Posted to issues@flink.apache.org by "Viktor Vlasov (JIRA)" <ji...@apache.org> on 2018/07/03 14:53:00 UTC
[jira] [Commented] (FLINK-9643) Flink allowing TLS 1.1 in spite of configuring TLS 1.2
[ https://issues.apache.org/jira/browse/FLINK-9643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16531509#comment-16531509 ]
Viktor Vlasov commented on FLINK-9643:
--------------------------------------
I've gathered statistics (result.csv in the attachments, or the table in the repository linked below) about the behavior of different versions with the openssl command.
It has the following columns:
dist - version of the Flink distribution;
jdk - version of the TLS protocol specified in the java.security file in the parameter jdk.tls.disabledAlgorithms;
flink - version of the TLS protocol specified in the Flink configuration in the parameter security.tls.protocol;
request - version of the TLS protocol used in the openssl request;
result - 0 is a success, 1 is an error.
I've performed it on a two-node cluster on Docker. Most of the actions are scripted and stored here: https://github.com/bioker/flink-ssl-test (the Docker image bioker/ubuntu is nothing more than a plain ubuntu image with openssh pre-installed).
Keys and certificates were created following the official documentation instructions (with a small correction to simplify the process).
Now I am going to investigate further which part of this behavior is wrong. Any comments are appreciated.
> Flink allowing TLS 1.1 in spite of configuring TLS 1.2
> ------------------------------------------------------
>
> Key: FLINK-9643
> URL: https://issues.apache.org/jira/browse/FLINK-9643
> Project: Flink
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.3.2
> Reporter: Vinay
> Assignee: Viktor Vlasov
> Priority: Major
> Attachments: result.csv
>
>
> I have deployed Flink 1.3.2 and enabled SSL settings. From the ssl debug logs it shows that Flink is using TLSv1.2. However, based on the security scans we have observed that it also allows TLSv1.0 and TLSv1.1.
>
> In order to strictly use TLSv1.2 we have updated the following property of the java.security file:
> jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, TLSv1, TLSv1.1
> But still it allows TLSv1.1; verified this by hitting the following command from the master node:
> openssl s_client -connect taskmanager1:<listening_address_port> -tls1
> (here listening_address_port is part of akka.ssl.tcp://flink@taskmanager1:port/user/taskmanager)
> Now, when I hit the above command for the data port, it does not allow TLSv1.1 and only allows TLSv1.2
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
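The reporter's openssl s_client -tls1 check and the comment's result table exercise one protocol version per invocation. The script below is an added example, not part of the ticket, the linked repository, or Flink itself. It automates the defender's side of that check with Python's standard ssl module: it derives the minimum TLS version that the quoted jdk.tls.disabledAlgorithms value implies, pins a client handshake to each of TLSv1, TLSv1.1 and TLSv1.2 against a given host:port, and reports any older version the listener still negotiates. The host and port arguments, the SECLEVEL handling, and all function and status names are assumptions of this example.

```python
"""Probe which TLS protocol versions a listener really negotiates and compare
the observed set with the minimum implied by jdk.tls.disabledAlgorithms.

Added example, not part of the Flink ticket or the Flink code base.  It assumes
only a reachable host:port (e.g. a TaskManager's akka or data port) and the
Python standard library."""
import socket
import ssl

# Lowest to highest; the order defines what "below the required minimum" means.
PROBE_VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]

ACCEPTED = "accepted"      # handshake completed at exactly this version (ticket: result=0)
REJECTED = "rejected"      # server refused: alert, reset or EOF (ticket: result=1)
UNTESTABLE = "untestable"  # our own OpenSSL would not even offer the version


def expected_minimum_from_java_security(disabled_algorithms):
    """Lowest probed TLS version the JVM should still offer, given the value of
    jdk.tls.disabledAlgorithms from java.security.  Protocol names in that list
    are disabled outright; other entries (MD5, key-size constraints) are ignored
    here because they do not affect version negotiation."""
    disabled = {item.strip() for item in disabled_algorithms.split(",")}
    for name, _ in PROBE_VERSIONS:
        if name not in disabled:
            return name
    return None  # every version we probe is disabled


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly one protocol version.
    Certificate verification is off on purpose: the question is which versions
    the server negotiates, not whether its (often self-signed) certificate
    chains to a trusted root."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # OpenSSL 3 refuses to offer TLS < 1.2 at SECLEVEL >= 1.  This probe
        # context never carries application data, so lowering it is acceptable.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older OpenSSL / LibreSSL without SECLEVEL syntax
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return UNTESTABLE  # this OpenSSL build was compiled without the version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ACCEPTED if tls.version() else REJECTED
    except ssl.SSLError as exc:
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return UNTESTABLE  # client-side refusal, says nothing about the server
        return REJECTED  # e.g. TLSV1_ALERT_PROTOCOL_VERSION, UNSUPPORTED_PROTOCOL
    except OSError:
        return REJECTED  # connection reset or closed during the handshake


def probe_all(host, port):
    """Probe every version; keys match the protocol names in the ticket's table."""
    return {name: probe_version(host, port, ver) for name, ver in PROBE_VERSIONS}


def versions_accepted_below(results, required_min):
    """Versions older than required_min that the server nevertheless accepted.
    An empty list is the desired outcome; anything else is the finding."""
    order = [name for name, _ in PROBE_VERSIONS]
    cutoff = order.index(required_min)
    return [name for name in order[:cutoff] if results.get(name) == ACCEPTED]


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    # Same java.security value the ticket reporter used.
    required = expected_minimum_from_java_security(
        "MD5, SSLv3, DSA, RSA keySize < 2048, TLSv1, TLSv1.1")
    observed = probe_all(host, port)
    for name, status in observed.items():
        print(f"{name:8} {status}")
    bad = versions_accepted_below(observed, required)
    if bad:
        print(f"FINDING: {host}:{port} accepts {', '.join(bad)} "
              f"although java.security implies >= {required}")
    else:
        print(f"OK: nothing below {required} negotiated on {host}:{port}")
```

Run it once against the akka port and once against the data port, as the ticket does, since the two listeners behaved differently. A status of untestable means the probing machine's own OpenSSL declined to offer that version (common on OpenSSL 3 at the default security level) and must not be read as the server rejecting it; that distinction is easy to lose when a plain openssl s_client failure is recorded as result=1.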