[
https://issues.apache.org/jira/browse/FLINK-5981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15925930#comment-15925930
]
ASF GitHub Bot commented on FLINK-5981:
---------------------------------------
Github user StephanEwen commented on a diff in the pull request:
https://github.com/apache/flink/pull/3486#discussion_r106140551
--- Diff:
flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java ---
@@ -125,4 +129,101 @@ public void
testCreateSSLServerContextMisconfiguration() {
}
}
+ /**
+ * Tests if SSL Server Context creation fails with bad SSL configuration
+ */
+ @Test
+ public void testCreateSSLServerContextWithMultiProtocols() {
+
+ Configuration serverConfig = new Configuration();
+ serverConfig.setBoolean(ConfigConstants.SECURITY_SSL_ENABLED,
true);
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE,
"src/test/resources/local127.keystore");
+
serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE_PASSWORD,
"password");
+
serverConfig.setString(ConfigConstants.SECURITY_SSL_KEY_PASSWORD, "password");
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_PROTOCOL,
"TLSv1,TLSv1.2");
+
+ try {
+ SSLContext serverContext =
SSLUtils.createSSLServerContext(serverConfig);
+ Assert.fail("SSL server context created even with
multiple protocols set ");
+ } catch (Exception e) {
+ // Exception here is valid
+ }
+ }
+
+ /**
+ * Tests if SSLUtils set the right ssl version and cipher suites for
SSLServerSocket
+ */
+ @Test
+ public void testSetSSLVersionAndCipherSuitesForSSLServerSocket() throws
Exception {
+
+ Configuration serverConfig = new Configuration();
+ serverConfig.setBoolean(ConfigConstants.SECURITY_SSL_ENABLED,
true);
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE,
"src/test/resources/local127.keystore");
+
serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE_PASSWORD,
"password");
+
serverConfig.setString(ConfigConstants.SECURITY_SSL_KEY_PASSWORD, "password");
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_PROTOCOL,
"TLSv1.1");
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_ALGORITHMS,
"TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256");
+
+ int port = new Random().nextInt(65535);
+ SSLContext serverContext =
SSLUtils.createSSLServerContext(serverConfig);
+ ServerSocket socket = null;
+ try {
+ socket =
serverContext.getServerSocketFactory().createServerSocket(port);
+
+ String[] protocols = ((SSLServerSocket)
socket).getEnabledProtocols();
+ String[] algorithms = ((SSLServerSocket)
socket).getEnabledCipherSuites();
+
+ Assert.assertNotEquals(protocols.length, 1);
+ Assert.assertNotEquals(algorithms.length, 2);
+
+ SSLUtils.setSSLVerAndCipherSuites(socket, serverConfig);
+ protocols = ((SSLServerSocket)
socket).getEnabledProtocols();
+ algorithms = ((SSLServerSocket)
socket).getEnabledCipherSuites();
+
+ Assert.assertEquals(protocols.length, 1);
+ Assert.assertEquals(protocols[0], "TLSv1.1");
+ Assert.assertEquals(algorithms.length, 2);
+
Assert.assertTrue(algorithms[0].equals("TLS_RSA_WITH_AES_128_CBC_SHA") ||
algorithms[0].equals("TLS_RSA_WITH_AES_128_CBC_SHA256"));
+
Assert.assertTrue(algorithms[1].equals("TLS_RSA_WITH_AES_128_CBC_SHA") ||
algorithms[1].equals("TLS_RSA_WITH_AES_128_CBC_SHA256"));
+ } finally {
+ if (socket != null) {
+ socket.close();
+ }
+ }
+ }
+
+ /**
+ * Tests if SSLUtils set the right ssl version and cipher suites for
SSLEngine
+ */
+ @Test
+ public void testSetSSLVersionAndCipherSuitesForSSLEngine() throws
Exception {
+
+ Configuration serverConfig = new Configuration();
+ serverConfig.setBoolean(ConfigConstants.SECURITY_SSL_ENABLED,
true);
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE,
"src/test/resources/local127.keystore");
+
serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE_PASSWORD,
"password");
+
serverConfig.setString(ConfigConstants.SECURITY_SSL_KEY_PASSWORD, "password");
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_PROTOCOL,
"TLSv1");
+ serverConfig.setString(ConfigConstants.SECURITY_SSL_ALGORITHMS,
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256");
+
+ SSLContext serverContext =
SSLUtils.createSSLServerContext(serverConfig);
+ SSLEngine engine = serverContext.createSSLEngine();
+
+ String[] protocols = engine.getEnabledProtocols();
+ String[] algorithms = engine.getEnabledCipherSuites();
+
+ Assert.assertNotEquals(protocols.length, 1);
+ Assert.assertNotEquals(algorithms.length, 2);
+
+ SSLUtils.setSSLVerAndCipherSuites(engine, serverConfig);
+ protocols = engine.getEnabledProtocols();
+ algorithms = engine.getEnabledCipherSuites();
+
+ Assert.assertEquals(protocols.length, 1);
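Review bot: `int port = new Random().nextInt(65535);` in testSetSSLVersionAndCipherSuitesForSSLServerSocket picks an arbitrary port, so the test can fail spuriously when that port is already bound, or when it falls below 1024 on a host where binding low ports needs privileges; binding to an ephemeral port removes the flakiness, `socket = serverContext.getServerSocketFactory().createServerSocket(0);`, and the Random line can go. The pre-change checks `Assert.assertNotEquals(protocols.length, 1)` and `Assert.assertNotEquals(algorithms.length, 2)` (both tests) appear to assume the JDK's default enabled protocol and cipher-suite sets never happen to have exactly those sizes, which is a property of the runtime rather than of SSLUtils, so consider asserting instead that the defaults contain more than the configured entries, or dropping the pre-checks. The Javadoc on testCreateSSLServerContextWithMultiProtocols still reads "fails with bad SSL configuration"; `Tests that SSL server context creation fails when more than one protocol is configured` describes what the test actually checks. The body of testSetSSLVersionAndCipherSuitesForSSLEngine continues past the end of the quoted hunk.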
--- End diff --
`assertEquals` takes the parameters the other way around: (expected,
actual) rather than (actual, expected).
Will fix that on the fly while merging...
> SSL version and ciper suites cannot be constrained as configured
> ----------------------------------------------------------------
>
> Key: FLINK-5981
> URL: https://issues.apache.org/jira/browse/FLINK-5981
> Project: Flink
> Issue Type: Bug
> Components: Security
> Reporter: Tao Wang
> Assignee: Tao Wang
>
> I configured ssl and start flink job, but found configured properties cannot
> apply properly:
> akka port: only cipher suites apply right, ssl version not
> blob server/netty server: both ssl version and cipher suites are not like what
> I configured
> I've found out the reason why:
> http://stackoverflow.com/questions/11504173/sslcontext-initialization (for
> blob server and netty server)
> https://groups.google.com/forum/#!topic/akka-user/JH6bGnWE8kY(for akka ssl
> version, it's fixed in akka 2.4:https://github.com/akka/akka/pull/21078)
> I'll fix the issue on blob server and netty server, and it seems like only
> upgrade for akka can solve issue in akka side(we'll consider later as upgrade
> is not a small action).