[ 
https://issues.apache.org/jira/browse/FLINK-39635?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Imre Balassa updated FLINK-39635:
---------------------------------
    Description: 
Currently {{security.ssl.protocol}} accepts only a single TLS protocol version 
string. Users who need to enable multiple protocol versions (e.g. both TLSv1.2 
and TLSv1.3) simultaneously have no way to do so. This ticket proposes 
extending the option to accept a comma-separated list.
h3. Flink is already prepared for multiple protocols — Pekko is not wired up 
correctly

Flink's internal SSL stack already works with a list of protocol versions: it 
splits {{security.ssl.protocol}} on comma ({{,}}) and calls 
{{SSLEngine.setEnabledProtocols(String[])}}, which natively accepts 
multiple values.

However, when Flink configures Pekko's RPC transport, only a *single* protocol 
string is forwarded — written directly into Pekko's {{protocol}} field (e.g. 
{{protocol = TLSv1.2}}).

h2. Proposed Change
 # Split {{security.ssl.protocol}} on comma ({{,}}) when building the Pekko 
config.
 # Write {{protocol = highest protocol available for the JVM}} and 
{{enabled-protocols = [TLSv1.2, TLSv1.3, ...]}} (specific versions) — mirroring 
the existing handling of {{security.ssl.algorithms}}.
 # Override {{createServerSSLEngine()}} and {{createClientSSLEngine()}} in 
{{CustomSSLEngineProvider}} to call {{SSLEngine.setEnabledProtocols()}} with 
the configured list, ensuring the restriction is enforced at the engine level 
as well.
 # Update the description of {{security.ssl.protocol}} to reflect that a 
comma-separated list is now supported.


  was:
Currently {{security.ssl.protocol}} accepts only a single TLS protocol version 
string. Users who need to enable multiple protocol versions (e.g. both TLSv1.2 
and TLSv1.3) simultaneously have no way to do so. This ticket proposes 
extending the option to accept a comma-separated list.
h3. Flink is already prepared for multiple protocols — Pekko is not wired up 
correctly

Flink's internal SSL stack already works with a list of protocol versions: it 
splits {{security.ssl.protocol}} on comma ({{,}}) and calls 
{{SSLEngine.setEnabledProtocols(String[])}}, which natively accepts 
multiple values.

However, when Flink configures Pekko's RPC transport, only a *single* protocol 
string is forwarded — written directly into Pekko's {{protocol}} field (e.g. 
{{protocol = TLSv1.2}}). Pekko's SSL config actually has *two separate 
fields* for this purpose:
||Pekko field||Purpose||
|{{protocol}}|Generic SSL context type, should be {{TLS}}|
|{{enabled-protocols}}|*List* of specific versions to allow, e.g. {{["TLSv1.2", 
"TLSv1.3"]}}|
h2. Proposed Change
 # Split {{security.ssl.protocol}} on comma ({{,}}) when building the Pekko 
config.
 # Write {{protocol = TLS}} (generic context) and {{enabled-protocols = 
[TLSv1.2, TLSv1.3, ...]}} (specific versions) — mirroring the existing handling 
of {{security.ssl.algorithms}}.
 # Override {{createServerSSLEngine()}} and {{createClientSSLEngine()}} in 
{{CustomSSLEngineProvider}} to call {{SSLEngine.setEnabledProtocols()}} with 
the configured list, ensuring the restriction is enforced at the engine level 
as well.
 # Update the description of {{security.ssl.protocol}} to reflect that a 
comma-separated list is now supported.



> [security] Support comma-separated list in security.ssl.protocol
> ----------------------------------------------------------------
>
>                 Key: FLINK-39635
>                 URL: https://issues.apache.org/jira/browse/FLINK-39635
>             Project: Flink
>          Issue Type: Improvement
>          Components: Runtime / RPC
>    Affects Versions: 1.20.0, 2.4.0
>            Reporter: Imre Balassa
>            Assignee: Imre Balassa
>            Priority: Major
>              Labels: pull-request-available
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

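The four steps of the proposed change, carried through end to end as an added illustration (this is not Flink's or Pekko's code, nor the reporter's patch). It splits a sample {{security.ssl.protocol}} value, rejects versions the running JVM cannot offer, renders the Pekko fragment with a generic {{protocol}} plus an explicit {{enabled-protocols}} list, and then pins freshly created server and client {{SSLEngine}} instances to that list the way the proposed {{createServerSSLEngine()}}/{{createClientSSLEngine()}} overrides would. The config path {{pekko.remote.classic.netty.ssl.security}}, the sample option value and every method name here are assumptions for the example; for the {{protocol}} field it follows the current wording (highest version available to the JVM), whereas the earlier revision of the ticket wrote the literal {{TLS}}.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Illustrative handling of a comma-separated security.ssl.protocol value (not Flink code). */
public final class SslProtocolListDemo {

    // Constructed sample value for security.ssl.protocol; note the stray whitespace and trailing comma.
    static final String SAMPLE_OPTION_VALUE = " TLSv1.2 ,TLSv1.3, ";

    // Assumed Pekko config path; Flink's real config builder may use a different key.
    static final String PEKKO_SSL_PATH = "pekko.remote.classic.netty.ssl.security";

    /** Step 1: split on comma, trim, drop empty entries, keep order, drop duplicates. */
    static List<String> parseProtocolList(String value) {
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalArgumentException("security.ssl.protocol must name at least one TLS version");
        }
        Set<String> seen = new LinkedHashSet<>();
        for (String part : value.split(",")) {
            String p = part.trim();
            if (!p.isEmpty()) {
                seen.add(p);
            }
        }
        return new ArrayList<>(seen);
    }

    /** Fail at startup on versions the JVM's provider cannot offer, not at the first handshake. */
    static void checkSupported(List<String> requested, SSLContext ctx) {
        Set<String> supported = new HashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        List<String> unknown = new ArrayList<>();
        for (String p : requested) {
            if (!supported.contains(p)) {
                unknown.add(p);
            }
        }
        if (!unknown.isEmpty()) {
            throw new IllegalArgumentException("unsupported TLS protocol(s) " + unknown + "; JVM supports " + supported);
        }
    }

    /** Highest TLSv1.x name in a set; used for Pekko's generic "protocol" field. */
    static String highestTlsVersion(Collection<String> candidates) {
        String best = null;
        double bestVersion = -1;
        for (String p : candidates) {
            if (!p.startsWith("TLSv1")) {
                continue; // ignore SSLv3, SSLv2Hello and similar
            }
            double v = p.equals("TLSv1") ? 1.0 : Double.parseDouble(p.substring("TLSv".length()));
            if (v > bestVersion) {
                bestVersion = v;
                best = p;
            }
        }
        if (best == null) {
            throw new IllegalStateException("no TLSv1.x protocol in " + candidates);
        }
        return best;
    }

    /** Step 2: render the HOCON fragment with the context type and the explicit version list. */
    static String renderPekkoSslConfig(String contextProtocol, List<String> enabled) {
        StringBuilder sb = new StringBuilder();
        sb.append(PEKKO_SSL_PATH).append(" {\n");
        sb.append("  protocol = \"").append(contextProtocol).append("\"\n");
        sb.append("  enabled-protocols = [");
        for (int i = 0; i < enabled.size(); i++) {
            if (i > 0) {
                sb.append(", ");
            }
            sb.append('"').append(enabled.get(i)).append('"');
        }
        sb.append("]\n}\n");
        return sb.toString();
    }

    /** Step 3: what the createServerSSLEngine()/createClientSSLEngine() overrides would do. */
    static SSLEngine restrictEngine(SSLEngine engine, List<String> enabled, boolean clientMode) {
        engine.setUseClientMode(clientMode);
        engine.setEnabledProtocols(enabled.toArray(new String[0])); // throws on unsupported names
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key/trust managers suffice to inspect protocol support

        List<String> enabled = parseProtocolList(SAMPLE_OPTION_VALUE);
        checkSupported(enabled, ctx);
        String contextProtocol = highestTlsVersion(Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.print(renderPekkoSslConfig(contextProtocol, enabled));

        SSLEngine server = restrictEngine(ctx.createSSLEngine(), enabled, false);
        SSLEngine client = restrictEngine(ctx.createSSLEngine(), enabled, true);
        System.out.println("server engine: " + Arrays.toString(server.getEnabledProtocols()));
        System.out.println("client engine: " + Arrays.toString(client.getEnabledProtocols()));

        // A typo in the option is caught before any RPC endpoint is bound.
        try {
            checkSupported(parseProtocolList("TLSv1.2,TLSv1.4"), ctx);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Reading {{getEnabledProtocols()}} back from both engines is the check worth keeping in a test: it proves the restriction holds at the engine level regardless of what the HOCON fragment says, which is exactly why the ticket proposes the override in addition to the config change.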