Set TLS version for an ADH cluster

This section shows how to configure an ADH cluster to use a specific TLS version for SSL communication and how to verify the current TLS version that is in use.

As of ADH 2.1.10.b1, the minimum supported TLS version is TLSv1.2 as restricted by Java 8. TLSv1.3 is supported on JDK11+ and JDK8 build 8u261 or later (JRE 1.8.0_261-b12+).

Select TLS version

You can specify the desired TLS version for entire ADH cluster using the TLS Version parameter when running the Manage SSL action. As of 2.1.10.b1, the only supported version is TLSv1.2.

Select TLS version
Select TLS version

Per-service TLS settings

You can also set a specific TLS version for individual ADH components. The list of configuration files and parameters responsible for the TLS protocol selection is presented below.

TLS configuration for ADH services
Service Configuration file Parameter Default value Description

Hive

/etc/hive/conf/hive-site.xml

hive.ssl.protocol.blacklist

SSLv2Hello,SSLv2,SSLv3,TLSv1,TLSv1.1

Disables specified TLS protocols for all Hive Servers

TezUI

/etc/nginx/nginx.conf

server.ssl_protocols

TLSv1.2

A comma-separated list of TLS protocols supported for the SSL transport

Metastore

/etc/hive/conf/hive-site.xml

metastore.ssl.protocol.blacklist

SSLv2Hello,SSLv2,SSLv3,TLSv1,TLSv1.1

Disables specified TLS protocols for Hive Metastore

HDFS, YARN

/etc/hadoop/conf/core-site.xml

hadoop.ssl.enabled.protocols

TLSv1.2

A comma-separated list of TLS protocols used for SSL communication between HDFS DataNodes

Spark2/Spark3

  • /etc/spark/conf/spark-defaults.conf

  • /etc/spark3/conf/spark-defaults.conf

spark.ssl.protocol

TLSv1.2

Specifies the TLS protocol to use

Livy (for Spark2/Spark3)

  • /etc/livy/conf/livy.conf

  • /etc/livy-spark3/conf/livy.conf

livy.server.thrift.ssl.protocol.blacklist

SSLv2,SSLv3,TLSv1,TLSv1.1

Disables specified TLS protocols

Flink

/etc/flink/conf/flink-conf.yaml

security.ssl.protocol

TLSv1.2

Specifies a single TLS version to be used for the SSL transport. Does not support comma-separated values

ZooKeeper 3.5.5+

/etc/zookeeper/conf/zoo.cfg

  • ssl.protocol

  • ssl.quorum.protocol

TLSv1.2

ssl.protocol defines a protocol for the client SSL negotiation. ssl.quorum.protocol defines a protocol to use for quorum SSL negotiation

Test TLS version

To get the TLS version currently used by ADH, you can use curl or OpenSSL as shown below.

Use curl

Below is a sample HTTPS request to the Hive server forcing curl to use the fairly deprecated TLSv1.1.

$ curl https://ka-adh-1.ru-central1.internal:10002/  --insecure --tlsv1.1 --tls-max 1.1

The response indicates that TLSv1.1 is unsupported.

curl: (35) Peer reports incompatible or unsupported protocol version

If you omit --tlsv1.1 --tls-max 1.1, the default TLSv1.2 is used and curl returns a web page.

Use OpenSSL

The command below opens an SSL connection to a Tez server and OpenSSL attempts to get SSL certificates using the deprecated TLSv1.1.

$ openssl s_client -connect ka-adh-2.ru-central1.internal:9999 -tls1_1

OpenSSL fails to establish the connection due to the unsupported TLS version.

no peer certificate available. No client certificate CA names send

If you omit -tls1_1, the default TLSv1.2 is used and OpenSSL retrieves a certificate.

Found a mistake? Seleсt text and press Ctrl+Enter to report it