[ https://issues.apache.org/jira/browse/HDFS-7274?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Kanter updated HDFS-7274: -------------------------------- Status: Open (was: Patch Available) I was accidentally testing with Java 7 instead of 6. It turns out that the documentation was wrong and Java 6 only supports TLSv1, not TLSv1.1 (a different documentation page I just found supports this). > Disable SSLv3 (POODLEbleed vulnerability) in HttpFS > --------------------------------------------------- > > Key: HDFS-7274 > URL: https://issues.apache.org/jira/browse/HDFS-7274 > Project: Hadoop HDFS > Issue Type: Bug > Components: webhdfs > Affects Versions: 2.6.0 > Reporter: Robert Kanter > Assignee: Robert Kanter > Priority: Blocker > Attachments: HDFS-7274.patch > > > We should disable SSLv3 in HttpFS to protect against the POODLEbleed > vulnerability. > See > [CVE-2014-3566|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566] > We have {{sslProtocol="TLS"}} set to only allow TLS in ssl-server.xml, but > when I checked, I could still connect with SSLv3. There documentation is > somewhat unclear in the tomcat configs between {{sslProtocol}}, > {{sslProtocols}}, and {{sslEnabledProtocols}} and what each value they take > does exactly. From what I can gather, {{sslProtocol="TLS"}} actually > includes SSLv3 and the only way to fix this is to explicitly list which TLS > versions we support. -- This message was sent by Atlassian JIRA (v6.3.4#6332)