[ https://issues.apache.org/jira/browse/SPARK-24511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marcelo Vanzin resolved SPARK-24511.
------------------------------------
    Resolution: Not A Problem

The default in jdk8 is 1.2. If you configure your application with insecure settings, that's kinda your problem. By default, SSL is not even on...

> Spark WebUI allows Weak TLS Protocols
> -------------------------------------
>
>                 Key: SPARK-24511
>                 URL: https://issues.apache.org/jira/browse/SPARK-24511
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 2.3.0
>            Reporter: t oo
>            Priority: Major
>              Labels: security
>         Attachments: SSL.PNG
>
>
> *Risk/Issue summary finding*
> {code:java}
> Weak TLS Protocols Supported{code}
> *Risk/Issue summary description/detail*
> {code:java}
> The Spark web portals support the use of weak TLS protocols (TLSv1.0).
> Transport Layer Security (TLS) is the IETF standard cryptographic protocol
> for secure communications. It provides authentication, confidentiality and
> integrity between the client and the server. While the successor of SSL,
> TLSv1.0 has been superseded by versions 1.1 and 1.2, and is vulnerable to a
> variety of downgrade attacks due to its close implementation with SSLv3.
> {code}
> *Business impact / attack scenario*
> {code:java}
> Vulnerabilities in the Transport Layer Security protocols and ciphers can
> allow attackers to decrypt and view sensitive information transferred between
> the server and the client.
> They need to be positioned between the client and
> server in order to intercept messages.{code}
> *Recommendation*
> {code:java}
> Use TLSv1.2 with strong cipher suites (=> 128 bits) for all communications
> between the client and server.{code}
>
> spark-defaults.conf below was applied:
> spark.ssl.enabled true
> spark.ssl.keyStore /home/ec2-user/spark_home/conf/redact.jks
> spark.ssl.trustStore /home/ec2-user/spark_home/conf/redact-trust-nonprd.jks
> spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> spark.ssl.protocol TLSv1.2
> spark.ssl.trustStoreType JKS

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
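A static check of the spark.ssl.* settings quoted in the issue, added here as an example; it is not part of the issue or of Spark. It parses spark-defaults.conf and flags entries that fall short of the recommendation (TLSv1.2, suites of at least 128 bits), including the OpenSSL-style suite name in the quoted config, which a JVM does not recognise as a JSSE suite name. The sample config is the issue's own lines; the weak-suite heuristics are the example's assumptions.

```python
import re

# Constructed sample: the spark-defaults.conf lines quoted in the issue.
SAMPLE_CONF = """\
spark.ssl.enabled true
spark.ssl.keyStore /home/ec2-user/spark_home/conf/redact.jks
spark.ssl.trustStore /home/ec2-user/spark_home/conf/redact-trust-nonprd.jks
spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
spark.ssl.protocol TLSv1.2
spark.ssl.trustStoreType JKS
"""

IANA_SUITE = re.compile(r"^TLS_[A-Z0-9_]+$")  # JSSE uses IANA-style, underscore-separated names
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def parse_conf(text):
    """Parse spark-defaults.conf: one 'key value' pair per line, '#' comments allowed."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_suite(name):
    """Findings for one spark.ssl.enabledAlgorithms entry (empty list = acceptable)."""
    if not IANA_SUITE.match(name):
        # e.g. ECDHE-RSA-AES256-SHA is an OpenSSL name: JSSE does not know it, so the entry adds nothing.
        return [f"{name}: not an IANA-style (TLS_*) suite name, has no effect in a JVM"]
    findings = []
    if "_CBC_" in name or name.endswith("_SHA"):
        findings.append(f"{name}: CBC mode / SHA-1 MAC, prefer a GCM (AEAD) suite")
    key_bits = re.search(r"_(\d{2,3})_", name)  # e.g. AES_128_ -> 128
    if key_bits and int(key_bits.group(1)) < 128:
        findings.append(f"{name}: key length below 128 bits")
    return findings


def audit_conf(conf):
    """Audit spark.ssl.* against the recommendation: TLSv1.2 and >= 128-bit suites."""
    findings = []
    if conf.get("spark.ssl.enabled", "false").lower() != "true":
        findings.append("spark.ssl.enabled is not true: Web UI is served in plaintext")
    if conf.get("spark.ssl.protocol") not in ACCEPTED_PROTOCOLS:
        findings.append("spark.ssl.protocol should be TLSv1.2 (or TLSv1.3 where supported)")
    for suite in filter(None, map(str.strip, conf.get("spark.ssl.enabledAlgorithms", "").split(","))):
        findings.extend(audit_suite(suite))
    return findings
```

A static check cannot tell which protocol versions the listener actually negotiates, which is the reporter's observation; confirm that with a TLS handshake against the running Web UI.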