
Make excluded SSL cipher suites configurable for all Web UIs

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.0.0-alpha-1, 2.2.7, 2.5.0, 2.3.5, 2.4.4
    • 3.0.0-alpha-1, 2.5.0, 2.3.6, 2.4.5
    • None
    • None
    • Add "ssl.server.exclude.cipher.list" configuration to exclude cipher suites for the HTTP server started by the InfoServer.

    Description

      When starting a Jetty HTTP server, one can explicitly exclude certain (insecure) SSL cipher suites. This can be especially important when the HBase cluster needs to be compliant with security regulations (e.g. FIPS).

      Currently it is possible to set the excluded ciphers for the ThriftServer ("hbase.thrift.ssl.exclude.cipher.suites") or for the RestServer ("hbase.rest.ssl.exclude.cipher.suites"), but one cannot configure it for the regular InfoServer started by e.g. the master or region servers.

      In this commit I want to introduce a new configuration "ssl.server.exclude.cipher.list" to configure the excluded cipher suites for the HTTP server started by the InfoServer. This parameter has the same name and will work in the same way as it was already implemented in Hadoop (e.g. for HDFS/YARN). See: HADOOP-12668, HADOOP-14341
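
An added example, not part of the issue or of HBase's code: a configuration audit that reads the three exclusion properties named in the description and reports, per server, which required cipher suites are still not excluded. It assumes the properties are set in an hbase-site.xml-style file and hold comma-separated suite names (as the Hadoop property does); the required list and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Property names quoted in the issue description, keyed by the server they cover.
CIPHER_PROPS = {
    "InfoServer": "ssl.server.exclude.cipher.list",
    "ThriftServer": "hbase.thrift.ssl.exclude.cipher.suites",
    "RestServer": "hbase.rest.ssl.exclude.cipher.suites",
}

# Constructed site policy (assumption): suites every web endpoint must exclude.
REQUIRED_EXCLUDED = {
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA256",
}

# Constructed sample file: Thrift fully covered, InfoServer partly, REST unset.
SAMPLE_SITE = """<configuration>
  <property>
    <name>hbase.thrift.ssl.exclude.cipher.suites</name>
    <value>SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_NULL_SHA256</value>
  </property>
  <property>
    <name>ssl.server.exclude.cipher.list</name>
    <value>SSL_RSA_WITH_RC4_128_MD5,
           SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>
  </property>
</configuration>"""

def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "") or ""
            for p in root.iter("property")}

def audit(xml_text, required=REQUIRED_EXCLUDED):
    """Map each server to the sorted required suites its list fails to exclude."""
    props = load_properties(xml_text)
    gaps = {}
    for server, key in CIPHER_PROPS.items():
        # Assumed format: comma-separated suite names, surrounding whitespace ignored.
        excluded = {s.strip() for s in props.get(key, "").split(",") if s.strip()}
        gaps[server] = sorted(required - excluded)
    return gaps

if __name__ == "__main__":
    for server, missing in audit(SAMPLE_SITE).items():
        print(f"{server}: {'OK' if not missing else 'not excluded: ' + ', '.join(missing)}")
```

An unset property shows up as every required suite missing, which is the InfoServer's situation on versions without this change.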

            People

              symat Mate Szalay-Beko