Configure the TLS (SSL) Protocol Version in Hive
Beginning with EEPs 6.3.1 and 7.0.0, the default protocol version for TLS (SSL) is TLSv1.2, but you can use the `hive.ssl.protocol.version` property to set a custom value for TLS (SSL).
Setting the TLS (SSL) Protocol Version
To enable the direct configuration of the TLS (SSL) version, Hive provides the following property:
| Property | Type | Default Value | Description |
|---|---|---|---|
| `hive.ssl.protocol.version` | String | `TLSv1.2` | SSL protocol versions for all Hive servers. |
To set a custom value for the TLS (SSL) protocol version in Hive:

- Add the following to the `hive-site.xml` file:

  ```xml
  <property>
    <name>hive.ssl.protocol.version</name>
    <value><custom_value></value>
  </property>
  ```

  In this example, `<custom_value>` can be one of the following: `SSLv2`, `SSLv3`, `SSLv2Hello`, `TLSv1`, `TLSv1.1`, `TLSv1.2`.

  | # | Algorithm Name (TLS/SSL Version) | Description |
  |---|---|---|
  | 1 | Default | Use the default algorithm. |
  | 2 | SSL | Supports some versions of SSL; may support other versions. |
  | 3 | SSLv2 | Supports SSL version 2 or later; may support other versions. |
  | 4 | SSLv3 | Supports SSL version 3; may support other versions. |
  | 5 | TLS | Supports some versions of TLS; may support other versions. |
  | 6 | TLSv1 | Supports RFC 2246: TLS version 1.0; may support other versions. |
  | 7 | TLSv1.1 | Supports RFC 4346: TLS version 1.1; may support other versions. |
  | 8 | TLSv1.2 | Supports RFC 5246: TLS version 1.2; may support other versions. |

- Restart all Hive services.
Special Considerations for Protocol Versions
Note these special considerations for the protocol versions:
- When `hive.ssl.protocol.version` is set to `TLSv1.2`, the protocol supports TLS 1.2. When it is set to `TLSv1`, the protocol supports TLS versions up to TLS 1.0 (but not TLS 1.1 and 1.2). When it is set to `TLSv1.1`, the protocol supports versions up to TLS 1.1 (but not TLS 1.2). `SSLv2Hello` is not a real encryption protocol. It merely enables clients to find out which encryption protocols are supported by the server to which they connect. As long as `SSLv2Hello` is used only by clients and servers to negotiate a safe protocol, such as `TLSv1.1` or `TLSv1.2`, it does not pose a security risk.
- Hive has a property called `hive.ssl.protocol.blacklist` with a default value of `SSLv2,SSLv3,SSLv2Hello,TLSv1,TLSv1.1`. If you want to enable `TLSv1.1`, for example, you must remove it from the blacklist. For example:

  ```xml
  <property>
    <name>hive.ssl.protocol.blacklist</name>
    <value>SSLv2,SSLv3,SSLv2Hello,TLSv1</value>
  </property>
  <property>
    <name>hive.ssl.protocol.version</name>
    <value>TLSv1.1</value>
  </property>
  ```

- If you use a TLS (SSL) protocol version that is on the blacklist, you will get the following exception when connecting to HiveServer2 via JDBC:

  ```
  Unknown HS2 problem when communicating with Thrift server. Error: Could not open client transport with JDBC Uri: jdbc:hive2://<hostname>:10000/default;auth=maprsasl;ssl=true: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure (state=08S01,code=0)
  ```

- Empty values are allowed for `hive.ssl.protocol.version`. Hive uses the default value in that case. The same is true for `hive.ssl.protocol.blacklist`.
- The `hive.ssl.protocol.version` property is out of scope for the secure-by-default configuration. This means that it will not appear in `hive-site.xml` after you run the Hive `configure.sh` script. Nevertheless, the default value of `hive.ssl.protocol.version` is still `TLSv1.2`, and you do not need to set it explicitly.
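The interplay between `hive.ssl.protocol.version` and `hive.ssl.protocol.blacklist` described above can be checked before restarting Hive services. The following Python script is an added example, not part of this documentation or of Hive itself: it parses a `hive-site.xml` fragment, applies the documented defaults for missing or empty values, and reports when the configured version is also on the blacklist (the combination that surfaces as the `handshake_failure` shown above) or is weaker than the `TLSv1.2` default. The sample configurations are constructed.

```python
import xml.etree.ElementTree as ET
# Documented defaults for EEP 6.3.1 / 7.0.0; this checker is illustrative, not Hive code.
DEFAULT_VERSION = "TLSv1.2"
DEFAULT_BLACKLIST = "SSLv2,SSLv3,SSLv2Hello,TLSv1,TLSv1.1"
KNOWN_VERSIONS = {"SSLv2", "SSLv3", "SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"}


def read_properties(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = (prop.findtext("name") or "").strip()
        props[name] = (prop.findtext("value") or "").strip()  # "" means "use default"
    return props


def effective_tls_settings(props):
    """Apply Hive's documented defaults when a property is absent or empty."""
    version = props.get("hive.ssl.protocol.version") or DEFAULT_VERSION
    raw = props.get("hive.ssl.protocol.blacklist") or DEFAULT_BLACKLIST
    return version, {v.strip() for v in raw.split(",") if v.strip()}


def check_hive_site(xml_text):
    """Return (effective_version, problems); an empty list means the config is consistent."""
    version, blacklist = effective_tls_settings(read_properties(xml_text))
    problems = []
    if version not in KNOWN_VERSIONS:
        problems.append(f"unknown protocol version {version!r}")
    if version in blacklist:
        # JDBC clients see this as SSLHandshakeException: Received fatal alert: handshake_failure
        problems.append(f"{version} is also listed in hive.ssl.protocol.blacklist")
    if version != "TLSv1.2" and version in KNOWN_VERSIONS:
        problems.append(f"{version} is weaker than the TLSv1.2 default")
    return version, problems


# Constructed sample configurations (not taken from a real cluster).
CONSISTENT = """<configuration>
  <property><name>hive.ssl.protocol.blacklist</name><value>SSLv2,SSLv3,SSLv2Hello,TLSv1</value></property>
  <property><name>hive.ssl.protocol.version</name><value>TLSv1.1</value></property>
</configuration>"""
CONFLICTING = """<configuration>
  <property><name>hive.ssl.protocol.version</name><value>TLSv1.1</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, xml in (("consistent", CONSISTENT), ("conflicting", CONFLICTING)):
        print(label, check_hive_site(xml))
```

The `CONFLICTING` sample reproduces the documented failure: `TLSv1.1` is selected but never removed from the default blacklist.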