myclient/hadoop-kms/tomcat-conf.https/conf/server_tls1.xml 
73c73
<                clientAuth="false" 
sslEnabledProtocols=“TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
---
>                clientAuth="false" sslEnabledProtocols="TLSv1,SSLv2Hello"

[root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000  -tls1 
-CAfile /opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | 
grep Renegotiation
depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = 
vjs-kms.vpc.myclient.com
verify return:1

Secure Renegotiation IS supported

[root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000  
-tls1_1 -CAfile 
/opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i 
Renegotiation
depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = 
vjs-kms.vpc.myclient.com
verify return:1

Secure Renegotiation IS supported

[root@vjkc ~]# openssl s_client -connect vjs-kms.vpc.myclient.com:16000  
-tls1_2 -CAfile 
/opt/myclient/security/setup/ca-certs/VIJAY-WIN-HEN9IV5CAGA-CA.pem | grep -i 
Renegotiation
depth=1 DC = FCE, DC = SINGH, DC = VIJAY, CN = VIJAY-WIN-HEN9IV5CAGA-CA
verify return:1
depth=0 C = US, ST = Illinois, L = Chicago, O = myclient, OU = EDHCLUSTER, CN = 
vjs-kms.vpc.myclient.com
verify return:1

Secure Renegotiation IS supported
{noformat}

Please review my proposed changes and suggest any feedback. I will work on the 
patch for submission in the meantime.
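A shell probe, added here as an example and not part of the comment above or of the Hadoop project, that automates the per-version openssl s_client checks shown in the test log; the host, port and CA file path are assumptions copied from that log and should be replaced for your own cluster.

```shell
#!/bin/sh
# Added example: probe which TLS protocol versions a KMS HTTPS endpoint accepts.
# It applies the same "Secure Renegotiation" grep the test log above relies on,
# once per protocol flag, so a version that is still enabled in the Tomcat
# Connector (e.g. TLSv1) shows up as "accepted".

# Decide from one s_client run whether the handshake for that version succeeded.
# A completed handshake prints "Secure Renegotiation IS supported"; a refused
# version prints "Secure Renegotiation IS NOT supported" (or an alert), which
# this pattern deliberately does not match.
handshake_ok() {
    printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS supported'
}

# Run s_client with each version flag and report accepted/refused per version.
# Usage (assumed values from the log): probe_tls vjs-kms.vpc.myclient.com 16000 /opt/myclient/security/setup/ca-certs/CA.pem
probe_tls() {
    host="$1"; port="$2"; cafile="$3"
    for flag in -tls1 -tls1_1 -tls1_2; do
        # </dev/null closes the client side so s_client exits after the handshake
        out=$(openssl s_client -connect "${host}:${port}" "$flag" \
              -CAfile "$cafile" </dev/null 2>&1)
        if handshake_ok "$out"; then
            printf '%s: accepted\n' "$flag"
        else
            printf '%s: refused\n' "$flag"
        fi
    done
}
```

With the Connector still listing TLSv1, all three flags report "accepted"; after removing TLSv1 from sslEnabledProtocols, the -tls1 line should flip to "refused".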


> Add TLSv1.1,TLSv1.2 to KMS, HttpFS, SSLFactory
> ----------------------------------------------
>
>                 Key: HADOOP-11218
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11218
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.7.0
>            Reporter: Robert Kanter
>            Priority: Critical
>
> HADOOP-11217 required us to specifically list the versions of TLS that KMS 
> supports. With Hadoop 2.7 dropping support for Java 6 and Java 7 supporting 
> TLSv1.1 and TLSv1.2, we should add them to the list.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
