Can you share the output of the command below?

openssl s_client -connect hostname:8190 -tls1

Also, have you already tried the below in custom yarn-site xml?

ssl.exclude.protocol=TLSv1,TLSv1.1

Thanks

On Mon, 2 Sep 2019, 20:22 Anton Puzanov, <antonpuzdeve...@gmail.com> wrote:

> Hi,
>
> I have been requested to disable TLSv1 and TLSv1.1 from our Yarn service.
> Some background: we run a HDP cluster version 2.6.3.0-235
> After scraping the web for the specific configuration I need to disable
> the algorithms, the only solution I found is to configure
> "jdk.tls.disabledAlgorithms".
>
> I have set it both in "java.security" file and in the jvm arguments
> themselves (via yarn-env setting in Ambari).
>
> In java.security: jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES,
> MD5withRSA, DH keySize < 1024, \
>     EC keySize < 224, 3DES_EDE_CBC, anon, NULL, SSL, SSLv2, TLSv1.1
>
> When I check the running process I see the following jvm arguments (due to
> the setting in yarn-env): /usr/jdk64/jdk1.8.0_112/bin/java
> -Dproc_resourcemanager -Xmx1024m -Dzookeeper.sasl.client=true
> -Dzookeeper.sasl.client.username=zookeeper
> -Djava.security.auth.login.config=/etc/hadoop/2.6.3.0-235/0/yarn_jaas.conf
> -Dzookeeper.sasl.clientconfig=Client -Dhdp.version=2.6.3.0-235
> *-Djdk.tls.disabledAlgorithms=TLSv1,TLSv1.1* -Dhadoop...
>
> But, when I check the supported TLS versions on the resource manager port
> (8190 in my case), TLSv1 and TLSv1.1 are still supported.
>
> Any help, ideas, and suggestions on how to correctly configure the TLS
> version support would be appreciated.
>
>
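
The `openssl s_client` check requested above, extended to TLSv1.1 and to TLSv1.2 as a control, as an added example that is not part of the original thread. The function names and script name are hypothetical; `hostname:8190` is the placeholder target used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which legacy TLS versions a
# listener still accepts. Function names are hypothetical.

# Read `openssl s_client` output on stdin and print one verdict:
#   accepted - a cipher was negotiated, so the protocol is still enabled
#   rejected - TCP connected but the handshake ended with "Cipher is (NONE)"
#   unknown  - no TCP connection, or the local openssl lacks the option
classify_handshake() {
    out=$(cat)
    case $out in
        *"CONNECTED("*) ;;
        *) echo unknown; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -Eq 'Cipher is [A-Za-z0-9]'; then
        echo accepted
    else
        echo rejected
    fi
}

# Attempt one handshake pinned to a single protocol version.
probe_tls() {
    # </dev/null closes stdin so s_client exits once the handshake is done.
    openssl s_client -connect "$1" "$2" </dev/null 2>&1 | classify_handshake
}

# Probe the versions discussed in the thread plus TLSv1.2 as a control.
audit_tls() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_tls "$1" "$flag")"
    done
}

# Usage: sh check_tls.sh hostname:8190
if [ "$#" -ge 1 ]; then
    audit_tls "$1"
fi
```

Run it from a host whose openssl build still permits TLSv1 and TLSv1.1 on the client side; otherwise a "rejected" or "unknown" verdict reflects the client rather than the ResourceManager.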
