diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 9269960615..41ba87d861 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -691,6 +691,8 @@ Release 2.9.0 - UNRELEASED HADOOP-12710. Remove dependency on commons-httpclient for TestHttpServerLogs (Wei-Chiu Chuang via iwasakims) + HADOOP-12817. Enable TLS v1.1 and 1.2 (rkanter) + BUG FIXES HADOOP-12605. Fix intermittent failure of TestIPC.testIpcWithReaderQueuing diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java index edec347d0d..518de8095a 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java @@ -69,7 +69,8 @@ public static enum Mode { CLIENT, SERVER } public static final String SSL_ENABLED_PROTOCOLS = "hadoop.ssl.enabled.protocols"; - public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1"; + public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = + "TLSv1,SSLv2Hello,TLSv1.1,TLSv1.2"; private Configuration conf; private Mode mode; diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml index 34e1236173..dd4919cf73 100644 --- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml +++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml @@ -1644,9 +1644,9 @@ for ldap providers in the same way as above does. hadoop.ssl.enabled.protocols - TLSv1 + TLSv1,SSLv2Hello,TLSv1.1,TLSv1.2 - Protocols supported by the ssl. + The supported SSL protocols. diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/EncryptedShuffle.md b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/EncryptedShuffle.md index fddd84f823..f67978111a 100644 --- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/EncryptedShuffle.md +++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/EncryptedShuffle.md @@ -44,7 +44,7 @@ To enable encrypted shuffle, set the following properties in core-site.xml of al | `hadoop.ssl.keystores.factory.class` | `org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory` | The KeyStoresFactory implementation to use | | `hadoop.ssl.server.conf` | `ssl-server.xml` | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory | | `hadoop.ssl.client.conf` | `ssl-client.xml` | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory | -| `hadoop.ssl.enabled.protocols` | `TLSv1` | The supported SSL protocols (JDK6 can use **TLSv1**, JDK7+ can use **TLSv1,TLSv1.1,TLSv1.2**) | +| `hadoop.ssl.enabled.protocols` | `TLSv1,SSLv2Hello,TLSv1.1,TLSv1.2` | The supported SSL protocols | **IMPORTANT:** Currently requiring client certificates should be set to false. Refer the [Client Certificates](#Client_Certificates) section for details.