Overview

I’ve collected notes on TLS/SSL for a number of years now. Most of them relate to Apache Hadoop, but some are more general. I was consulting when the POODLE and Heartbleed vulnerabilities were disclosed. Below is a collection of TLS/SSL related references and commands. There is no guarantee they are up to date, but it helps to have them in one place.

TLS/SSL General

Certificate Types

Generating Certificates

Existing Certificate and Key to JKS

# 1. Bundle the PEM certificate and its private key into a PKCS#12 file
#    (you are prompted for an export password; keytool asks for it below)
openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12
# 2. Import the PKCS#12 into a Java keystore
keytool -importkeystore -srckeystore abc.p12 \
        -srcstoretype PKCS12 \
        -destkeystore abc.jks \
        -deststoretype JKS

Add -name ALIAS to the openssl command to choose the keystore alias (otherwise it is "1"), and -certfile chain.pem if the certificate was issued by an intermediate CA so the full chain ends up in the keystore.

Trusting CA Certificates

OpenSSL (system trust store, RHEL/CentOS)

# RHEL 6 only: enable the shared trust store (it is on by default on RHEL 7+)
update-ca-trust force-enable
# Drop the CA certificate (PEM) into the anchors directory, then rebuild the bundles
cp CERT.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

OpenLDAP

vi /etc/openldap/ldap.conf

...
TLS_CACERT /etc/pki/
# Comment out TLS_CACERTDIR so only the bundle above is consulted
...

The client-side directive in ldap.conf(5) is TLS_CACERT (a PEM bundle) or TLS_CACERTDIR (a hashed directory); there is no TLS_CAFILE. TLS_REQCERT should stay at its default of demand so a server certificate that does not chain to the bundle is rejected rather than ignored.

Java

/usr/java/JAVA_VERSION/jre/lib/security/cacerts
/etc/pki/ca-trust/extracted/java/cacerts

The first is the truststore bundled with the JRE (default password changeit); the second is the system CA bundle in Java keystore format, regenerated by update-ca-trust extract. Java does not read the PEM bundle, so either import the CA into the JRE cacerts with keytool or point the JVM at the extracted keystore with -Djavax.net.ssl.trustStore. On RHEL-family OpenJDK packages the JRE cacerts is usually a symlink to the extracted file already.

POODLE - SSLv3

What is POODLE?

POODLE (CVE-2014-3566, October 2014) is a padding-oracle attack on CBC-mode cipher suites in SSL 3.0. An attacker in the middle who can force a client and server to fall back to SSLv3 can decrypt parts of the session one byte at a time. The fix is to disable SSLv3 on both sides; TLS_FALLBACK_SCSV additionally stops a client from being downgraded.

Testing for POODLE

# The client must itself be able to speak SSLv3: OpenSSL 1.1.0+ and most current
# curl builds are compiled without it, so use an older build for this test
openssl s_client -connect HOST:PORT -ssl3
# A completed handshake (certificate chain, cipher and session ID printed) means the
# server still accepts SSLv3; "handshake failure" or "unsupported protocol" means it refused.
# Repeat with -tls1 -tls1_1 -tls1_2 to see which protocols are offered.
curl -v3 -I https://HOST:PORT
# -3 forces SSLv3; -I sends HEAD (avoid -X HEAD, which leaves curl waiting for a body)
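The openssl and curl checks only prove something when the client itself can still negotiate SSLv3, which OpenSSL 1.1.0+ and most current curl builds cannot. The script below is an example added here, not part of the original notes or of any Hadoop component: it builds an SSLv3 ClientHello by hand from the SSL 3.0 record format, sends it over a plain socket and reports whether the server answers with an SSLv3 ServerHello (still exposed to POODLE), an alert, or nothing. The cipher-suite numbers and alert codes are the standard SSL 3.0/TLS values; the function names and result strings are my own.

```python
"""
Raw SSLv3 probe for POODLE: send a hand-built SSLv3 ClientHello and classify
the first record the server returns, so the check does not depend on the
local openssl or curl being able to speak SSLv3.
"""
import os
import socket
import struct
import time

SSLV3 = b"\x03\x00"
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02

# SSLv3-era suites an old server is likely to accept
# (DHE-RSA/RSA with AES-256, AES-128, 3DES and RC4, by IANA number)
CIPHER_SUITES = [0x0039, 0x0035, 0x0033, 0x002F, 0x000A, 0x0005]

# Alert descriptions a server typically sends when it refuses the offered version
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(version=SSLV3, suites=CIPHER_SUITES):
    """Return one record-layer message carrying an SSLv3 ClientHello (no extensions)."""
    random = struct.pack("!I", int(time.time())) + os.urandom(28)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (version + random
            + b"\x00"                                         # session_id: empty
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                    # compression_methods: null only
    # handshake header: type (1 byte) + length (3 bytes)
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # record header: content type (1) + version (2) + length (2)
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record returned after an SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"   # closed the connection or sent nothing usable: SSLv3 refused
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + rec_len]
    if ctype == ALERT and len(payload) >= 2:
        _level, desc = payload[0], payload[1]
        return "refused:%s" % ALERT_NAMES.get(desc, "alert-%d" % desc)
    if ctype == HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
        srv_ver = payload[4:6]   # server_version follows the 4-byte handshake header
        if srv_ver == SSLV3:
            return "sslv3-accepted"
        return "other-version:%d.%d" % (srv_ver[0], srv_ver[1])
    return "unexpected"


def probe(host, port, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it as `python3 poodle_probe.py HOST PORT`. A result of `sslv3-accepted` means the server negotiates SSLv3 and the protocol has to be disabled; the `refused:*` and `no-response` results mean it will not. The probe stops after the first record and never completes a handshake, so it is safe to point at production listeners.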

Configuring Hadoop for Cipher Suites and Protocols

Each Hadoop component must be configured individually, or upgraded to a version that does it by default, to disable SSLv3 and weak cipher suites: the daemons embed their own HTTP servers and do not share one TLS configuration, so fixing one leaves the others exposed.

Ambari

Hadoop

HTTPFS

Hive

Oozie

Flume

Hue

  • https://issues.cloudera.org/browse/HUE-2438
    • Hue 3.8 - Disable SSLv3
    • line 1670 of /usr/lib/hue/desktop/core/src/desktop/lib/wsgiserver.py (Hue's bundled CherryPy server, using a pyOpenSSL context)
    • ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
    • ssl_cipher_list = "DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2" (default)
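The Hue fix is a pyOpenSSL context option; the same hardening, together with the checks worth running against any component in this section, looks like this with Python's standard ssl module. This is an example added here, not Hue's or Hadoop's own code: the cipher string mirrors Hue's default with RC4, 3DES and MD5 added to the exclusions (the SSLv2 keyword is dropped because current OpenSSL no longer knows it), and the weak-suite markers and function names are my own.

```python
"""
Harden a server-side TLS context the way the Hue patch does (no SSLv2/SSLv3),
add a TLS 1.2 floor and a tighter cipher list, and audit the result.
pyOpenSSL's SSL.OP_NO_SSLv3 and the ssl module's ssl.OP_NO_SSLv3 are the same
OpenSSL flag, so the effect on the listener is identical.
"""
import ssl

# Substrings identifying suites nobody should still offer: null encryption,
# export grade, RC4, single/triple DES, MD5 MACs and anonymous key exchange.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")

# Hue's default list with the exclusions that became standard after 2014.
CIPHER_LIST = "DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!3DES:!MD5"


def audit_cipher_names(names):
    """Return the cipher suite names that match a weak marker, in the order given."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def audit_context(ctx):
    """Return a list of findings for an ssl.SSLContext; an empty list means it passes."""
    findings = []
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("SSLv3 is not disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version is below TLS 1.2")
    weak = audit_cipher_names(c["name"] for c in ctx.get_ciphers())
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def hardened_server_context():
    """The Hue change plus a TLS 1.2 floor and a restricted cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3     # what HUE-2438 added
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2         # also rules out TLS 1.0 and 1.1
    ctx.set_ciphers(CIPHER_LIST)
    return ctx


if __name__ == "__main__":
    # constructed sample list, as a server on an old OpenSSL might offer it
    sample = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "NULL-SHA",
              "EXP-RC4-MD5", "DES-CBC3-SHA", "ADH-AES128-SHA"]
    print("weak in sample:", audit_cipher_names(sample))
    print("hardened context:", audit_context(hardened_server_context()) or "OK")
```

audit_context can be pointed at any context a Python service builds, but the cipher and protocol checks apply just as well to the Jetty or Tomcat settings of the other components: disable SSLv3, set a TLS 1.2 floor, and drop anything matching the weak markers from the offered suites.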

Ranger

Knox

Storm

Resources