[ https://issues.apache.org/jira/browse/AMBARI-18910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15672165#comment-15672165 ]

Hudson commented on AMBARI-18910:
---------------------------------

ABORTED: Integrated in Jenkins build Ambari-trunk-Commit #6030 (See [https://builds.apache.org/job/Ambari-trunk-Commit/6030/])
AMBARI-18910. SSL/TLS protocols should be explicitly enabled and then (rlevas: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=430ecee6139c413faee7a8ed14a988181688cd54])
* (edit) ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java


> SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up
> --------------------------------------------------------------------------------------
>
>                 Key: AMBARI-18910
>                 URL: https://issues.apache.org/jira/browse/AMBARI-18910
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>             Fix For: 2.4.2
>
>         Attachments: AMBARI-18910_branch-2.4_01.patch, AMBARI-18910_branch-2.5_01.patch
>
>
> SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up.
>
> Currently the following protocols are explicitly enabled:
> * {{SSLv2Hello}}
> * {{TLSv1}}
>
> {code:title=org/apache/ambari/server/controller/AmbariServer.java:718}
> factory.setIncludeProtocols(new String[] { "SSLv2Hello","TLSv1"});
> {code}
>
> However the following protocols should be enabled by default:
> * {{SSLv2Hello}}
> * {{TLSv1}}
> * {{TLSv1.1}}
> * {{TLSv1.2}}
> * {{SSLv3}}
>
> {code:title=Example}
> factory.setIncludeProtocols(new String[]
>     {"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
> {code}
>
> Once set, the protocols may be filtered out using the {{security.server.disabled.protocols}} property from the ambari.properties file. For example:
>
> {code:title=Disables TLSv1, TLSv1.1, and SSLv2Hello}
> security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello
> {code}
>
> The availability of a particular protocol may be tested using the OpenSSL s_client facility.
>
> {noformat:title=Example: Test for TLSv1.2}
> openssl s_client -connect localhost:8440 -tls1_2
> {noformat}
>
> {noformat:title=Example successful result}
> CONNECTED(00000003)
> depth=0 C = XX, L = Default City, O = Default Company Ltd
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = XX, L = Default City, O = Default Company Ltd
> verify return:1
> ---
> Certificate chain
>  0 s:/C=XX/L=Default City/O=Default Company Ltd
>    i:/C=XX/L=Default City/O=Default Company Ltd
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MII…
> -----END CERTIFICATE-----
> subject=/C=XX/L=Default City/O=Default Company Ltd
> issuer=/C=XX/L=Default City/O=Default Company Ltd
> ---
> No client certificate CA names sent
> Server Temp Key: ECDH, secp521r1, 521 bits
> ---
> SSL handshake has read 2248 bytes and written 441 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 5829F75B49C2FED58C60CB7663181B39BCA3AF473F253EDB4BA04D827B9D58BA
>     Session-ID-ctx:
>     Master-Key: 46301FB9B4263547C62F8C793380319DC60A10C1D077C7DAB52D328B12D1FB4B868EE5131CD7F62917C02866196317B8
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1479145307
>     Timeout   : 7200 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> {noformat}
>
> {noformat:title=Example failure result}
> CONNECTED(00000003)
> 140518067173192:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1479145122
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
> {noformat}
>
> Note: This does not address the agent-side issue of connecting to an Ambari server where TLSv1 is disabled. See AMBARI-17666.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
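The issue above describes two things a reviewer of an Ambari deployment would want to check together: the default include list and the pipe-separated `security.server.disabled.protocols` filter. The following is an added example (not Ambari's code) that models that include-then-filter logic over an ambari.properties fragment and reports which legacy protocols would still be offered; the default list and property syntax come from the issue text, the `WEAK_PROTOCOLS` set and the sample property fragments are this example's own constructed assumptions.

```python
"""Model of Ambari's protocol include list filtered by the
security.server.disabled.protocols property (pipe-separated values,
as described in AMBARI-18910). Added example, not project code."""

# Default include list proposed in the issue.
DEFAULT_INCLUDE_PROTOCOLS = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Protocols this example treats as legacy and reports if left enabled
# (this example's assumption, not a statement from the issue).
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

PROPERTY = "security.server.disabled.protocols"


def parse_disabled_protocols(properties_text):
    """Return the set of protocol names in security.server.disabled.protocols.
    Blank lines and '#' comments are skipped; values are split on '|'."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY:
            return {p.strip() for p in value.split("|") if p.strip()}
    return set()  # property absent: nothing is filtered out


def effective_protocols(include, disabled):
    """Include list minus the disabled set, order preserved."""
    return [p for p in include if p not in disabled]


def weak_protocols_left_enabled(properties_text, include=DEFAULT_INCLUDE_PROTOCOLS):
    """Legacy protocols still offered after applying the configured filter."""
    enabled = effective_protocols(include, parse_disabled_protocols(properties_text))
    return [p for p in enabled if p in WEAK_PROTOCOLS]


# Constructed fragments: the filter from the issue's own example, and one
# that also removes SSLv3 so only TLSv1.2 remains.
ISSUE_EXAMPLE_PROPERTIES = """# constructed ambari.properties fragment
security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello
"""
TLS12_ONLY_PROPERTIES = """# constructed ambari.properties fragment
security.server.disabled.protocols=SSLv2Hello|SSLv3|TLSv1|TLSv1.1
"""

if __name__ == "__main__":
    for name, text in [("issue example", ISSUE_EXAMPLE_PROPERTIES), ("TLSv1.2 only", TLS12_ONLY_PROPERTIES)]:
        print(name, "->", effective_protocols(DEFAULT_INCLUDE_PROTOCOLS, parse_disabled_protocols(text)),
              "still weak:", weak_protocols_left_enabled(text))
```

Running it shows that the issue's own example filter still leaves SSLv3 in the offered set, which is the kind of gap the `openssl s_client` check in the issue would confirm against a live server.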