[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14198294#comment-14198294 ] Hudson commented on HADOOP-11260: - SUCCESS: Integrated in Hadoop-Yarn-trunk #734 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/734/]) HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha) (kasha: rev dbf30e3c0e1522e6588aecac71c990c0b01fd8fb) * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java * hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java * hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java * hadoop-common-project/hadoop-common/CHANGES.txt Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Fix For: 2.6.0 Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14198392#comment-14198392 ] Hudson commented on HADOOP-11260: - FAILURE: Integrated in Hadoop-Hdfs-trunk #1923 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/1923/]) HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha) (kasha: rev dbf30e3c0e1522e6588aecac71c990c0b01fd8fb) * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java * hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java * hadoop-common-project/hadoop-common/CHANGES.txt * hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Fix For: 2.6.0 Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14198483#comment-14198483 ] Hudson commented on HADOOP-11260: - FAILURE: Integrated in Hadoop-Mapreduce-trunk #1948 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1948/]) HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha) (kasha: rev dbf30e3c0e1522e6588aecac71c990c0b01fd8fb) * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java * hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java * hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java * hadoop-common-project/hadoop-common/CHANGES.txt Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Fix For: 2.6.0 Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14196368#comment-14196368 ] Mike Yoder commented on HADOOP-11260: - Thanks, [~tucu00]. I tried writing a unit test - having the java client specify only SSLv3 as an enabled protocol - but it connected anyway. So I think there is some java crypto thing I don't quite understand going on. So I think the answer is yes, difficult, but I'll poke at it a little more this morning to see if anything turns up. Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14196454#comment-14196454 ] Mike Yoder commented on HADOOP-11260: - Ah, well there's my answer. The docs for SSLContext say {quote} Every implementation of the Java platform is required to support the following standard SSLContext protocol: TLSv1 {quote} And all of the SSLContext algorithms at http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext say may support other versions. In SSLFactory's init(), if I explicitly set the enabled protocols to SSLv3 the internal default client protocol list still has TLSv1 in it. Looks like it's possible to remove SSLv3, but not possible to remove TLSv1. So nope, no easy way to test. Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14197198#comment-14197198 ] Karthik Kambatla commented on HADOOP-11260: --- +1. Checking this in. Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14197220#comment-14197220 ] Hudson commented on HADOOP-11260: - SUCCESS: Integrated in Hadoop-trunk-Commit #6442 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/6442/]) HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha) (kasha: rev dbf30e3c0e1522e6588aecac71c990c0b01fd8fb) * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java * hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java * hadoop-common-project/hadoop-common/CHANGES.txt * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java * hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Fix For: 2.6.0 Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14194700#comment-14194700 ] Tsuyoshi OZAWA commented on HADOOP-11260: - [~yoderme], thank you for taking this JIRA. This note from Intalio can help you: https://gist.github.com/joakime/1fa3dfc937ffd8acd8df#file-cve-2014-2566-markdown Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14194997#comment-14194997 ] Mike Yoder commented on HADOOP-11260: - Some references for your reading enjoyment: * https://www.openssl.org/~bodo/ssl-poodle.pdf * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 * https://access.redhat.com/articles/1232123 * https://www.imperialviolet.org/2014/10/14/poodle.html * https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html * http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html * http://blog.erratasec.com/2014/10/some-poodle-notes.html * http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/ * http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation * http://en.wikipedia.org/wiki/Transport_Layer_Security Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195236#comment-14195236 ] Mike Yoder commented on HADOOP-11260: - Whoa, this is weird. The above all worked for me. Suspect a Java 6 vs 7 issue. The failures look like {quote} Error Message Received fatal alert: handshake_failure Stacktrace javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822) ... Standard Output 2014-11-03 20:46:49,082 WARN mortbay.log (Slf4jLog.java:warn(89)) - EXCEPTION javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:580) at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:484) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199) at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:708) at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582) {quote} I found this {quote} Currently, the SSLv3 and TLSv1 protocols allow you to send SSLv3 and TLSv1 hellow encapsulated in an SSLv2 format hello. For more details on the reasons for allowing this compatibility in these protocols, see Appendix E in RFC 2246: The TLS Protocol Version 1.0. Note that some SSL/TLS servers do nto support the v2 hello format and require that client hellos conform to the SSLv3 or TLSv1 client hello formats. The SSLv2Hello option controls the SSLv2 encapsulation. For example, if SSLv2Hello is disabled on the client, then all outgoing messages will conform to the SSLv3/TLSv1 client hello format. If SSLv2Hello is disabled on the server, then all incoming messages must conform to the SSLv3/TLSv1 client hello format. {quote} at http://bugs.java.com/bugdatabase/view_bug.do;jsessionid=bb4fe7fdf770bd03f76261bba990?bug_id=4915862 Looks like sslv2hello is innocuous enough; I'll just exclude SSLv3 only and try again. Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195248#comment-14195248 ] Karthik Kambatla commented on HADOOP-11260: --- HADOOP-11243 adds a config for allowed ssl protocols: {code} public static final String SSL_ENABLED_PROTOCOLS = hadoop.ssl.enabled.protocols; public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = TLSv1; {code} Can we just reuse that? Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195274#comment-14195274 ] Mike Yoder commented on HADOOP-11260: - [~kasha] - the actual error was SSLv2Hello is disabled - looks like it's required in Java 6. I think. The fix to HADOOP-11243 makes me sad because there is no TLS 1.1 and no TLS 1.2. Need to revisit when everything moves up to Java 7... Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195385#comment-14195385 ] Hadoop QA commented on HADOOP-11260: {color:green}+1 overall{color}. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12679056/HADOOP-11260.002.patch against trunk revision 734eeb4. {color:green}+1 @author{color}. The patch does not contain any @author tags. {color:green}+1 tests included{color}. The patch appears to include 2 new or modified test files. {color:green}+1 javac{color}. The applied patch does not increase the total number of javac compiler warnings. {color:green}+1 javadoc{color}. There were no new javadoc warning messages. {color:green}+1 eclipse:eclipse{color}. The patch built with eclipse:eclipse. {color:green}+1 findbugs{color}. The patch does not introduce any new Findbugs (version 2.0.3) warnings. {color:green}+1 release audit{color}. The applied patch does not increase the total number of release audit warnings. {color:green}+1 core tests{color}. The patch passed unit tests in hadoop-common-project/hadoop-common hadoop-common-project/hadoop-kms hadoop-hdfs-project/hadoop-hdfs-httpfs. {color:green}+1 contrib tests{color}. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/5009//testReport/ Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/5009//console This message is automatically generated. Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195510#comment-14195510 ] Mike Yoder commented on HADOOP-11260: - [~tucu00] - are you able to review this patch? Thanks a bunch if so. -Mike Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195716#comment-14195716 ] Alejandro Abdelnur commented on HADOOP-11260: - +1, LGTM. I assume testing SSLv3 is not working with it it would be a bit difficult, right? Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)