József Kuti created FLINK-39969:
-----------------------------------
Summary: use the same SSL protocol and algorithms on all the flink services and all clients
Key: FLINK-39969
URL: https://issues.apache.org/jira/browse/FLINK-39969
Project: Flink
Issue Type: Bug
Components: Runtime / Configuration, Runtime / REST, Runtime / RPC
Affects Versions: 1.20.5, 1.20.1, 2.4.0
Environment: I was using the yarn-application target with FLINK 1.20.1, but it is the same for the other targets and other versions as well - I've linked the master code.
Reporter: József Kuti
When we enable the internal and rest ssl with:
* security.ssl.rest.enabled: true
* security.ssl.internal.enabled: true
* + adding the required truststore and keystore properties to the flink-conf.yaml
and we want to *override the default ssl protocol and algorithms*, for example using a non-default cipher for TLSv1.3:
* security.ssl.protocol: TLSv1.3
* security.ssl.algorithms: TLS_CHACHA20_POLY1305_SHA256
then the protocols and algorithms are not set on all the clients and services, resulting in:
{code:java}
javax.net.ssl.SSLHandshakeException: no cipher suites in common
{code}
It turned out that org.apache.flink.runtime.net.SSLUtils needs the following adjustments:
* SSLUtils#*createSSLClientSocketFactory* [*does not set* the enabled *protocols* and *cipherSuites*|https://github.com/apache/flink/blob/9bc156b7faf811ca6940a05e02df900ab9bf6627/flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java#L92-L99]
** while its server side [SSLUtils#createSSLServerSocketFactory|https://github.com/apache/flink/blob/9bc156b7faf811ca6940a05e02df900ab9bf6627/flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java#L81-L82] *does*
** resulting BlobServerConnection-s were dropping their clients - since the server expects a non-default cipher
* SSLUtils#createRestNettySSLContext [does set the enabled sslProtocols and ciphers ONLY for the clients|https://github.com/apache/flink/blob/9bc156b7faf811ca6940a05e02df900ab9bf6627/flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java#L438-L449] and skips it for the services
** Resulting Flink dashboards - MiniDispatcherRestEndpoint - use incompatible ciphers
*** one uses the java default tls config - service,
*** one uses the non-defaults, the configured one - client
I was using the yarn-application target with *FLINK 1.20.1*, but it is the same for the other targets and other versions as well - *I've linked the code from master.*
*It would be useful to configure the internal and rest clients and services the same way.* I have the fix with the related unit tests to achieve that.
We have tested it downstream already. I could contribute the fix.
Additionally I would add some debug level logs to make the printable ssl settings visible; it was really useful while I was debugging it - what ssl properties are set and where.
Just assign it to me and I will create the PR.
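As an added illustration (not Flink's code and not the reporter's patch), a hypothetical helper that applies the same protocol and cipher-suite values to both the server socket and the client socket, the symmetry the report says createSSLClientSocketFactory lacks, plus a startup check and a debug view of the effective settings. The class `SslPolicy` and its method names are assumptions; the two configuration keys are the ones from the report.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

/** One TLS policy object applied to every endpoint, so client and server cannot drift apart. */
public final class SslPolicy {
    private final String[] protocols;
    private final String[] cipherSuites;

    /** Values mirror security.ssl.protocol and security.ssl.algorithms (comma separated). */
    public SslPolicy(String protocol, String algorithms) {
        this.protocols = new String[] {protocol.trim()};
        this.cipherSuites = algorithms.trim().split("\\s*,\\s*");
    }

    /** Server side: the step the report says createSSLServerSocketFactory already performs. */
    public SSLServerSocket apply(SSLServerSocket socket) {
        socket.setEnabledProtocols(protocols);
        socket.setEnabledCipherSuites(cipherSuites);
        return socket;
    }

    /** Client side: the step the report says the client socket factory is missing; same values, same order. */
    public SSLSocket apply(SSLSocket socket) {
        socket.setEnabledProtocols(protocols);
        socket.setEnabledCipherSuites(cipherSuites);
        return socket;
    }

    /** Fail fast at startup: a suite the JVM cannot offer would otherwise surface only as "no cipher suites in common". */
    public List<String> unsupportedSuites(SSLContext context) {
        List<String> supported = Arrays.asList(context.getSupportedSSLParameters().getCipherSuites());
        List<String> missing = new ArrayList<>();
        for (String suite : cipherSuites) {
            if (!supported.contains(suite)) missing.add(suite);
        }
        return missing;
    }

    /** Debug-level view of what is actually enabled on a socket, usable as a per-connection log line. */
    public static String describe(SSLSocket socket) {
        return "protocols=" + Arrays.toString(socket.getEnabledProtocols())
                + " cipherSuites=" + Arrays.toString(socket.getEnabledCipherSuites());
    }
}
```

Calling `unsupportedSuites` on the context before any factory is built turns a mismatched `security.ssl.algorithms` value into a clear startup error rather than a handshake failure seen only on the client side.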
--
This message was sent by Atlassian Jira
(v8.20.10#820010)