You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@flink.apache.org by "Jean-Damien HATZENBUHLER (Jira)" <ji...@apache.org> on 2022/07/12 13:06:00 UTC

[jira] [Created] (FLINK-28521) Hostname verification in ssl context is not working

Jean-Damien HATZENBUHLER created FLINK-28521:
------------------------------------------------

             Summary: Hostname verification in ssl context is not working
                 Key: FLINK-28521
                 URL: https://issues.apache.org/jira/browse/FLINK-28521
             Project: Flink
          Issue Type: Bug
          Components: Runtime / Network
    Affects Versions: 1.15.1, 1.15.0, 1.14.5, 1.14.4, 1.14.3, 1.13.6, 1.14.2
            Reporter: Jean-Damien HATZENBUHLER


The hostname certificate is not check in ssl context.
Moreover the {{security.ssl.verify-hostname}} is not used anywhere in the code.

The issue come from {{netty4}} where the hostname verification is not enable by default. See [documentation|https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newEngine-io.netty.buffer.ByteBufAllocator-]

h2. How to fix this issue:

In {{org.apache.flink.runtime.io.network.netty.SSLHandlerFactory}}:
* Add a new parameter on instance creation: {{isHostnameVerificationEnabled}}
* Add the following code after creating an {{SSLEngine}}: 
{code:java}
SSLEngine sslEngine = sslContext.newEngine(...)
if (isHostnameVerificationEnabled){
    SSLParameters sslParameters = sslEngine.getSSLParameters();
    sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
    sslEngine.setSSLParameters(sslParameters);
}
return sslEngine;
{code}

In {{org.apache.flink.runtime.net.SSLUtils}} add new parameter on each {{new SSLHandlerFactory}}




--
This message was sent by Atlassian Jira
(v8.20.10#820010)