Imre Balassa created FLINK-39635:
------------------------------------

             Summary: [security] Support comma-separated list in security.ssl.protocol
                 Key: FLINK-39635
                 URL: https://issues.apache.org/jira/browse/FLINK-39635
             Project: Flink
          Issue Type: Improvement
          Components: Runtime / RPC
    Affects Versions: 1.20.0, 2.4.0
            Reporter: Imre Balassa


Currently {{security.ssl.protocol}} accepts only a single TLS protocol version 
string. Users who need to enable multiple protocol versions (e.g. both TLSv1.2 
and TLSv1.3) simultaneously have no way to do so. This ticket proposes 
extending the option to accept a comma-separated list.
h3. Flink is already prepared for multiple protocols — Pekko is not wired up correctly

Flink's internal SSL stack already works with a list of protocol versions: it 
splits {{security.ssl.protocol}} on comma ({{,}}) and calls 
{{SSLEngine.setEnabledProtocols(String[])}}, which natively accepts 
multiple values.

However, when Flink configures Pekko's RPC transport, only a *single* protocol 
string is forwarded — written directly into Pekko's {{protocol}} field (e.g. 
{{protocol = TLSv1.2}}). Pekko's SSL config actually has *two separate 
fields* for this purpose:
||Pekko field||Purpose||
|{{protocol}}|Generic SSL context type, should be {{TLS}}|
|{{enabled-protocols}}|*List* of specific versions to allow, e.g. {{["TLSv1.2", "TLSv1.3"]}}|
h2. Proposed Change
 # Split {{security.ssl.protocol}} on comma ({{,}}) when building the Pekko 
config.
 # Write {{protocol = TLS}} (generic context) and {{enabled-protocols = 
[TLSv1.2, TLSv1.3, ...]}} (specific versions) — mirroring the existing handling 
of {{security.ssl.algorithms}}.
 # Override {{createServerSSLEngine()}} and {{createClientSSLEngine()}} in 
{{CustomSSLEngineProvider}} to call {{SSLEngine.setEnabledProtocols()}} with 
the configured list, ensuring the restriction is enforced at the engine level 
as well.
 # Update the description of {{security.ssl.protocol}} to reflect that a 
comma-separated list is now supported.
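Added example (not Flink's or Pekko's own code) of the steps above in Java: parse the comma-separated value, render the two Pekko fields, and enforce the same list on an {{SSLEngine}} created from a generic {{TLS}} context. The class and method names are hypothetical; the point is that the version restriction comes from the enabled list and is rejected early if a name is not supported by the JDK.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Hypothetical helper; not Flink's CustomSSLEngineProvider. */
public final class SslProtocolListExample {

    /** Split security.ssl.protocol on commas, trimming entries and dropping empty ones. */
    static List<String> parseProtocolList(String configured) {
        List<String> out = new ArrayList<>();
        for (String p : configured.split(",")) {
            String v = p.trim();
            if (!v.isEmpty()) out.add(v);
        }
        if (out.isEmpty()) throw new IllegalArgumentException("security.ssl.protocol is empty");
        return out;
    }

    /** Render the two Pekko fields: generic context type plus the explicit version list. */
    static String toPekkoSslConfig(List<String> protocols) {
        StringBuilder sb = new StringBuilder("protocol = TLS\nenabled-protocols = [");
        for (int i = 0; i < protocols.size(); i++) {
            if (i > 0) sb.append(", ");
            sb.append('"').append(protocols.get(i)).append('"');
        }
        return sb.append("]\n").toString();
    }

    /** Enforce the list on the engine itself; fail fast on names the JDK does not support. */
    static SSLEngine restrictEngine(SSLEngine engine, List<String> protocols) {
        Set<String> supported = new HashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        for (String p : protocols) {
            if (!supported.contains(p)) {
                throw new IllegalArgumentException("unsupported protocol in security.ssl.protocol: " + p);
            }
        }
        engine.setEnabledProtocols(protocols.toArray(new String[0]));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        List<String> protocols = parseProtocolList("TLSv1.2, TLSv1.3"); // constructed sample value
        System.out.print(toPekkoSslConfig(protocols));
        SSLContext ctx = SSLContext.getInstance("TLS"); // generic context, as in protocol = TLS
        ctx.init(null, null, null);                     // default key and trust managers
        SSLEngine engine = restrictEngine(ctx.createSSLEngine(), protocols);
        System.out.println(Arrays.toString(engine.getEnabledProtocols()));
    }
}
```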

--
This message was sent by Atlassian Jira
(v8.20.10#820010)