Posted to issues@flink.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/05/07 19:50:00 UTC
[jira] [Commented] (FLINK-9310) Update default cyphersuites
[ https://issues.apache.org/jira/browse/FLINK-9310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16466379#comment-16466379 ]
ASF GitHub Bot commented on FLINK-9310:
---------------------------------------
GitHub user StephanEwen opened a pull request:
https://github.com/apache/flink/pull/5965
[FLINK-9310] [security] Update standard cipher suites for secure mode
## What is the purpose of the change
This sets the cipher suites accepted by default to those recommended in
IETF RFC 7525: https://tools.ietf.org/html/rfc7525
## Brief change log
Updates the default value of the respective config option to
```
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```
## Verifying this change
This change is already covered by the existing tests that test SSL setups.
## Does this pull request potentially affect one of the following parts:
- Dependencies (does it add or upgrade a dependency): (yes / **no**)
- The public API, i.e., is any changed class annotated with `@Public(Evolving)`: (yes / **no**)
- The serializers: (yes / **no** / don't know)
- The runtime per-record code paths (performance sensitive): (yes / **no** / don't know)
- Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: (yes / **no** / don't know)
- The S3 file system connector: (yes / **no** / don't know)
## Documentation
- Does this pull request introduce a new feature? (yes / **no**)
- If yes, how is the feature documented? (not applicable / **docs** / JavaDocs / not documented)
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/StephanEwen/incubator-flink update_cipher_suits
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/flink/pull/5965.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #5965
----
commit 9b24574cd437ddbc2d3546c1fa0f73e983c02e31
Author: Stephan Ewen <se...@...>
Date: 2018-05-07T17:47:00Z
[FLINK-9310] [security] Update standard cipher suites for secure mode
This sets the cipher suites accepted by default to those recommended in
IETF RFC 7525: https://tools.ietf.org/html/rfc7525
----
> Update default cyphersuites
> ---------------------------
>
> Key: FLINK-9310
> URL: https://issues.apache.org/jira/browse/FLINK-9310
> Project: Flink
> Issue Type: Task
> Components: Security
> Affects Versions: 1.4.2
> Reporter: Stephan Ewen
> Assignee: Stephan Ewen
> Priority: Major
>
> The current default cipher suite {{TLS_RSA_WITH_AES_128_CBC_SHA}} is no longer recommended.
> RFC 7525 [1] recommends using the following cipher suites only:
> * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> [1] https://tools.ietf.org/html/rfc7525
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
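
Added example, not part of the pull request or of Flink's code: a Python check that audits the cipher suite list in a flink-conf.yaml against the four RFC 7525 suites listed above and, when the option is unset, audits the old default named in the issue. The option key security.ssl.algorithms is an assumption (the message only says "the respective config option"), and the sample config is constructed.

```python
import re

# The four suites the issue lists as recommended by RFC 7525.
RFC7525_SUITES = frozenset({
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
})
# Default the issue reports for the affected version; used when the key is unset.
OLD_DEFAULT = ("TLS_RSA_WITH_AES_128_CBC_SHA",)
# Assumption: Flink's option key for the cipher list (the page does not name it).
OPTION_KEY = "security.ssl.algorithms"
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")

def configured_suites(conf_text, key=OPTION_KEY):
    """Return the suite list set for `key` (last occurrence wins), or None."""
    suites = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        name, sep, value = line.partition(":")
        if sep and name.strip() == key:
            suites = [s.strip() for s in value.split(",") if s.strip()]
    return suites

def audit_suite(suite):
    """Reasons a suite falls outside the recommended set (empty list = fine)."""
    if suite in RFC7525_SUITES:
        return []
    m = SUITE_RE.match(suite)
    if not m:
        return ["unrecognised suite name"]
    findings = ["not in the RFC 7525 recommended set"]
    if m["kx"].split("_")[0] not in ("DHE", "ECDHE"):
        findings.append("no forward secrecy")
    if not any(tag in m["cipher"] for tag in ("GCM", "CCM", "CHACHA20")):
        findings.append("not an AEAD cipher")
    return findings

def audit_config(conf_text, default=OLD_DEFAULT):
    """Map each effective suite that has findings to those findings."""
    suites = configured_suites(conf_text)
    report = {s: audit_suite(s) for s in (default if suites is None else suites)}
    return {s: f for s, f in report.items() if f}

# Constructed flink-conf.yaml fragment, not taken from the page.
SAMPLE_CONF = """\
jobmanager.rpc.port: 6123
security.ssl.algorithms: TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
```

Calling audit_config(SAMPLE_CONF) reports only the CBC suite; an empty result means every effective suite is in the recommended set.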