[
https://issues.apache.org/jira/browse/RANGER-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15959382#comment-15959382
]
Ayub Khan commented on RANGER-1500:
-----------------------------------
Looking at the Ranger code, I understood that the Tomcat Catalina connector is used
for SSL configuration.
Below is my understanding:
HTTPS connector parameter sslProtocol defines which SSL/TLS protocols are
enabled by default.
e.g. for Oracle JDK 7:
1) setProtocol="TLS" will enable SSLv3 and TLSv1
2) setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2
3) setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
4) setProtocol="TLSv1" will enable SSLv3 and TLSv1
5) setProtocol="SSL" will enable SSLv3 and TLSv1
6) setProtocol="SSLv3" will enable SSLv3 and TLSv1
7) setProtocol="SSLv2" won't work
Note that even if some protocol is not enabled by default, it can be enabled by
specifying sslEnabledProtocols parameter.
So in the Ranger code, in order to restrict the available protocols to only
TLSv1.2, a simple fix is to change the sslEnabledProtocols parameter value from
"SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2" to "TLSv1.2"
here (https://github.com/apache/ranger/blob/ranger-0.7/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java#L151).
The configuration looks like this after the above changes: sslProtocol="SSL"
sslEnabledProtocols="TLSv1.2".
Is my understanding correct?
> Add support to exclude/disable SSL protocols.
> ---------------------------------------------
>
> Key: RANGER-1500
> URL: https://issues.apache.org/jira/browse/RANGER-1500
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 0.7.0
> Reporter: Ayub Khan
> Priority: Critical
> Fix For: 1.0.0, 0.7.1
>
>
> Add support to disable/exclude weaker SSL protocols like TLSv1, TLSv1.1 for
> ranger.
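The change discussed in the comment above, as an added example that is not Ranger's own EmbeddedServer code: an embedded Tomcat HTTPS connector built with the weak protocol list beside the hardened one, plus a startup guard that rejects any list still carrying a pre-TLSv1.2 entry. Port, keystore path, password and alias are placeholder arguments; the class and method names are invented for this illustration.

```java
import java.util.Arrays;
import java.util.List;
import org.apache.catalina.connector.Connector;

/** Added example (hypothetical class, not Ranger's code). */
public class HardenedHttpsConnector {
    // Value the comment reports Ranger 0.7 currently sets (constructed from the thread)
    static final String WEAK_PROTOCOLS = "SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2";
    // Value the comment proposes
    static final String HARDENED_PROTOCOLS = "TLSv1.2";

    /**
     * Returns the entries of sslEnabledProtocols that are weaker than TLSv1.2.
     * An empty list means the configuration is acceptable.
     */
    public static List<String> weakEntries(String sslEnabledProtocols) {
        List<String> weak = new java.util.ArrayList<>();
        for (String raw : sslEnabledProtocols.split(",")) {
            String p = raw.trim();
            if (!p.isEmpty() && !p.equals("TLSv1.2")) {
                weak.add(p); // SSLv2Hello, SSLv3, TLSv1, TLSv1.1, ...
            }
        }
        return weak;
    }

    /** Builds the HTTPS connector; refuses to start with a weak protocol list. */
    public static Connector buildHttpsConnector(int port, String keystoreFile,
                                                String keystorePass, String keyAlias,
                                                String sslEnabledProtocols) {
        List<String> weak = weakEntries(sslEnabledProtocols);
        if (!weak.isEmpty()) {
            throw new IllegalStateException("weak SSL/TLS protocols enabled: " + weak);
        }
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(port);
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setAttribute("SSLEnabled", "true");
        connector.setAttribute("keystoreFile", keystoreFile);
        connector.setAttribute("keystorePass", keystorePass);
        connector.setAttribute("keyAlias", keyAlias);
        // sslProtocol only selects the JSSE SSLContext; as the comment notes, it is
        // sslEnabledProtocols that actually limits what handshakes are accepted.
        connector.setAttribute("sslProtocol", "SSL");
        connector.setAttribute("sslEnabledProtocols", sslEnabledProtocols);
        return connector;
    }

    public static void main(String[] args) {
        System.out.println("weak entries: " + weakEntries(WEAK_PROTOCOLS));   // [SSLv2Hello, TLSv1, TLSv1.1]
        System.out.println("weak entries: " + weakEntries(HARDENED_PROTOCOLS)); // []
    }
}
```

Passing WEAK_PROTOCOLS to buildHttpsConnector fails fast at startup, while HARDENED_PROTOCOLS yields a connector that only negotiates TLSv1.2.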