[ https://issues.apache.org/jira/browse/FLINK-34491 ]
Dhruv Patel deleted comment on FLINK-34491:
-------------------------------------
was (Author: JIRAUSER289387):
The following issue has been observed after enabling SSL in Flink, since after
migration Flink uses TLS 1.3 as default.
|Change |Description | |
|SSL / TLS v1.3|The handshake between the Flink components now uses TLS v1.3
with Cipher:
TLS_AES_256_GCM_SHA384
which is causing SSL handshake failures.
{code:java}
SSL3 alert read:fatal:handshake failure
SSL_connect:error in error
409B7454F87F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert
handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40
–
Server Temp Key: ECDH, prime256v1, 256 bits
—
SSL handshake has read 470 bytes and written 730 bytes
Verification: OK
—
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
This TLS version forbids renegotiation.| {code}| |
> Move from experimental support to production support for Java 17
> ----------------------------------------------------------------
>
> Key: FLINK-34491
> URL: https://issues.apache.org/jira/browse/FLINK-34491
> Project: Flink
> Issue Type: New Feature
> Affects Versions: 1.18.1
> Reporter: Dhruv Patel
> Priority: Major
>
> This task is to move away from experimental support for Java 17 to production
> support so that teams running Flink in production can migrate to Java 17
> successfully.
> *Background:*
> Flink supports the protobuf data format to exchange messages between different
> operators, and the serialization and deserialization of those protobufs are
> performed by a library called "Kryo". In order to move away from experimental
> support of Java 17 released as part of Flink 1.18.1, the Kryo library in
> Flink 1.18.1 needs to be updated from 2.24.0 to 5.5.0 because Kryo 2.24.0
> does not support Java 17. This improvement plan is tracked as part of this
> ticket https://issues.apache.org/jira/browse/FLINK-3154.
> All Flink applications using protobuf currently generate state with Kryo v2.
> Once the above improvement plan is complete, all Flink applications will fully
> support reading that state and write newer state with Kryo v5. However, the
> latest Kryo v5 doesn't support snapshots made by a previous Kryo v2. This
> will prevent applications which are using the snapshot mechanism from deploying
> their jobs to the latest Flink version with Kryo v5 support without a bridge
> version running on Java 11. Applications will have to run on a bridge release
> version that will read their state with Kryo v2 data and write it with Kryo v5
> data before upgrading to a future version of Flink that completely drops
> support for Kryo v2.
> Basically, Flink applications using the protobuf data format cannot move directly
> from Java 8 to Java 17 without downtime after the Kryo v5 release in Flink.
> Applications will need to first move to Java 11 (bridging version) and then
> move to Java 17 to have a safe deployment.
> Migration Plan is documented here:
> https://cwiki.apache.org/confluence/display/FLINK/FLIP-317%3A+Upgrade+Kryo+from+2.24.0+to+5.5.0
> *Blocker for this task:*
> Upgrade to Kryo 5.5.0 which supports Java 17
> https://issues.apache.org/jira/browse/FLINK-3154.