[
https://issues.apache.org/jira/browse/AMBARI-12393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14740905#comment-14740905
]
Greg Hill commented on AMBARI-12393:
------------------------------------
I didn't move the end quote in ambari-env.sh to cover the new setting.
/facepalm Testing it again now.
> Ambari Server is vulnerable to logjam
> -------------------------------------
>
> Key: AMBARI-12393
> URL: https://issues.apache.org/jira/browse/AMBARI-12393
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.1.0
> Environment: Red Hat Enterprise Linux Server release 6.6
> Reporter: Jeffrey E Rodriguez
> Priority: Critical
> Fix For: 2.1.2
>
>
> All Ambari servers running in Jetty server as well as the Ambari server
> itself are vulnerable to LogJam see details.
> https://weakdh.org/
> Test setting up Ambari SSL.
> 1. create certificate
> openssl genrsa -out $wserver.key 2048
> openssl req -new -key $wserver.key -out $wserver.csr
> openssl x509 -req -days 365 -in $wserver.csr -signkey $wserver.key -out
> $wserver.crt
> where #wscver is hostname of ambari server.
> 2. run ambari-server setup-security
> 3. Run openssl to check DH key lenght
> penssl s_client -connect bdvs1390.svl.ibm.com:8444 -cipher "EDH" | grep
> "Server Temp Key"
> depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = sever.com,
> emailAddress = test
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = US, ST = CA, L = San Jose, O = IBM, OU = BI, CN = server.com,
> emailAddress = test
> verify return:1
> Server Temp Key: DH, 1024 bits
> Furthermore, some versions of Firefox would reject the certificate so Ambari
> server would not be accessible from browser.
> Jira https://issues.apache.org/jira/browse/KNOX-566 has already been open for
> Knox.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
