Configure the TLS (SSL) Protocol Version in Hive

Beginning with EEPs 6.3.1 and 7.0.0, the default TLS (SSL) protocol version is TLSv1.2. You can set a different version with the hive.ssl.protocol.version property.

Setting the TLS (SSL) Protocol Version

To enable the direct configuration of the TLS (SSL) version, Hive provides the following property:
Property                    Type    Default Value  Description
hive.ssl.protocol.version   String  TLSv1.2        SSL protocol versions for all Hive servers.
To set a custom value for the TLS (SSL) protocol version in Hive:
  1. Add the following to the hive-site.xml file:
    <property>
    <name>hive.ssl.protocol.version</name>
    <value><custom_value></value>
    </property>
    In this example, <custom_value> can be one of the following:
    • SSLv2
    • SSLv3
    • SSLv2Hello
    • TLSv1
    • TLSv1.1
    • TLSv1.2
    For more information, see the following table:
    Algorithm Name (TLS/SSL Version)  Description
    Default                           Use the default algorithm.
    SSL                               Supports some versions of SSL; may support other versions.
    SSLv2                             Supports SSL version 2 or later; may support other versions.
    SSLv3                             Supports SSL version 3; may support other versions.
    TLS                               Supports some versions of TLS; may support other versions.
    TLSv1                             Supports RFC 2246: TLS version 1.0; may support other versions.
    TLSv1.1                           Supports RFC 4346: TLS version 1.1; may support other versions.
    TLSv1.2                           Supports RFC 5246: TLS version 1.2; may support other versions.
  2. Restart all Hive services.

Special Considerations for Protocol Versions

Note these special considerations for the protocol versions:
  • When hive.ssl.protocol.version is set to TLSv1.2, the protocol supports TLS 1.2. When hive.ssl.protocol.version is set to TLSv1, the protocol supports TLS versions up to TLS 1.0 (but not TLS 1.1 and 1.2). When hive.ssl.protocol.version is set to TLSv1.1, the protocol supports versions up to TLS 1.1 (but not TLS 1.2).
  • SSLv2Hello is not a real encryption protocol. It merely enables clients to find out which encryption protocols are supported by the server to which they connect. As long as SSLv2Hello is used only by clients and servers to negotiate a safe protocol, such as TLSv1.1 or TLSv1.2, it does not pose a security risk.
  • Hive has a property called hive.ssl.protocol.blacklist with a default value of SSLv2,SSLv3,SSLv2Hello,TLSv1,TLSv1.1. To enable a protocol that is on this list, such as TLSv1.1, you must remove it from the blacklist and then set it as the protocol version. For example:
    <property>
    <name>hive.ssl.protocol.blacklist</name>
    <value>SSLv2,SSLv3,SSLv2Hello,TLSv1</value>
    </property>
    
    <property>
    <name>hive.ssl.protocol.version</name>
    <value>TLSv1.1</value>
    </property>
  • If you set hive.ssl.protocol.version to a protocol that is still on the blacklist, connecting to HiveServer2 via JDBC fails with the following exception:
    Unknown HS2 problem when communicating with Thrift server.
    Error: Could not open client transport with JDBC Uri: jdbc:hive2://<hostname>:10000/default;auth=maprsasl;ssl=true: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure (state=08S01,code=0)
    
  • Empty values are allowed for hive.ssl.protocol.version. Hive uses the default value in that case. The same is true for hive.ssl.protocol.blacklist.
  • The hive.ssl.protocol.version property is out of scope for a secure-by-default configuration. This means that it will not appear in the hive-site.xml after you use the Hive configure.sh script. Nevertheless, the default value of hive.ssl.protocol.version is still TLSv1.2, and you do not need to set it explicitly.
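The following script is an added example, not part of the Hive project or of this page. It models the rules described above so you can check a hive-site.xml before restarting the Hive services: an empty hive.ssl.protocol.version or hive.ssl.protocol.blacklist falls back to the default, and a protocol version that also appears on the blacklist is the misconfiguration that produces the handshake_failure exception shown earlier. The three hive-site.xml snippets inside the script are constructed for the example; the function names (parse_hive_site, effective_tls_settings, check_hive_tls) are the example's own.

```python
"""Check a hive-site.xml for a TLS protocol version / blacklist conflict.

Added example; not Hive project code. It applies the rules described on the
page: an empty value means "use the default", and a hive.ssl.protocol.version
that is also listed in hive.ssl.protocol.blacklist makes JDBC clients fail
with SSLHandshakeException (handshake_failure). The sample XML documents
below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Defaults as stated on the page (EEP 6.3.1 / 7.0.0 and later).
DEFAULT_VERSION = "TLSv1.2"
DEFAULT_BLACKLIST = "SSLv2,SSLv3,SSLv2Hello,TLSv1,TLSv1.1"

# Protocol names the page lists as accepted values for hive.ssl.protocol.version.
KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"]


def parse_hive_site(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        # findtext returns "" for an empty <value></value>, None if absent
        value = prop.findtext("value") or ""
        if name:
            props[name.strip()] = value.strip()
    return props


def effective_tls_settings(props):
    """Apply the rule that an empty or missing value means 'use the default'."""
    version = props.get("hive.ssl.protocol.version", "") or DEFAULT_VERSION
    blacklist_raw = props.get("hive.ssl.protocol.blacklist", "") or DEFAULT_BLACKLIST
    blacklist = [p.strip() for p in blacklist_raw.split(",") if p.strip()]
    return version, blacklist


def check_hive_tls(xml_text):
    """Return the effective settings plus a list of problems found."""
    version, blacklist = effective_tls_settings(parse_hive_site(xml_text))
    problems = []
    if version not in KNOWN_PROTOCOLS:
        problems.append("unknown protocol name: %s" % version)
    if version in blacklist:
        # This is the combination that yields handshake_failure over JDBC.
        problems.append("%s is on hive.ssl.protocol.blacklist; JDBC clients will fail with "
                        "SSLHandshakeException: handshake_failure" % version)
    elif version != DEFAULT_VERSION:
        problems.append("%s is older than the %s default" % (version, DEFAULT_VERSION))
    return {"version": version, "blacklist": blacklist, "problems": problems}


# Constructed sample 1: empty value, so the TLSv1.2 default applies.
SAMPLE_DEFAULT = """<configuration>
  <property><name>hive.ssl.protocol.version</name><value></value></property>
</configuration>"""

# Constructed sample 2: TLSv1.1 enabled correctly (removed from the blacklist first).
SAMPLE_TLS11_OK = """<configuration>
  <property><name>hive.ssl.protocol.blacklist</name><value>SSLv2,SSLv3,SSLv2Hello,TLSv1</value></property>
  <property><name>hive.ssl.protocol.version</name><value>TLSv1.1</value></property>
</configuration>"""

# Constructed sample 3: TLSv1.1 requested but still on the default blacklist.
SAMPLE_TLS11_CONFLICT = """<configuration>
  <property><name>hive.ssl.protocol.version</name><value>TLSv1.1</value></property>
</configuration>"""


if __name__ == "__main__":
    for label, doc in [("default", SAMPLE_DEFAULT),
                       ("tls11-ok", SAMPLE_TLS11_OK),
                       ("tls11-conflict", SAMPLE_TLS11_CONFLICT)]:
        result = check_hive_tls(doc)
        print("%-15s version=%s blacklist=%s" % (label, result["version"], ",".join(result["blacklist"])))
        for problem in result["problems"]:
            print("    ! " + problem)
```

To run the check against a real file, replace the constructed samples with open("/path/to/hive-site.xml").read(); the script only reads the two properties this page documents and leaves everything else untouched.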