[ https://issues.apache.org/jira/browse/HDFS-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Kanter updated HDFS-7274:
--------------------------------

    Attachment: HDFS-7274.patch

The patch sets the sslEnabledProtocols to TLSv1,TLSv1.1. I would have also added TLSv1.2, but Java 6 doesn't support it (we can add it when we drop Java 6 support).

For verification:

{noformat:title=Without Fix|borderStyle=solid}
$ openssl s_client -connect rkanter-has-1.ent.cloudera.com:14000 -ssl3
CONNECTED(00000003)
depth=0 CN = *.ent.cloudera.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = *.ent.cloudera.com
verify return:1
---
Certificate chain
 0 s:/CN=*.ent.cloudera.com
   i:/CN=*.ent.cloudera.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC2TCCAcGgAwIBAgIERTXzmDANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDDBIq
LmVudC5jbG91ZGVyYS5jb20wHhcNMTQxMDE0MjEwOTU1WhcNMTUwMTEyMjEwOTU1
WjAdMRswGQYDVQQDDBIqLmVudC5jbG91ZGVyYS5jb20wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDdd3RIofg6S0jNi1tZPLC/ye4yLz5PLdxpn5Rlmg8p
jORirbyvsLSn82WcfITUUx8Iez9pYLLXBzOqS4nlXwFP1WHDHGJFyuidTOaXm2fr
sZIVYUx0ldzUT6AhSLQ1p81g8Uplv3xA+Bh/SIXU84vKnjH6eU2wJc/0AKS6Jchl
hNr9ZuMEK6Dc34MbjOd0inLNqR2A26wV/tEPhf3UWbpkED9J8DZqevp25hvmYomM
OSoUSyO2hc6Mkj97Cbd8OglbXzG0lFzCgmN0yqFZ7X8pZuOzs2MhnzXtzjUbwvyO
G+1mpQ95Oc1cBdK40Rq/xeE8NwDP6C9JJ8FEz/VuuUZfAgMBAAGjITAfMB0GA1Ud
DgQWBBR/aS6adMIKP9pQbfcNkxyIbRMXJDANBgkqhkiG9w0BAQsFAAOCAQEAktNr
AzECBbO3hZEmjbZ/lnE+9DI7LF8DV1XbwZqd5qXhnnqZde5CryOGsAn76RkizUlo
KH1+8w8WRW8YxCx3863dOKg9yRr8rR5+BedSfG1GeF9PSpRYJ1o5Bv9wLNjI+UM0
E6zq3ObxpLe1QqXwz5Ro5DOIaBN5GRNp6i1B6k6b1aPsJOAaBkuFkR+unBCWnQk7
uMtGb78LaCYU0/8D5fRMTkeChR9gxuwYj7hwt3+CKdKEQ+0Mxbd5/sO8HgGlOcB1
T1xtu/GXoboiwwn6pLm/OksEyxB9TXnSvkc9C/RXQeaSaiEvYksS1LvPkvq27qDU
09EC8C1HkfWd4uOKYA==
-----END CERTIFICATE-----
subject=/CN=*.ent.cloudera.com
issuer=/CN=*.ent.cloudera.com
---
No client certificate CA names sent
---
SSL handshake has read 1239 bytes and written 303 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-DES-CBC3-SHA
    Session-ID: 5446CDA747ABD63AF7A7AC6AFD2FF36755D4BA02433045A548EA43E46C83308D
    Session-ID-ctx:
    Master-Key: F57470E4A4AD0A39D414660B43D16FF4798FD87A2D1A6F9B1FCB28874C04529E801D4DB1215DD6A06DA2600A7857911E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1413926311
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
{noformat}

{noformat:title=With Fix|borderStyle=solid}
$ openssl s_client -connect rkanter-has-1.ent.cloudera.com:14000 -ssl3
CONNECTED(00000003)
140735218041680:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1413926514
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
{noformat}

> Disable SSLv3 (POODLEbleed vulnerability) in HttpFS
> ---------------------------------------------------
>
>                 Key: HDFS-7274
>                 URL: https://issues.apache.org/jira/browse/HDFS-7274
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>    Affects Versions: 2.6.0
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Blocker
>         Attachments: HDFS-7274.patch
>
>
> We should disable SSLv3 in HttpFS to protect against the POODLEbleed vulnerability.
> See [CVE-2014-3566|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566]
> We have {{sslProtocol="TLS"}} set to only allow TLS in ssl-server.xml, but when I checked, I could still connect with SSLv3.
> The documentation is somewhat unclear in the tomcat configs between {{sslProtocol}}, {{sslProtocols}}, and {{sslEnabledProtocols}} and what each value they take does exactly. From what I can gather, {{sslProtocol="TLS"}} actually includes SSLv3 and the only way to fix this is to explicitly list which TLS versions we support.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
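To make the distinction between {{sslProtocol}} and {{sslEnabledProtocols}} concrete, here is an added illustration of the HttpFS Tomcat HTTPS Connector before and after the change. It is not the attached HDFS-7274.patch and not the project's own server.xml; the attribute set, the keystore placeholders and the file it lives in are assumptions, while port 14000 and the protocol values come from the issue.

```xml
<!-- Added illustration, not HDFS-7274.patch itself. A Tomcat HTTPS
     <Connector> of the kind HttpFS ships; keystore values below are
     placeholders and the surrounding attributes are assumed. -->

<!-- Weak setting: sslProtocol="TLS" only names the JSSE SSLContext
     ("TLS"), whose default enabled protocol list still contains SSLv3.
     This is why "openssl s_client -ssl3" completed a handshake above. -->
<Connector port="14000" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="PATH_TO_KEYSTORE"
           keystorePass="KEYSTORE_PASSWORD" />

<!-- Corrected setting: sslEnabledProtocols is the explicit allow-list of
     handshake versions, so an SSLv3 ClientHello is refused. TLSv1.2 is
     left out only because Java 6 lacks it; add it when Java 6 is dropped. -->
<Connector port="14000" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1"
           keystoreFile="PATH_TO_KEYSTORE"
           keystorePass="KEYSTORE_PASSWORD" />
```

After restarting HttpFS with the second form, the {{openssl s_client -ssl3}} check from the comment above is the regression test: the "wrong version number" error and {{Cipher is (NONE)}} in the "With Fix" output are what a refused SSLv3 handshake looks like, whereas a completed handshake showing {{Protocol : SSLv3}} with a real cipher means the connector is still accepting it.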