From bc2d3a71d6e09310d1e49e4e31433304c76e6701 Mon Sep 17 00:00:00 2001 From: Daisuke Kobayashi Date: Tue, 10 Sep 2019 10:51:03 +0800 Subject: [PATCH] HADOOP-16549. Remove Unsupported SSL/TLS Versions from Docs/Properties. Contributed by Daisuke Kobayashi. Signed-off-by: Wei-Chiu Chuang Reviewed-by: Akira Ajisaka --- .../main/java/org/apache/hadoop/security/ssl/SSLFactory.java | 2 +- .../hadoop-common/src/main/resources/core-default.xml | 4 ++-- .../src/site/markdown/EncryptedShuffle.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java index a7548aac0c..e10741e58a 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLFactory.java @@ -72,7 +72,7 @@ public enum Mode { CLIENT, SERVER } public static final String SSL_ENABLED_PROTOCOLS_KEY = "hadoop.ssl.enabled.protocols"; public static final String SSL_ENABLED_PROTOCOLS_DEFAULT = - "TLSv1.1,TLSv1.2"; + "TLSv1.2"; public static final String SSL_SERVER_NEED_CLIENT_AUTH = "ssl.server.need.client.auth"; diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml index 583f833dbe..1842171a7b 100644 --- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml +++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml @@ -2703,9 +2703,9 @@ hadoop.ssl.enabled.protocols - TLSv1.1,TLSv1.2 + TLSv1.2 - The supported SSL protocols. The parameter will only used from + The supported SSL protocols. The parameter will only be used from DatanodeHttpServer. 
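Review bot: `SSL_ENABLED_PROTOCOLS_DEFAULT` now encodes a security decision, but nothing on the constant says why TLSv1.1 was dropped or that the same literal is duplicated in core-default.xml (next hunk). A one-line comment would guard against a later edit re-adding an old version or letting the two defaults drift, for example `// TLSv1.2 only: older protocol versions are deliberately not enabled; keep in sync with core-default.xml.` The default also names nothing newer than TLSv1.2, so if any supported JVM offers TLSv1.3, whether to list it should be an explicit decision rather than an omission. The enclosing class continues outside this hunk, so how the constant is consumed is not visible here.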
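Review bot: The tightened default in core-default.xml only applies where `hadoop.ssl.enabled.protocols` is not set in a site file, so a cluster that copied the previous value into core-site.xml keeps offering TLSv1.1 after upgrading, and the description does not warn about this. I would extend the description with something like `Comma-separated list of enabled TLS protocol versions. A value set in core-site.xml replaces this default.` The text also still says "SSL protocols" although the only remaining value is a TLS version. The sentence "will only be used from DatanodeHttpServer" is copied into EncryptedShuffle.md in the last hunk, and whether it holds for the shuffle path cannot be confirmed from this page.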
diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/EncryptedShuffle.md b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/EncryptedShuffle.md
index 1b109a3e29..ddddcd9c8b 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/EncryptedShuffle.md
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/site/markdown/EncryptedShuffle.md
@@ -46,7 +46,7 @@ To enable encrypted shuffle, set the following properties in core-site.xml of al
 | `hadoop.ssl.keystores.factory.class` | `org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory` | The KeyStoresFactory implementation to use |
 | `hadoop.ssl.server.conf` | `ssl-server.xml` | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
 | `hadoop.ssl.client.conf` | `ssl-client.xml` | Resource file from which ssl server keystore information will be extracted. This file is looked up in the classpath, typically it should be in Hadoop conf/ directory |
-| `hadoop.ssl.enabled.protocols` | `TLSv1,SSLv2Hello,TLSv1.1,TLSv1.2` | The supported SSL protocols |
+| `hadoop.ssl.enabled.protocols` | `TLSv1.2` | The supported SSL protocols. The parameter will only be used from DatanodeHttpServer. |
 **IMPORTANT:** Currently requiring client certificates should be set to false. Refer the [Client Certificates](#Client_Certificates) section for details.