[jira] [Commented] (HADOOP-13812) Upgrade Tomcat to 6.0.47
[
https://issues.apache.org/jira/browse/HADOOP-13812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15696618#comment-15696618
]
John Zhuge commented on HADOOP-13812:
-
Upgrading curl from 7.19 built with NSS to 7.51 built with OpenSSL fixes the
SSL issue without adding {{ciphers="ALL"}}, so I will update docs for KMS and
HttpFS to warn about old SSL clients using weak ciphers and make suggestion.
> Upgrade Tomcat to 6.0.47
>
>
> Key: HADOOP-13812
> URL: https://issues.apache.org/jira/browse/HADOOP-13812
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
>Affects Versions: 2.6.0
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Blocker
>
> KMS and HttpFS currently uses Tomcat 6.0.44, propose to upgrade to the latest
> version is 6.0.47.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13812) Upgrade Tomcat to 6.0.47
[
https://issues.apache.org/jira/browse/HADOOP-13812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15695447#comment-15695447
]
John Zhuge commented on HADOOP-13812:
-
Adding {{ciphers="ALL"}} to SSL connector in {{server.xml}} does fix the issue
but ALL is intended for testing purpose.
> Upgrade Tomcat to 6.0.47
>
>
> Key: HADOOP-13812
> URL: https://issues.apache.org/jira/browse/HADOOP-13812
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
>Affects Versions: 2.6.0
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Blocker
>
> KMS and HttpFS currently uses Tomcat 6.0.44, propose to upgrade to the latest
> version is 6.0.47.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13812) Upgrade Tomcat to 6.0.47
[
https://issues.apache.org/jira/browse/HADOOP-13812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15695443#comment-15695443
]
John Zhuge commented on HADOOP-13812:
-
Here is the SSL issue encountered when I test either HttpFS or KMS REST API
over SSL:
{noformat}
$ curl --negotiate -i -v -k -L -u:
https://jzhuge-tomcat-ssl-1.gce.cloudera.com:14000/webhdfs/v1?op=liststatus
* About to connect() to jzhuge-tomcat-ssl-1.gce.cloudera.com port 14000 (#0)
* Trying 172.31.8.185... connected
* Connected to jzhuge-tomcat-ssl-1.gce.cloudera.com (172.31.8.185) port 14000
(#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
{noformat}
It is caused by this commit in Tomcat 6.0.46
https://github.com/apache/tomcat60/commit/d8767c0a751bdd261b9f33dbe74e2428f5645601#diff-275f38188d4d9c830969f8889fb6f3fc
which filters out known weak ciphers from the default list:
{code:java}
// Remove kRSA ciphers when running on Java 7 or above. Can't
// remove them for Java 6 since they are likely to be the only
// ones left
if (JreCompat.isJre7Available() &&
(cipher.toUpperCase(Locale.ENGLISH).startsWith("TLS_RSA_")
||
cipher.toUpperCase(Locale.ENGLISH).startsWith("SSL_RSA_"))) {
log.debug(sm.getString("jsse.excludeDefaultCipher", cipher));
continue;
}
{code}
> Upgrade Tomcat to 6.0.47
>
>
> Key: HADOOP-13812
> URL: https://issues.apache.org/jira/browse/HADOOP-13812
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
>Affects Versions: 2.6.0
>Reporter: John Zhuge
>Assignee: John Zhuge
>Priority: Blocker
>
> KMS and HttpFS currently uses Tomcat 6.0.44, propose to upgrade to the latest
> version is 6.0.47.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
-
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13812) Upgrade Tomcat to 6.0.47
[ https://issues.apache.org/jira/browse/HADOOP-13812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15695214#comment-15695214 ] John Zhuge commented on HADOOP-13812: - +1 for upgrading to 6.0.48 > Upgrade Tomcat to 6.0.47 > > > Key: HADOOP-13812 > URL: https://issues.apache.org/jira/browse/HADOOP-13812 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.6.0 >Reporter: John Zhuge >Assignee: John Zhuge >Priority: Blocker > > KMS and HttpFS currently uses Tomcat 6.0.44, propose to upgrade to the latest > version is 6.0.47. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13812) Upgrade Tomcat to 6.0.47
[ https://issues.apache.org/jira/browse/HADOOP-13812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15695097#comment-15695097 ] Akira Ajisaka commented on HADOOP-13812: Thank you for the quick response! How about upgrading to 6.0.48? This version includes some security fixes. https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48 > Upgrade Tomcat to 6.0.47 > > > Key: HADOOP-13812 > URL: https://issues.apache.org/jira/browse/HADOOP-13812 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.6.0 >Reporter: John Zhuge >Assignee: John Zhuge >Priority: Blocker > > KMS and HttpFS currently uses Tomcat 6.0.44, propose to upgrade to the latest > version is 6.0.47. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13812) Upgrade Tomcat to 6.0.47
[ https://issues.apache.org/jira/browse/HADOOP-13812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15695085#comment-15695085 ] John Zhuge commented on HADOOP-13812: - Tested 6.0.47 with CDH 5.10 in the following cases: * KMS, kerberos * KMS, kerberos + SSL * HttpFS, kerberos Investigating some issue in this case: * HttpFS, kerberos + SSL > Upgrade Tomcat to 6.0.47 > > > Key: HADOOP-13812 > URL: https://issues.apache.org/jira/browse/HADOOP-13812 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.6.0 >Reporter: John Zhuge >Assignee: John Zhuge >Priority: Blocker > > KMS and HttpFS currently uses Tomcat 6.0.44, propose to upgrade to the latest > version is 6.0.47. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13812) Upgrade Tomcat to 6.0.47
[ https://issues.apache.org/jira/browse/HADOOP-13812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15695034#comment-15695034 ] Akira Ajisaka commented on HADOOP-13812: Hi [~jzhuge], how is this issue going on? > Upgrade Tomcat to 6.0.47 > > > Key: HADOOP-13812 > URL: https://issues.apache.org/jira/browse/HADOOP-13812 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.6.0 >Reporter: John Zhuge >Assignee: John Zhuge >Priority: Blocker > > KMS and HttpFS currently uses Tomcat 6.0.44, propose to upgrade to the latest > version is 6.0.47. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13812) Upgrade Tomcat to 6.0.47
[ https://issues.apache.org/jira/browse/HADOOP-13812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15692391#comment-15692391 ] Akira Ajisaka commented on HADOOP-13812: Now 6.0.48 is released. Can we update to 6.0.48 instead of 6.0.47? > Upgrade Tomcat to 6.0.47 > > > Key: HADOOP-13812 > URL: https://issues.apache.org/jira/browse/HADOOP-13812 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.6.0 >Reporter: John Zhuge >Assignee: John Zhuge >Priority: Blocker > > KMS and HttpFS currently uses Tomcat 6.0.44, propose to upgrade to the latest > version is 6.0.47. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
