MLE-27557: Fix weak crypto - replace insecure TLSv1 with TLSv1.3 in ContentReader.java #579
Pull request overview
Updates the Hadoop Connector example ContentReader to use TLS 1.3 instead of TLS 1.0 for SSL connections, addressing the weak-cryptography concern referenced in MLE-27557.
Changes:
- Switch enabled SSL protocol from TLSv1 to TLSv1.3.
- Switch SSLContext initialization from TLSv1 to TLSv1.3.
- Remove the hardcoded (TLS 1.0-era) cipher suite allowlist from the example.
NeoSaber
left a comment
The changes look good to me. The issue copilot found seems important to address, but it also looks out of scope for this PR. I suggest making a ticket for that one so it can be handled by someone later.
DarrenJAN
left a comment
This change looks good to me.
The mapreduce module is not used in the MLCP workflows, so I am fine with this change to appease the Polaris scan.
This PR addresses a weak cryptography security issue (MLE-27557) by replacing the insecure TLSv1 protocol with TLSv1.3 in ContentReader.java. TLSv1 is considered cryptographically weak and vulnerable to various attacks. Upgrading to TLSv1.3 ensures stronger encryption and improved security posture.

Ran the 06mlcp test suite — no regression failures were found in testing.
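
The three changes listed in the overview, as an added example that is not code from this PR or from ContentReader.java: it initializes a TLSv1.3 context, pins the enabled protocol list, sets no cipher suite allowlist, and then checks the result. In JSSE the name passed to SSLContext.getInstance does not by itself restrict a connection to that version, so the enabled-protocol list is what a reviewer should verify. The class and method names are hypothetical, and a JDK with TLS 1.3 support (11 or later) is assumed.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical class for illustration; not part of the connector example.
public class Tls13ContextCheck {

    // Context initialization with "TLSv1.3" instead of "TLSv1".
    // Passing nulls selects the default key managers, trust managers and SecureRandom.
    static SSLContext newContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, null, null);
        return ctx;
    }

    // Client engine with the enabled protocols pinned to TLS 1.3 only.
    // No setCipherSuites call: the provider's default suites are used
    // rather than a hardcoded allowlist.
    static SSLEngine pinnedEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.3"});
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = newContext();

        // What the context enables before pinning; this list can include
        // versions older than TLS 1.3, depending on the JDK's security settings.
        SSLEngine defaults = ctx.createSSLEngine();
        System.out.println("default enabled protocols: "
                + Arrays.toString(defaults.getEnabledProtocols()));

        SSLEngine pinned = pinnedEngine(ctx);
        System.out.println("pinned enabled protocols:  "
                + Arrays.toString(pinned.getEnabledProtocols()));

        // Fail loudly if anything other than TLS 1.3 remains enabled.
        for (String protocol : pinned.getEnabledProtocols()) {
            if (!"TLSv1.3".equals(protocol)) {
                throw new IllegalStateException("unexpected protocol enabled: " + protocol);
            }
        }
    }
}
```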