[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14198294#comment-14198294 ] Hudson commented on HADOOP-11260: - SUCCESS: Integrated in Hadoop-Yarn-trunk #734 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/734/]) HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha) (kasha: rev dbf30e3c0e1522e6588aecac71c990c0b01fd8fb) * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java * hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java * hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java * hadoop-common-project/hadoop-common/CHANGES.txt Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Fix For: 2.6.0 Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14198392#comment-14198392 ] Hudson commented on HADOOP-11260: - FAILURE: Integrated in Hadoop-Hdfs-trunk #1923 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/1923/]) HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha) (kasha: rev dbf30e3c0e1522e6588aecac71c990c0b01fd8fb) * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java * hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java * hadoop-common-project/hadoop-common/CHANGES.txt * hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Fix For: 2.6.0 Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14198483#comment-14198483 ] Hudson commented on HADOOP-11260: - FAILURE: Integrated in Hadoop-Mapreduce-trunk #1948 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1948/]) HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha) (kasha: rev dbf30e3c0e1522e6588aecac71c990c0b01fd8fb) * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java * hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java * hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java * hadoop-common-project/hadoop-common/CHANGES.txt Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Fix For: 2.6.0 Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14196368#comment-14196368 ] Mike Yoder commented on HADOOP-11260: - Thanks, [~tucu00]. I tried writing a unit test - having the java client specify only SSLv3 as an enabled protocol - but it connected anyway. So I think there is some java crypto thing I don't quite understand going on. So I think the answer is yes, difficult, but I'll poke at it a little more this morning to see if anything turns up. Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[
https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14196454#comment-14196454
]
Mike Yoder commented on HADOOP-11260:
-
Ah, well there's my answer. The docs for SSLContext say
{quote}
Every implementation of the Java platform is required to support the following
standard SSLContext protocol: TLSv1
{quote}
And all of the SSLContext algorithms at
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
say may support other versions.
In SSLFactory's init(), if I explicitly set the enabled protocols to SSLv3
the internal default client protocol list still has TLSv1 in it. Looks like
it's possible to remove SSLv3, but not possible to remove TLSv1. So nope, no
easy way to test.
Patch up Jetty to disable SSLv3
---
Key: HADOOP-11260
URL: https://issues.apache.org/jira/browse/HADOOP-11260
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.5.1
Reporter: Karthik Kambatla
Assignee: Mike Yoder
Priority: Blocker
Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch
Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14197198#comment-14197198 ] Karthik Kambatla commented on HADOOP-11260: --- +1. Checking this in. Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14197220#comment-14197220 ] Hudson commented on HADOOP-11260: - SUCCESS: Integrated in Hadoop-trunk-Commit #6442 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/6442/]) HADOOP-11260. Patch up Jetty to disable SSLv3. (Mike Yoder via kasha) (kasha: rev dbf30e3c0e1522e6588aecac71c990c0b01fd8fb) * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java * hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java * hadoop-common-project/hadoop-common/CHANGES.txt * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java * hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Fix For: 2.6.0 Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14194700#comment-14194700 ] Tsuyoshi OZAWA commented on HADOOP-11260: - [~yoderme], thank you for taking this JIRA. This note from Intalio can help you: https://gist.github.com/joakime/1fa3dfc937ffd8acd8df#file-cve-2014-2566-markdown Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14194997#comment-14194997 ] Mike Yoder commented on HADOOP-11260: - Some references for your reading enjoyment: * https://www.openssl.org/~bodo/ssl-poodle.pdf * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 * https://access.redhat.com/articles/1232123 * https://www.imperialviolet.org/2014/10/14/poodle.html * https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html * http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html * http://blog.erratasec.com/2014/10/some-poodle-notes.html * http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/ * http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation * http://en.wikipedia.org/wiki/Transport_Layer_Security Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[
https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195236#comment-14195236
]
Mike Yoder commented on HADOOP-11260:
-
Whoa, this is weird. The above all worked for me. Suspect a Java 6 vs 7
issue. The failures look like
{quote}
Error Message
Received fatal alert: handshake_failure
Stacktrace
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
...
Standard Output
2014-11-03 20:46:49,082 WARN mortbay.log (Slf4jLog.java:warn(89)) - EXCEPTION
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
at
com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:580)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:484)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
at
org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:708)
at
org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
{quote}
I found this
{quote}
Currently, the SSLv3 and TLSv1 protocols allow you to send SSLv3 and TLSv1
hellow encapsulated in an SSLv2 format hello. For more details on the
reasons for allowing this compatibility in these protocols, see Appendix E
in RFC 2246: The TLS Protocol Version 1.0.
