Github user StephanEwen commented on the issue:

https://github.com/apache/flink/pull/5966

I agree, we need different key/truststores for the internal/external connectivity. This PR was meant as a step in that direction, separating at least within the SSL Utils the internal and external context setup.

In your thinking, is there ever a case for a different internal authentication method than "single trusted certificate"? What if we were not tied to Akka?

(Side note: I think for internal communication, 'authentication is authorization' is probably reasonable, because there are no different users/roles for internal communication.)

Would you assume that internally, we never do hostname verification?
---