You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@flink.apache.org by se...@apache.org on 2018/07/13 09:35:58 UTC

flink git commit: [FLINK-9424] [security] Set default cipher suite to a more compatible cipher suite.

Repository: flink
Updated Branches:
  refs/heads/master ca3081bea -> 37abf46f6


[FLINK-9424] [security] Set default cipher suite to a more compatible cipher suite.

The upgraded ciphers are not yet supported on all platforms and JDK versions, making
the getting-started process rough. Instead, we document our recommendation to set these
values in the configuration.

This reverts "[FLINK-9310] [security] Update standard cipher suites for secure mode"


Project: http://git-wip-us.apache.org/repos/asf/flink/repo
Commit: http://git-wip-us.apache.org/repos/asf/flink/commit/37abf46f
Tree: http://git-wip-us.apache.org/repos/asf/flink/tree/37abf46f
Diff: http://git-wip-us.apache.org/repos/asf/flink/diff/37abf46f

Branch: refs/heads/master
Commit: 37abf46f6030b6404707958e5a3a3fae0051dbea
Parents: ca3081b
Author: Stephan Ewen <se...@apache.org>
Authored: Fri Jul 13 09:31:18 2018 +0200
Committer: Stephan Ewen <se...@apache.org>
Committed: Fri Jul 13 09:57:06 2018 +0200

----------------------------------------------------------------------
 docs/_includes/generated/security_configuration.html   |  2 +-
 docs/ops/security-ssl.md                               | 13 +++++++++++++
 .../apache/flink/configuration/SecurityOptions.java    |  2 +-
 3 files changed, 15 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/flink/blob/37abf46f/docs/_includes/generated/security_configuration.html
----------------------------------------------------------------------
diff --git a/docs/_includes/generated/security_configuration.html b/docs/_includes/generated/security_configuration.html
index fae0525..cd682ec 100644
--- a/docs/_includes/generated/security_configuration.html
+++ b/docs/_includes/generated/security_configuration.html
@@ -9,7 +9,7 @@
     <tbody>
         <tr>
             <td><h5>security.ssl.algorithms</h5></td>
-            <td style="word-wrap: break-word;">"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"</td>
+            <td style="word-wrap: break-word;">"TLS_RSA_WITH_AES_128_CBC_SHA"</td>
             <td>The comma separated list of standard SSL algorithms to be supported. Read more &#60;a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites"&#62;here&#60;/a&#62;.</td>
         </tr>
         <tr>

http://git-wip-us.apache.org/repos/asf/flink/blob/37abf46f/docs/ops/security-ssl.md
----------------------------------------------------------------------
diff --git a/docs/ops/security-ssl.md b/docs/ops/security-ssl.md
index c2ba7df..1a3c381 100644
--- a/docs/ops/security-ssl.md
+++ b/docs/ops/security-ssl.md
@@ -33,6 +33,19 @@ SSL can be enabled for all network communication between Flink components. SSL k
 * **akka.ssl.enabled**: SSL flag for akka based control connection between the Flink client, jobmanager and taskmanager 
 * **jobmanager.web.ssl.enabled**: Flag to enable https access to the jobmanager's web frontend
 
+**IMPORTANT**
+
+The [IETF RFC 7525](https://tools.ietf.org/html/rfc7525) recommends to use a specific set of cipher suites for strong security.
+Because these cipher suites were not available on many setups out of the box, Flink's default value is set to a slightly
+weaker but more compatible cipher suite.
+We recommend that SSL setups update to the stronger cipher suites, if possible, by adding the below entry to the Flink configuration:
+
+{% highlight yaml %}
+security.ssl.algorithms: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+{% endhighlight %}
+
+If these suites are not supported on your setup, you will see that Flink processes will not be able to connect to each other.
+
 ## Deploying Keystores and Truststores
 
 You need to have a Java Keystore generated and copied to each node in the Flink cluster. The common name or subject alternative names in the certificate should match the node's hostname and IP address. Keystores and truststores can be generated using the [keytool utility](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html). All Flink components should have read access to the keystore and truststore files.

http://git-wip-us.apache.org/repos/asf/flink/blob/37abf46f/flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java
----------------------------------------------------------------------
diff --git a/flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java b/flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java
index feae587..fc7e391 100644
--- a/flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java
+++ b/flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java
@@ -151,7 +151,7 @@ public class SecurityOptions {
 	 */
 	public static final ConfigOption<String> SSL_ALGORITHMS =
 		key("security.ssl.algorithms")
-			.defaultValue("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
+			.defaultValue("TLS_RSA_WITH_AES_128_CBC_SHA")
 			.withDescription("The comma separated list of standard SSL algorithms to be supported. Read more" +
 				" <a href=\"http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites\">here</a>.");