[
https://issues.apache.org/jira/browse/FLINK-5981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15924219#comment-15924219
]
ASF GitHub Bot commented on FLINK-5981:
---------------------------------------
Github user StephanEwen commented on a diff in the pull request:
https://github.com/apache/flink/pull/3486#discussion_r105910791
--- Diff:
flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java ---
@@ -125,4 +129,99 @@ public void
testCreateSSLServerContextMisconfiguration() {
}
}
+ /**
+ * Tests if SSL Server Context creation fails with bad SSL configuration
+ */
+ @Test
+ public void testCreateSSLServerContextWithMultiProtocols() {
+
+ Configuration serverConfig = new Configuration();
+ serverConfig.setBoolean(ConfigConstants.SECURITY_SSL_ENABLED,
true);
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE,
"src/test/resources/local127.keystore");
+
serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE_PASSWORD,
"password");
+
serverConfig.setString(ConfigConstants.SECURITY_SSL_KEY_PASSWORD, "password");
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_PROTOCOL,
"TLSv1,TLSv1.2");
+
+ try {
+ SSLContext serverContext =
SSLUtils.createSSLServerContext(serverConfig);
+ Assert.fail("SSL server context created even with
multiple protocols set ");
+ } catch (Exception e) {
+ // Exception here is valid
+ }
+ }
+
+ /**
+ * Tests if SSLUtils set the right ssl version and cipher suites for
SSLServerSocket
+ */
+ @Test
+ public void testSetSSLVersionAndCipherSuitesForSSLServerSocket() throws
Exception {
+
+ Configuration serverConfig = new Configuration();
+ serverConfig.setBoolean(ConfigConstants.SECURITY_SSL_ENABLED,
true);
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE,
"src/test/resources/local127.keystore");
+
serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE_PASSWORD,
"password");
+
serverConfig.setString(ConfigConstants.SECURITY_SSL_KEY_PASSWORD, "password");
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_PROTOCOL,
"TLSv1.1");
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_ALGORITHMS,
"TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256");
+
+ int port = new Random().nextInt(65535);
+ SSLContext serverContext =
SSLUtils.createSSLServerContext(serverConfig);
+ ServerSocket socket = null;
+ try {
+ socket =
serverContext.getServerSocketFactory().createServerSocket(port);
+
+ String[] protocols = ((SSLServerSocket)
socket).getEnabledProtocols();
+ String[] algorithms = ((SSLServerSocket)
socket).getEnabledCipherSuites();
+ Assert.assertTrue(protocols.length > 1);
+ Assert.assertTrue(algorithms.length > 2);
+
+ SSLUtils.setSSLVerAndCipherSuites(socket, serverConfig);
+ protocols = ((SSLServerSocket)
socket).getEnabledProtocols();
+ algorithms = ((SSLServerSocket)
socket).getEnabledCipherSuites();
+ Assert.assertTrue(protocols.length == 1);
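Review bot: In testSetSSLVersionAndCipherSuitesForSSLServerSocket, `int port = new Random().nextInt(65535);` can return a port that is already bound, or one in the privileged range below 1024, so `createServerSocket(port)` may throw a bind error that has nothing to do with the SSL settings under test. Passing 0 lets the OS assign a free port and removes that source of flakiness. The Javadoc on testCreateSSLServerContextWithMultiProtocols ("fails with bad SSL configuration") would also be clearer if it named the actual case, a comma-separated protocol list in SECURITY_SSL_PROTOCOL.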
--- End diff --
Using `assertEquals` often helps in failing tests, because it prints
expected and actual values. `assertTrue` gives no good error message (other
than that the condition was violated).
> SSL version and cipher suites cannot be constrained as configured
> -----------------------------------------------------------------
>
> Key: FLINK-5981
> URL: https://issues.apache.org/jira/browse/FLINK-5981
> Project: Flink
> Issue Type: Bug
> Components: Security
> Reporter: Tao Wang
> Assignee: Tao Wang
>
> I configured SSL and started a Flink job, but found that the configured
> properties are not applied properly:
> akka port: only the cipher suites are applied correctly, the SSL version is not
> blob server/netty server: both the SSL version and the cipher suites are not
> what I configured
> I've found out the reason why:
> http://stackoverflow.com/questions/11504173/sslcontext-initialization (for
> blob server and netty server)
> https://groups.google.com/forum/#!topic/akka-user/JH6bGnWE8kY (for akka ssl
> version, it's fixed in akka 2.4: https://github.com/akka/akka/pull/21078)
> I'll fix the issue on blob server and netty server, and it seems like only
> an upgrade of akka can solve the issue on the akka side (we'll consider that
> later, as an upgrade is not a small action).
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)