[ https://issues.apache.org/jira/browse/FLINK-34491 ]
Dhruv Patel deleted comment on FLINK-34491: ------------------------------------- was (Author: JIRAUSER289387): Following issue has been observed in after enabling SSL in flink. Since after migration flink uses tls1.3 as default |Change |Description | | |SSL / TLS v1.3|the handshake between the flink components now uses TLS v1.3 with Cipher: TLS_AES_256_GCM_SHA384 which is causing SSL handshake failures. {code:java} SSL3 alert read:fatal:handshake failure SSL_connect:error in error 409B7454F87F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1586:SSL alert number 40 – Server Temp Key: ECDH, prime256v1, 256 bits — SSL handshake has read 470 bytes and written 730 bytes Verification: OK — New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 This TLS version forbids renegotiation.| {code}| | > Move from experimental support to production support for Java 17 > ---------------------------------------------------------------- > > Key: FLINK-34491 > URL: https://issues.apache.org/jira/browse/FLINK-34491 > Project: Flink > Issue Type: New Feature > Affects Versions: 1.18.1 > Reporter: Dhruv Patel > Priority: Major > > This task is to move away from experimental support for Java 17 to production > support so that teams running Flink in production can migrate to Java 17 > successfully > *Background:* > Flink supports protobuf dataformat to exchange messages between different > operators and the serialization and deserialization of those protobufs are > performed by library called "Kryo". In order to move away from experimental > support of Java 17 released as part of Flink 1.18.1, the Kryo library in > Flink 1.18.1 needs to be updated from 2.24.0 to 5.5.0 because Kryo 2.24.0 > does not support Java 17. This improvement plan is tracked as part of this > ticket https://issues.apache.org/jira/browse/FLINK-3154. > All Flink applications using protobuf currently generate state with Kryo v2. > Once the above improvement plan is complete all Flink applications will fully > support reading that state and write newer state with Kryo v5. However, > latest Kryo v5 doesn't support snapshots made by a previous Kryo v2. This > will prevent applications which are using snapshot mechanism to deploy their > jobs to latest Flink version with Kryo v5 support without a bridge version > running on Java 11. Applications will have to run on a bridge release version > that will read their state with Kryo v2 data and write it with Kryo v5 data > before upgrading to a future version of Flink that completely drops support > for Kryo v2. > Basically, Flink applications using protobuf dataformat cannot move directly > from Java 8 to Java 17 without downtime after the kryo v5 release in Flink. > Applications will need to first move to Java 11 (bridging version) and then > move to Java 17 to have a safe deployment. > Migration Plan is documented here: > https://cwiki.apache.org/confluence/display/FLINK/FLIP-317%3A+Upgrade+Kryo+from+2.24.0+to+5.5.0 > *Blocker for this task:* > Upgrade to Kryo 5.5.0 which supports Java 17 > https://issues.apache.org/jira/browse/FLINK-3154. -- This message was sent by Atlassian Jira (v8.20.10#820010)