question Re: Disabling sslv3 and RC4 ciphers on Ambari Webserver and Knox in Archives of Support Questions (Read Only)

Disabling sslv3 and RC4 ciphers on Ambari Webserver and Knox

kbaxley — Fri, 09 Oct 2015 05:56:23 GMT

re: security audit on the following items for Knox and Ambari Webservers:

Report snippet is below. Do we have a way of disabling these things for the given components?

Issue Types that this task fixes

Browser Exploit Against SSL/TLS (a.k.a. BEAST)

RC4 cipher suites were detected

GeneralBrowser Exploit Against SSL/TLS (a.k.a. BEAST)

Remove support of SSLv3/TLS1.0 cipher suites with CBC.

For more information, see:http://disablessl3.com/

RC4 cipher suites were detected

Adapt your server so that it supports the following ciphersuites ([1]):

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCMSHA384:\

ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:\ ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:\ ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:\ ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:\ DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:\ DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:\ AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:\ !aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:\ !EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA [1] https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

Re: Disabling sslv3 and RC4 ciphers on Ambari Webserver and Knox

pcodding — Sat, 10 Oct 2015 02:17:20 GMT

For Ambari, please refer to this doc: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.1.0/bk_Ambari_Security_Guide/content/_optional_configure_ciphers_and_protocols_for_ambari_server.html

Re: Disabling sslv3 and RC4 ciphers on Ambari Webserver and Knox

lmccay — Tue, 13 Oct 2015 22:12:29 GMT

For Knox, sslv3 is disabled by default and this can be further configured to disable more or "none" through the ssl.exclude.protocols parameter in gateway-site.xml. This can be done directly in the file or from within Ambari.

Knox does not have a configurable means to disable specific algorithms - however you can use the Java JSSE networking properties to do this. In fact, this will work for all applications being run in that particular JVM which is better than having to track it down for each application.

You should be able to find this in $JRE_HOME/lib/security/java.security in others.

# Algorithm restrictions for Secure Socket Layer/Transport Layer Security

# (SSL/TLS) processing

# In some environments, certain algorithms or key lengths may be undesirable

# when using SSL/TLS. This section describes the mechanism for disabling

# algorithms during SSL/TLS security parameters negotiation, including cipher

# suites selection, peer authentication and key exchange mechanisms.

# For PKI-based peer authentication and key exchange mechanisms, this list

# of disabled algorithms will also be checked during certification path

# building and validation, including algorithms used in certificates, as

# well as revocation information such as CRLs and signed OCSP Responses.

# This is in addition to the jdk.certpath.disabledAlgorithms property above.

# See the specification of "jdk.certpath.disabledAlgorithms" for the

# syntax of the disabled algorithm string.

# Note: This property is currently used by Oracle's JSSE implementation.

# It is not guaranteed to be examined and used by other implementations.

# Example:

# jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048