Configure the TLS (SSL) Protocol Version in Hive

Beginning with EEPs 6.3.1 and 7.0.0, the default protocol version for TLS (SSL) is TLSv1.2, but you can use the hive.ssl.protocol.version property to set a custom value for TLS (SSL).
Setting the TLS (SSL) Protocol Version

To enable the direct configuration of the TLS (SSL) version, Hive provides the following property:

| Property | Type | Default Value | Description |
|---|---|---|---|
| hive.ssl.protocol.version | String | TLSv1.2 | SSL protocol versions for all Hive servers. |
To set a custom value for the TLS (SSL) protocol version in Hive:

- Add the following to the hive-site.xml file:

  ```xml
  <property>
    <name>hive.ssl.protocol.version</name>
    <value><custom_value></value>
  </property>
  ```

  In this example, <custom_value> can be one of the following: SSLv2, SSLv3, SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2.

  | # | Algorithm Name (TLS/SSL Version) | Description |
  |---|---|---|
  | 1 | Default | Use the default algorithm. |
  | 2 | SSL | Supports some versions of SSL; may support other versions. |
  | 3 | SSLv2 | Supports SSL version 2 or later; may support other versions. |
  | 4 | SSLv3 | Supports SSL version 3; may support other versions. |
  | 5 | TLS | Supports some versions of TLS; may support other versions. |
  | 6 | TLSv1 | Supports RFC 2246: TLS version 1.0; may support other versions. |
  | 7 | TLSv1.1 | Supports RFC 4346: TLS version 1.1; may support other versions. |
  | 8 | TLSv1.2 | Supports RFC 5246: TLS version 1.2; may support other versions. |

- Restart all Hive services.
Special Considerations for Protocol Versions

Note these special considerations for the protocol versions:

- When hive.ssl.protocol.version is set to TLSv1.2, the protocol supports TLS 1.2. When hive.ssl.protocol.version is set to TLSv1, the protocol supports TLS versions up to TLS 1.0 (but not TLS 1.1 and 1.2). When hive.ssl.protocol.version is set to TLSv1.1, the protocol supports versions up to TLS 1.1 (but not TLS 1.2). SSLv2Hello is not a real encryption protocol. It merely enables clients to find out which encryption protocols are supported by the server to which they connect. As long as SSLv2Hello is used only by clients and servers to negotiate a safe protocol, such as TLSv1.1 or TLSv1.2, it does not pose a security risk.
- Hive has a property called hive.ssl.protocol.blacklist with a default value of SSLv2,SSLv3,SSLv2Hello,TLSv1,TLSv1.1. If you want to enable TLSv1.1, for example, you must remove it from the blacklist above. For example:

  ```xml
  <property>
    <name>hive.ssl.protocol.blacklist</name>
    <value>SSLv2,SSLv3,SSLv2Hello,TLSv1</value>
  </property>
  <property>
    <name>hive.ssl.protocol.version</name>
    <value>TLSv1.1</value>
  </property>
  ```

- If you use a TLS (SSL) protocol version that is in the blacklist, you will get the following exception when connecting to HiveServer2 via JDBC:

  ```
  Unknown HS2 problem when communicating with Thrift server. Error: Could not open client transport with JDBC Uri: jdbc:hive2://<hostname>:10000/default;auth=maprsasl;ssl=true: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure (state=08S01,code=0)
  ```

- Empty values are allowed for hive.ssl.protocol.version. Hive uses the default value in that case. The same is true for hive.ssl.protocol.blacklist.
- The hive.ssl.protocol.version property is out of scope for a secure-by-default configuration. This means that it will not appear in the hive-site.xml after you use the Hive configure.sh script. Nevertheless, the default value of hive.ssl.protocol.version is still TLSv1.2, and you do not need to set it explicitly.
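The two rules above (an empty value falls back to the default, and a version that is still in hive.ssl.protocol.blacklist produces handshake_failure) are easy to get wrong when editing hive-site.xml by hand. The following Python script is an added example, not part of this page or of Hive itself: it parses a hive-site.xml, resolves the effective hive.ssl.protocol.version and hive.ssl.protocol.blacklist using the defaults stated on this page, flags the blacklisted combination before any service is restarted, and generates the paired property entries needed to enable a version (the TLSv1.1 case shown above). The sample configurations embedded in it are constructed for the demonstration; the function and constant names are the example's own.

```python
"""Check a hive-site.xml for a hive.ssl.protocol.version value that is
also listed in hive.ssl.protocol.blacklist, the combination that makes
JDBC clients fail with SSLHandshakeException: handshake_failure.
Added example; not Hive code."""
import xml.etree.ElementTree as ET

# Defaults stated on the page for Hive in EEP 6.3.1 / 7.0.0.
DEFAULT_PROTOCOL_VERSION = "TLSv1.2"
DEFAULT_BLACKLIST = "SSLv2,SSLv3,SSLv2Hello,TLSv1,TLSv1.1"
# Values the page lists as accepted for hive.ssl.protocol.version.
KNOWN_VERSIONS = {"SSLv2", "SSLv3", "SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"}


def parse_hive_site(xml_text):
    """Return {property name: value} for every <property> in a hive-site.xml."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name:
            props[name] = value
    return props


def effective_value(props, name, default):
    """Hive falls back to the default when the property is absent or empty."""
    return props.get(name) or default


def split_list(raw):
    """Split a comma-separated property value into its trimmed entries."""
    return [p.strip() for p in raw.split(",") if p.strip()]


def check_ssl_protocol(xml_text):
    """Resolve the effective protocol version and blacklist and report
    whether a JDBC client can be expected to complete the handshake."""
    props = parse_hive_site(xml_text)
    version = effective_value(props, "hive.ssl.protocol.version", DEFAULT_PROTOCOL_VERSION)
    blacklist = split_list(
        effective_value(props, "hive.ssl.protocol.blacklist", DEFAULT_BLACKLIST))
    problems = []
    if version not in KNOWN_VERSIONS:
        problems.append(f"{version!r} is not a recognised protocol version value")
    if version in blacklist:
        problems.append(
            f"{version} is in hive.ssl.protocol.blacklist; clients will get handshake_failure")
    return {"version": version, "blacklist": blacklist, "problems": problems, "ok": not problems}


def enable_protocol_version(version, blacklist=DEFAULT_BLACKLIST):
    """Build the two <property> entries needed to use `version`: the blacklist
    with that version removed, plus hive.ssl.protocol.version itself."""
    if version not in KNOWN_VERSIONS:
        raise ValueError(f"unsupported protocol version: {version}")
    remaining = [p for p in split_list(blacklist) if p != version]
    return (
        "<property>\n"
        "  <name>hive.ssl.protocol.blacklist</name>\n"
        f"  <value>{','.join(remaining)}</value>\n"
        "</property>\n"
        "<property>\n"
        "  <name>hive.ssl.protocol.version</name>\n"
        f"  <value>{version}</value>\n"
        "</property>\n"
    )


# Constructed sample configurations (not taken from a real cluster).
# TLSv1.1 requested while the default blacklist still lists it.
MISCONFIGURED = """<configuration>
  <property><name>hive.ssl.protocol.version</name><value>TLSv1.1</value></property>
</configuration>"""

# The corrected pair of properties, as generated by enable_protocol_version.
CORRECTED = "<configuration>\n" + enable_protocol_version("TLSv1.1") + "</configuration>"

# Empty values: Hive applies the defaults for both properties.
EMPTY_VALUES = """<configuration>
  <property><name>hive.ssl.protocol.version</name><value></value></property>
  <property><name>hive.ssl.protocol.blacklist</name><value></value></property>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in [("misconfigured", MISCONFIGURED),
                       ("corrected", CORRECTED),
                       ("empty values", EMPTY_VALUES)]:
        print(label, check_ssl_protocol(cfg))
```

Run it against a real hive-site.xml by reading the file into check_ssl_protocol before restarting the Hive services; a non-empty problems list is the condition that would otherwise surface only as the JDBC handshake_failure shown above.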