Beginning with MEPs 6.3.1 and 7.0.0, the default protocol version for TLS (SSL) is TLSv1.2, but you can use the hive.ssl.protocol.version property to set a custom value for TLS (SSL).
Setting the TLS (SSL) Protocol Version
To enable the direct configuration of the TLS (SSL) version, Hive provides the following property:

| Property | Type | Default Value | Description |
| --- | --- | --- | --- |
| hive.ssl.protocol.version | String | TLSv1.2 | SSL protocol versions for all Hive servers. |
To set a custom value for the TLS (SSL) protocol version in Hive:
- Add the following to the hive-site.xml file:

    <property>
      <name>hive.ssl.protocol.version</name>
      <value><custom_value></value>
    </property>

  In this example, <custom_value> can be one of the following:
  - SSLv2
  - SSLv3
  - SSLv2Hello
  - TLSv1
  - TLSv1.1
  - TLSv1.2
  For more information, see the following table:

| # | Algorithm Name (TLS/SSL Version) | Description |
| --- | --- | --- |
| 1 | Default | Use the default algorithm. |
| 2 | SSL | Supports some versions of SSL; may support other versions. |
| 3 | SSLv2 | Supports SSL version 2 or later; may support other versions. |
| 4 | SSLv3 | Supports SSL version 3; may support other versions. |
| 5 | TLS | Supports some versions of TLS; may support other versions. |
| 6 | TLSv1 | Supports RFC 2246: TLS version 1.0; may support other versions. |
| 7 | TLSv1.1 | Supports RFC 4346: TLS version 1.1; may support other versions. |
| 8 | TLSv1.2 | Supports RFC 5246: TLS version 1.2; may support other versions. |
- Restart all Hive services.
Special Considerations for Protocol Versions
Note these special considerations for the protocol versions:
- When hive.ssl.protocol.version is set to TLSv1.2, the server supports TLS 1.2. When it is set to TLSv1, the server supports TLS versions up to TLS 1.0 (but not TLS 1.1 and 1.2). When it is set to TLSv1.1, the server supports versions up to TLS 1.1 (but not TLS 1.2).
  SSLv2Hello is not a real encryption protocol. It merely enables clients to find out which encryption protocols are supported by the server to which they connect. As long as SSLv2Hello is used only by clients and servers to negotiate a safe protocol, such as TLSv1.1 or TLSv1.2, it does not pose a security risk.
- Hive has a property called hive.ssl.protocol.blacklist with a default value of SSLv2,SSLv3,SSLv2Hello,TLSv1,TLSv1.1. If you want to enable TLSv1.1, for example, you must remove it from the blacklist above. For example:

    <property>
      <name>hive.ssl.protocol.blacklist</name>
      <value>SSLv2,SSLv3,SSLv2Hello,TLSv1</value>
    </property>
    <property>
      <name>hive.ssl.protocol.version</name>
      <value>TLSv1.1</value>
    </property>
- If you use a TLS (SSL) protocol version from the blacklist, you will get the following exception when connecting to HiveServer2 via JDBC:

    Unknown HS2 problem when communicating with Thrift server.
    Error: Could not open client transport with JDBC Uri: jdbc:hive2://<hostname>:10000/default;auth=maprsasl;ssl=true: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure (state=08S01,code=0)
- Empty values are allowed for hive.ssl.protocol.version. Hive uses the default value in that case. The same is true for hive.ssl.protocol.blacklist.
- The hive.ssl.protocol.version property is out of scope for a secure-by-default configuration. This means that it will not appear in hive-site.xml after you use the Hive configure.sh script. Nevertheless, the default value of hive.ssl.protocol.version is still TLSv1.2, and you do not need to set it explicitly.
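The interaction between hive.ssl.protocol.version and hive.ssl.protocol.blacklist described above is easy to get wrong by hand. The following script is an added example (not part of the Hive project or this documentation) that reads a hive-site.xml, applies the documented defaults for empty or missing values, and reports a version that is also blacklisted (which produces the handshake_failure above) or a deprecated protocol left negotiable; the sample hive-site.xml content is constructed.

```python
"""Audit Hive TLS protocol settings in a hive-site.xml (added example)."""
import xml.etree.ElementTree as ET

# Defaults documented for MEP 6.3.1 / 7.0.0.
DEFAULT_VERSION = "TLSv1.2"
DEFAULT_BLACKLIST = "SSLv2,SSLv3,SSLv2Hello,TLSv1,TLSv1.1"
# Protocols that should not be negotiated; SSLv2Hello is only a hello format.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def load_properties(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        value = prop.findtext("value") or ""  # empty <value/> becomes ""
        if name:
            props[name.strip()] = value.strip()
    return props

def audit_tls_settings(xml_text):
    """Resolve the effective version and blacklist; return (version, blocked, findings)."""
    props = load_properties(xml_text)
    # Empty or missing values fall back to the defaults, as the docs describe.
    version = props.get("hive.ssl.protocol.version") or DEFAULT_VERSION
    blacklist = props.get("hive.ssl.protocol.blacklist") or DEFAULT_BLACKLIST
    blocked = {v.strip() for v in blacklist.split(",") if v.strip()}
    findings = []
    if version in blocked:
        findings.append(f"{version} is configured but also blacklisted: "
                        "JDBC clients will fail with handshake_failure")
    if version in WEAK_VERSIONS:
        findings.append(f"{version} is a deprecated protocol; prefer TLSv1.2")
    for weak in sorted(WEAK_VERSIONS - blocked):
        findings.append(f"{weak} is not blacklisted and can be negotiated")
    return version, sorted(blocked), findings

# Constructed sample: the documentation's TLSv1.1 example with the trimmed blacklist.
SAMPLE_HIVE_SITE = """<configuration>
  <property>
    <name>hive.ssl.protocol.blacklist</name>
    <value>SSLv2,SSLv3,SSLv2Hello,TLSv1</value>
  </property>
  <property>
    <name>hive.ssl.protocol.version</name>
    <value>TLSv1.1</value>
  </property>
</configuration>"""

if __name__ == "__main__":
    for line in audit_tls_settings(SAMPLE_HIVE_SITE)[2]:
        print(line)
```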