Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- 2.4.0
- None
Description
SSL/TLS protocols should be explicitly enabled and then filtered when Ambari starts up.
Currently, the following protocols are explicitly enabled:
- SSLv2Hello
- TLSv1
org/apache/ambari/server/controller/AmbariServer.java:718
factory.setIncludeProtocols(new String[] { "SSLv2Hello","TLSv1"});
However, the following protocols should be enabled by default:
- SSLv2Hello
- TLSv1
- TLSv1.1
- TLSv1.2
- SSLv3
Example
factory.setIncludeProtocols(new String[] {"SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"});
Once set, the protocols may be filtered out using the security.server.disabled.protocols property from the ambari.properties file. For example:
# Disables TLSv1, TLSv1.1, and SSLv2Hello
security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello
The availability of a particular protocol may be tested using the OpenSSL s_client facility.
Example: Test for TLSv1.2
openssl s_client -connect localhost:8440 -tls1_2
Example successful result
CONNECTED(00000003)
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify return:1
---
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd
   i:/C=XX/L=Default City/O=Default Company Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
MII…
-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd
issuer=/C=XX/L=Default City/O=Default Company Ltd
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 2248 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5829F75B49C2FED58C60CB7663181B39BCA3AF473F253EDB4BA04D827B9D58BA
    Session-ID-ctx:
    Master-Key: 46301FB9B4263547C62F8C793380319DC60A10C1D077C7DAB52D328B12D1FB4B868EE5131CD7F62917C02866196317B8
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1479145307
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
Example failure result
CONNECTED(00000003)
140518067173192:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1479145122
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Note: This does not address the agent-side issue of connecting to an Ambari server where TLSv1 is disabled. See AMBARI-17666.
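As an added example (not Ambari's own code), the following Python models the include-then-filter behaviour described above and classifies openssl s_client output the way the success and failure results show: the failure output still prints a Protocol line, so only the cipher line tells the two apart. The sample outputs are constructed abbreviations of the page's examples, and the LEGACY set is a policy assumption.

```python
"""Model Ambari's include-then-filter TLS protocol handling and check
openssl s_client results. Added example, not Ambari's own code."""
import re

# Protocols the issue proposes enabling by default (from the issue text).
DEFAULT_INCLUDED = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Versions a defender would not want left enabled (assumption: policy choice).
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed, abbreviated copies of the page's success and failure outputs.
SUCCESS_OUTPUT = """CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""
FAILURE_OUTPUT = """CONNECTED(00000003)
140518067173192:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""


def effective_protocols(included, disabled_property):
    """Apply security.server.disabled.protocols (pipe-separated, as shown in
    the issue) to the include list. Assumption: exact name match, order kept."""
    disabled = {p.strip() for p in disabled_property.split("|") if p.strip()}
    return [p for p in included if p not in disabled]


def legacy_remaining(enabled):
    """Legacy protocol versions still enabled after filtering."""
    return sorted(p for p in enabled if p in LEGACY)


def negotiated_protocol(s_client_output):
    """Return the protocol s_client negotiated, or None on handshake failure.
    A failed run still prints 'Protocol : TLSv1.2', so the error and cipher
    lines decide, not the Protocol line."""
    if re.search(r"ssl handshake failure", s_client_output):
        return None
    if re.search(r"Cipher is \(NONE\)", s_client_output):
        return None
    m = re.search(r"Protocol\s*:\s*(\S+)", s_client_output)
    return m.group(1) if m else None
```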
Attachments
Issue Links
- relates to AMBARI-20545 Remove the use of legacy SSL and TLS protocol versions (Open)