[HBASE-25993] Make excluded SSL cipher suites configurable for all Web UIs - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.0-alpha-1, 2.2.7, 2.5.0, 2.3.5, 2.4.4
Fix Version/s: 3.0.0-alpha-1, 2.5.0, 2.3.6, 2.4.5
Component/s: None
Labels:
None

Release Note:
Add "ssl.server.exclude.cipher.list" configuration to excluded cipher suites for the http server started by the InfoServer.

Description

When starting a jetty http server, one can explicitly exclude certain (unsecure) SSL cipher suites. This can be especially important, when the HBase cluster needs to be compliant with security regulations (e.g. FIPS).

Currently it is possible to set the excluded ciphers for the ThriftServer ("hbase.thrift.ssl.exclude.cipher.suites") or for the RestServer ("hbase.rest.ssl.exclude.cipher.suites"), but one can not configure it for the regular InfoServer started by e.g. the master or region servers.

In this commit I want to introduce a new configuration "ssl.server.exclude.cipher.list" to configure the excluded cipher suites for the http server started by the InfoServer. This parameter has the same name and will work in the same way, as it was already implemented in hadoop (e.g. for hdfs/yarn). See: ~~HADOOP-12668~~, ~~HADOOP-14341~~

Attachments

Issue Links

links to

GitHub Pull Request #3375

Activity

People

Assignee:: Mate Szalay-Beko

Reporter:: Mate Szalay-Beko

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 10/Jun/21 13:49

Updated:: 12/Jun/21 02:37

Resolved:: 10/Jun/21 17:39