Note that some SSL/TLS servers do nto support the v2 hello format and require
that client hellos conform to the SSLv3 or TLSv1 client hello formats.
The SSLv2Hello option controls the SSLv2 encapsulation. For example, if
SSLv2Hello is disabled on the client, then all outgoing messages will conform
to the SSLv3/TLSv1 client hello format. If SSLv2Hello is disabled on the
server, then all incoming messages must conform to the SSLv3/TLSv1 client
hello format.
{quote}
at
http://bugs.java.com/bugdatabase/view_bug.do;jsessionid=bb4fe7fdf770bd03f76261bba990?bug_id=4915862
Looks like sslv2hello is innocuous enough; I'll just exclude SSLv3 only and try
again.
Patch up Jetty to disable SSLv3
---
Key: HADOOP-11260
URL: https://issues.apache.org/jira/browse/HADOOP-11260
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.5.1
Reporter: Karthik Kambatla
Assignee: Mike Yoder
Priority: Blocker
Attachments: HADOOP-11260.001.patch
Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[
https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195248#comment-14195248
]
Karthik Kambatla commented on HADOOP-11260:
---
HADOOP-11243 adds a config for allowed ssl protocols:
{code}
public static final String SSL_ENABLED_PROTOCOLS =
hadoop.ssl.enabled.protocols;
public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = TLSv1;
{code}
Can we just reuse that?
Patch up Jetty to disable SSLv3
---
Key: HADOOP-11260
URL: https://issues.apache.org/jira/browse/HADOOP-11260
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.5.1
Reporter: Karthik Kambatla
Assignee: Mike Yoder
Priority: Blocker
Attachments: HADOOP-11260.001.patch
Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195274#comment-14195274 ] Mike Yoder commented on HADOOP-11260: - [~kasha] - the actual error was SSLv2Hello is disabled - looks like it's required in Java 6. I think. The fix to HADOOP-11243 makes me sad because there is no TLS 1.1 and no TLS 1.2. Need to revisit when everything moves up to Java 7... Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[
https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195385#comment-14195385
]
Hadoop QA commented on HADOOP-11260:
{color:green}+1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12679056/HADOOP-11260.002.patch
against trunk revision 734eeb4.
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:green}+1 tests included{color}. The patch appears to include 2 new
or modified test files.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
{color:green}+1 eclipse:eclipse{color}. The patch built with
eclipse:eclipse.
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 core tests{color}. The patch passed unit tests in
hadoop-common-project/hadoop-common hadoop-common-project/hadoop-kms
hadoop-hdfs-project/hadoop-hdfs-httpfs.
{color:green}+1 contrib tests{color}. The patch passed contrib unit tests.
Test results:
https://builds.apache.org/job/PreCommit-HADOOP-Build/5009//testReport/
Console output:
https://builds.apache.org/job/PreCommit-HADOOP-Build/5009//console
This message is automatically generated.
Patch up Jetty to disable SSLv3
---
Key: HADOOP-11260
URL: https://issues.apache.org/jira/browse/HADOOP-11260
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.5.1
Reporter: Karthik Kambatla
Assignee: Mike Yoder
Priority: Blocker
Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch
Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195510#comment-14195510 ] Mike Yoder commented on HADOOP-11260: - [~tucu00] - are you able to review this patch? Thanks a bunch if so. -Mike Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HADOOP-11260) Patch up Jetty to disable SSLv3
[ https://issues.apache.org/jira/browse/HADOOP-11260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14195716#comment-14195716 ] Alejandro Abdelnur commented on HADOOP-11260: - +1, LGTM. I assume testing SSLv3 is not working with it it would be a bit difficult, right? Patch up Jetty to disable SSLv3 --- Key: HADOOP-11260 URL: https://issues.apache.org/jira/browse/HADOOP-11260 Project: Hadoop Common Issue Type: Bug Components: security Affects Versions: 2.5.1 Reporter: Karthik Kambatla Assignee: Mike Yoder Priority: Blocker Attachments: HADOOP-11260.001.patch, HADOOP-11260.002.patch Hadoop uses an older version of Jetty that allows SSLv3. We should fix it up. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
