1. Introduction

Security researchers Thai Duong and Juliano Rizzo will demonstrate a proof-of-concept attack against SSL/TLS. The researchers found a serious weakness in the SSL/TLS protocol that lets an attacker silently decrypt encrypted data transmitted between a web server and the end user's browser. The weakness mainly affects TLS 1.0 and all versions of SSL; TLS 1.1/1.2 are not affected. TLS is the successor to SSL…
https://issues.apache.org/jira/browse/AMBARI-18910

2. Fix

vi /etc/ambari-server/conf/ambari.properties
Add:
security.server.disabled.protocols=TLSv1.1|TLSv1|SSLv2Hello
Restart ambari-server. Note that this value disables TLS 1.1 as well as TLS 1.0, so only TLS 1.2 remains enabled on the server.

3. Verification

[root@host-10-1-236-84 conf]# openssl s_client -connect localhost:8440 -tls1_1
CONNECTED(00000003)
140146039056288:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1546832055
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
[root@host-10-1-236-84 conf]# openssl s_client -connect localhost:8440 -tls1
CONNECTED(00000003)
140071848437664:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1546832058
Timeout : 7200 (sec)
Verify return code: 0 (ok)

Both handshakes fail with "Cipher is (NONE)", which confirms that the server no longer accepts TLS 1.0 or TLS 1.1.

If ambari-agent reports errors because it can no longer communicate with ambari-server over TLSv1, you also need to add the following to the ambari-agent configuration file:
vi /etc/ambari-agent/conf/ambari-agent.ini
Add:
[security]
force_https_protocol=PROTOCOL_TLSv1_2
Then restart ambari-agent.
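To repeat the manual verification above for every protocol version in one pass, here is an added shell script (not part of the original post) that runs openssl s_client per version and classifies each handshake from its output. The host, the Ambari port 8440 and the flag list are assumptions taken from the commands above.

```shell
#!/bin/sh
# Added example: probe which TLS versions an Ambari server still negotiates.
# Assumes a local openssl that understands -tls1, -tls1_1 and -tls1_2.

# Classify captured "openssl s_client" output.
# Prints "rejected" when the server refused the handshake (the
# "Cipher is (NONE)" / "handshake failure" lines seen in the post),
# "accepted" when a real cipher was negotiated, "unknown" otherwise
# (e.g. connection refused, or a flag the local openssl does not know).
classify_handshake() {
    case "$1" in
        *"Cipher is (NONE)"*|*"handshake failure"*|*"alert protocol version"*|*"wrong version number"*)
            echo rejected ;;
        *"Cipher is "*)
            echo accepted ;;
        *)
            echo unknown ;;
    esac
}

# Probe one protocol version against host:port and print "<flag> <verdict>".
# "Q" on stdin makes s_client close the connection once the handshake is done.
probe_version() {
    host=$1; port=$2; flag=$3
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" "$flag" 2>&1 || true)
    echo "$flag $(classify_handshake "$out")"
}

# Probe the versions disabled in ambari.properties plus TLS 1.2, which
# must still be accepted or the agents cannot talk to the server at all.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        probe_version "$1" "$2" "$flag"
    done
}

# Usage (assumed defaults from the post): probe_all localhost 8440
# Expected after the fix: -tls1 rejected, -tls1_1 rejected, -tls1_2 accepted
```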