I have tried it right now and TLSv1 is still available. Running the openssl command shows the server certificate. I check for the protocols using nmap (-sV) which shows support for TLSv1, TLSv1.1, TLSv1.2
On Tue, Sep 3, 2019 at 1:41 PM bappa kon <oracle...@gmail.com> wrote:
> Can you share the output of the below command?
>
> openssl s_client -connect hostname:8190 -tls1
>
> Also, have you already tried the below in custom yarn-site xml?
>
> ssl.exclude.protocol=TLSv1,TLSv1.1
>
> Thanks
>
> On Mon, 2 Sep 2019, 20:22 Anton Puzanov, <antonpuzdeve...@gmail.com> wrote:
>
>> Hi,
>>
>> I have been requested to disable TLSv1 and TLSv1.1 from our Yarn service.
>> Some background: we run a HDP cluster version 2.6.3.0-235.
>> After scraping the web for the specific configuration I need to disable the algorithms, the only solution I found is to configure "jdk.tls.disabledAlgorithms".
>>
>> I have set it both in the "java.security" file and in the jvm arguments themselves (via the yarn-env setting in Ambari).
>>
>> In java.security:
>> jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
>> EC keySize < 224, 3DES_EDE_CBC, anon, NULL, SSL, SSLv2, TLSv1.1
>>
>> When I check the running process I see the following jvm arguments (due to the setting in yarn-env):
>> /usr/jdk64/jdk1.8.0_112/bin/java -Dproc_resourcemanager -Xmx1024m -Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/etc/hadoop/2.6.3.0-235/0/yarn_jaas.conf -Dzookeeper.sasl.clientconfig=Client -Dhdp.version=2.6.3.0-235 *-Djdk.tls.disabledAlgorithms=TLSv1,TLSv1.1* -Dhadoop...
>>
>> But, when I check the supported TLS versions on the resource manager port (8190 in my case), TLSv1 and TLSv1.1 are still supported.
>>
>> Any help, ideas, and suggestions on how to correctly configure the TLS version support would be appreciated.
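An added verification script (not from the thread or from Hadoop) that extends the `openssl s_client -tls1` check suggested above to every TLS version, so a change to `jdk.tls.disabledAlgorithms` or the yarn-site setting can be confirmed on the listener itself; the host name and the 8190 port are assumptions taken from the thread, and the classification relies on the `Protocol  : <version>` line that `s_client` prints in its SSL-Session summary after a completed handshake.

```shell
#!/bin/sh
# Usage: sh tls_probe.sh rm-host 8190
# Reports, per TLS version, whether the listener completed a handshake.

# Classify one s_client run (output on stdin) for the expected version name.
#   ACCEPTED        - handshake completed; server still speaks this version
#   CLIENT_REFUSED  - the local openssl build/policy would not even offer it
#                     ("no protocols available" is a client-side error), so
#                     this says nothing about the server
#   REJECTED        - anything else (alert, handshake failure, connection reset)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q "^ *Protocol *: *$1\$"; then
        echo ACCEPTED
    elif printf '%s\n' "$out" | grep -q "no protocols available"; then
        echo CLIENT_REFUSED
    else
        echo REJECTED
    fi
}

# Run s_client once with a single-version flag and print the verdict.
probe_protocol() {
    # $1 host, $2 port, $3 openssl flag, $4 version name as openssl prints it
    # </dev/null closes stdin so s_client exits right after the summary.
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
    printf '%-8s %s\n' "$4" "$(printf '%s\n' "$out" | classify_handshake "$4")"
}

# Probe every version; TLSv1 and TLSv1.1 should come back REJECTED once
# the hardening has taken effect.
probe_all() {
    host=$1
    port=$2
    for pair in "-tls1 TLSv1" "-tls1_1 TLSv1.1" "-tls1_2 TLSv1.2" "-tls1_3 TLSv1.3"; do
        set -- $pair
        probe_protocol "$host" "$port" "$1" "$2"
    done
}

# Only probe when run with explicit host and port arguments.
if [ $# -eq 2 ]; then
    probe_all "$1" "$2"
fi
```

A CLIENT_REFUSED line means the probing machine's own openssl no longer negotiates that version, so a second tool (such as the nmap scan mentioned in the thread) is needed to judge the server for it.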