Posted to issues@flink.apache.org by "Till Rohrmann (JIRA)" <ji...@apache.org> on 2018/04/13 20:19:00 UTC
[jira] [Resolved] (FLINK-9103) SSL verification on TaskManager when parallelism > 1
[ https://issues.apache.org/jira/browse/FLINK-9103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Till Rohrmann resolved FLINK-9103.
----------------------------------
Resolution: Fixed
Fix Version/s: 1.4.3, 1.5.0
Fixed via
master: ffb03821ff118b0949d7d42d6b67312ee8732c2b
1.5.0: 688630c6432dd3318936613a3f657f7de475fce7
1.4.3: e76b10d07c657bcf3250ca08b5649c6a242bb01f
> SSL verification on TaskManager when parallelism > 1
> ----------------------------------------------------
>
> Key: FLINK-9103
> URL: https://issues.apache.org/jira/browse/FLINK-9103
> Project: Flink
> Issue Type: Bug
> Components: Docker, Network, Security
> Affects Versions: 1.4.0
> Reporter: Edward Rojas
> Assignee: Edward Rojas
> Priority: Major
> Fix For: 1.5.0, 1.4.3
>
> Attachments: job.log, task0.log
>
>
> In dynamic environments like Kubernetes, the SSL certificates can be generated to use only the DNS addresses for validation of the identity of servers, given that the IP can change eventually.
>
> In these cases, when executing Jobs with Parallelism set to 1, the SSL validations are good and the Jobmanager can communicate with Task manager and vice versa.
>
> But with parallelism set to more than 1, SSL validation fails when Task Managers communicate with each other, as it seems to try to validate against the IP address:
> Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 172.xx.xxx.xxx found
> at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
> at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
> at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
> ... 21 more
>
> From the logs, it seems the task managers successfully register their full address to Netty, but still the IP is used.
>
> Attached pertinent logs from JobManager and a TaskManager.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
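
Added example (not part of the original message and not Flink's or the JDK's code): a simplified Python model of the identity check behind the exception quoted above. It shows that a peer addressed by IP literal is compared only with iPAddress SAN entries, so a certificate issued for DNS names only fails as soon as the connection is opened by IP. The host names, the IP address and the function names are constructed for illustration.

```python
import ipaddress

# SAN entries in the (type, value) shape returned by ssl.SSLSocket.getpeercert().
# Constructed sample: a certificate issued for DNS names only, as in the report.
DNS_ONLY_SANS = (
    ("DNS", "*.flink-taskmanager.example.svc.cluster.local"),
    ("DNS", "flink-jobmanager.example.svc.cluster.local"),
)


def _dns_match(pattern: str, host: str) -> bool:
    """Match a dNSName SAN; a wildcard covers the whole left-most label only."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_identity(peer: str, sans) -> str:
    """Return the SAN entry that matched, or raise ValueError on mismatch.

    An IP literal is compared only with iPAddress SANs and a host name only
    with dNSName SANs; the two kinds are never cross-matched.
    """
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        ip = None  # not an IP literal, so treat the peer as a DNS name
    if ip is not None:
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return f"IP Address:{value}"
        raise ValueError(
            f"No subject alternative names matching IP address {peer} found")
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, peer):
            return f"DNS:{value}"
    raise ValueError(f"No subject alternative DNS name matching {peer} found")
```

Calling `check_identity` with the peer's DNS name succeeds against `DNS_ONLY_SANS`, while calling it with the same peer's IP address raises, which is the split between the parallelism 1 and parallelism > 1 cases in the report.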