[ https://issues.apache.org/jira/browse/SPARK-24512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hyukjin Kwon resolved SPARK-24512.
----------------------------------
    Resolution: Incomplete

> SparkSQL ThriftServer port (ie 10015) supports TLSv1.0
> ------------------------------------------------------
>
>                 Key: SPARK-24512
>                 URL: https://issues.apache.org/jira/browse/SPARK-24512
>             Project: Spark
>          Issue Type: Bug
>          Components: SQL
>    Affects Versions: 2.3.0
>            Reporter: t oo
>            Priority: Major
>              Labels: bulk-closed
>
> THREAT:
> TLS is capable of using a multitude of ciphers (algorithms) to create the
> public and private key pairs.
> For example, TLSv1.0 uses either the RC4 stream cipher or a block cipher
> in CBC mode.
> RC4 is known to have biases and the block cipher in CBC mode is vulnerable to
> the POODLE attack.
> TLSv1.0, if configured to use the same cipher suites as SSLv3, includes a
> means by which a TLS implementation can downgrade the connection to
> SSL v3.0, thus weakening security.
> A POODLE-type (https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls)
> attack could also be launched directly at TLS without negotiating a
> downgrade.
> This QID will be marked as a Fail for PCI as of May 1st, 2017 in accordance
> with the new standards. For existing implementations, Merchants will
> be able to submit a PCI False Positive / Exception Request and provide proof
> of their Risk Mitigation and Migration Plan, which will result in a pass
> for PCI up until June 30th, 2018.
> Further details can be found at: NEW PCI DSS v3.2 and Migrating from SSL and
> Early TLS v1.1 (https://community.qualys.com/message/34120)
>
> IMPACT:
> An attacker can exploit cryptographic flaws to conduct man-in-the-middle type
> attacks or to decrypt communications.
> For example: An attacker could force a downgrade from the TLS protocol to the
> older SSLv3.0 protocol and exploit the POODLE vulnerability, read
> secure communications or maliciously modify messages.
> A POODLE-type (https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls)
> attack could also be launched directly at TLS without negotiating a
> downgrade.
>
> SOLUTION:
> Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger
> protocol such as TLSv1.2.
> The following openssl command can be used to do a manual test:
>
> openssl s_client -connect ip:port -tls1
>
> If the test is successful, then the target supports TLSv1.
>
>
> spark-defaults.conf below applied:
>
> spark.ssl.enabled true
> spark.ssl.keyStore /home/ec2-user/spark_home/conf/redact.jks
> spark.ssl.trustStore /home/ec2-user/spark_home/conf/redact-trust-nonprd.jks
> spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> spark.ssl.protocol TLSv1.2
> spark.ssl.trustStoreType JKS

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
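The report pairs a scanner finding (TLSv1.0 still accepted on the Thrift port) with a spark-defaults.conf that already names TLSv1.2 and a mixed cipher list, and the issue was closed as Incomplete, so the thread never explains the mismatch. The first thing a defender can check offline is whether the configured policy itself is what they think it is. The script below is an added example, not code from the issue or from Spark: it parses the `spark.ssl.*` keys of a spark-defaults.conf and applies an assumed policy derived from the threat text above (protocol at least TLSv1.2; RC4 and CBC-mode suites flagged as legacy). The two sample configurations are constructed from the one quoted in the report; the "hardened" variant only swaps the cipher list for AEAD suites.

```python
"""Audit the spark.ssl.* settings in a spark-defaults.conf for legacy TLS.

Added example; not code from the Jira issue or from Spark. The policy it
enforces (protocol at least TLSv1.2; RC4 and CBC-mode cipher suites flagged
as legacy) is an assumption taken from the scanner text in the issue, not a
Spark default.
"""
import re
from typing import Dict, List

# Assumed policy: protocols accepted for spark.ssl.protocol.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Markers of AEAD suites in OpenSSL-style names (which omit "CBC").
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")

# Constructed sample: the configuration quoted in the issue report.
REPORTED_CONF = """
spark.ssl.enabled true
spark.ssl.keyStore /home/ec2-user/spark_home/conf/redact.jks
spark.ssl.trustStore /home/ec2-user/spark_home/conf/redact-trust-nonprd.jks
spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
spark.ssl.protocol TLSv1.2
spark.ssl.trustStoreType JKS
"""

# Constructed sample: the same configuration with only AEAD suites enabled.
HARDENED_CONF = """
spark.ssl.enabled true
spark.ssl.keyStore /home/ec2-user/spark_home/conf/redact.jks
spark.ssl.trustStore /home/ec2-user/spark_home/conf/redact-trust-nonprd.jks
spark.ssl.enabledAlgorithms TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
spark.ssl.protocol TLSv1.2
spark.ssl.trustStoreType JKS
"""


def parse_spark_conf(text: str) -> Dict[str, str]:
    """Parse spark-defaults.conf lines ("key value" or "key=value") into a dict.

    Blank lines and '#' comments are skipped; a later duplicate key wins, as
    it does when the file is loaded as Java properties.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def is_cbc_suite(name: str) -> bool:
    """Return True for a CBC-mode suite in either IANA or OpenSSL naming.

    IANA names spell it out (..._AES_256_CBC_SHA256); OpenSSL names such as
    ECDHE-RSA-AES256-SHA omit "CBC", so an AES suite carrying no AEAD marker
    is taken to be CBC.
    """
    upper = name.upper()
    if "_CBC_" in upper:
        return True
    if "-" in upper and "AES" in upper:
        return not any(marker in upper for marker in AEAD_MARKERS)
    return False


def audit_ssl_config(conf: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the assumed policy holds."""
    findings: List[str] = []
    if conf.get("spark.ssl.enabled", "false").lower() != "true":
        findings.append("spark.ssl.enabled is not true")
    protocol = conf.get("spark.ssl.protocol")
    if protocol is None:
        findings.append("spark.ssl.protocol is unset; the JVM default applies")
    elif protocol not in ACCEPTED_PROTOCOLS:
        findings.append(f"spark.ssl.protocol={protocol} is below the assumed minimum TLSv1.2")
    raw_suites = conf.get("spark.ssl.enabledAlgorithms", "")
    suites = [s.strip() for s in raw_suites.split(",") if s.strip()]
    if not suites:
        findings.append("spark.ssl.enabledAlgorithms is unset; the JVM default cipher list applies")
    for suite in suites:
        if "RC4" in suite.upper():
            findings.append(f"{suite}: RC4 stream cipher")
        elif is_cbc_suite(suite):
            findings.append(f"{suite}: CBC-mode suite")
    return findings


if __name__ == "__main__":
    for label, text in (("reported", REPORTED_CONF), ("hardened", HARDENED_CONF)):
        result = audit_ssl_config(parse_spark_conf(text))
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the reported configuration it flags the two CBC suites (`ECDHE-RSA-AES256-SHA` and `TLS_DHE_RSA_WITH_AES_256_CBC_SHA256`) and nothing else; the hardened variant passes. A clean audit only shows what Spark was asked to do. Whether a given listening port honours it still has to be confirmed at the socket, which is what the `openssl s_client -connect ip:port -tls1` test in the report does. Note also that the `spark.ssl.*` namespace configures Spark's own endpoints (web UI, history server, RPC and shuffle), while the Spark Thrift server takes its SSL settings from HiveServer2's `hive.server2.*` properties, so the file audited here is not necessarily the one the Thrift port reads.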