Martijn Visser created FLINK-39794:
--------------------------------------
Summary: StreamNetworkBenchmarkEnvironment uses
InetAddress.getLocalHost(), causing SSL hostname-verification failures on cloud
CI runners
Key: FLINK-39794
URL: https://issues.apache.org/jira/browse/FLINK-39794
Project: Flink
Issue Type: Bug
Components: Test Infrastructure, Tests
Reporter: Martijn Visser
flink-runtime/src/test/java/.../StreamNetworkBenchmarkEnvironment.java
initialises its bind address as:
{code:java}
private static final InetAddress LOCAL_ADDRESS;

static {
    try {
        LOCAL_ADDRESS = InetAddress.getLocalHost();
    } catch (UnknownHostException e) {
        throw new Error(e);
    }
}
{code}
This address is passed straight into NettyConfig and used as the server bind
address by every benchmark that extends StreamNetworkBenchmarkEnvironment,
including the SSL/OpenSSL variants of StreamNetworkThroughputBenchmark and
StreamNetworkBroadcastThroughputBenchmark.
On any host where InetAddress.getLocalHost() resolves the local hostname to a
non-loopback IP whose reverse DNS does not match the test certificate
(flink-runtime/src/test/resources/local127.keystore, SANs: localhost,
127.0.0.1, ::1), the SSL handshake in NettyClient.connect() fails with
SSLHandshakeException: No subject alternative DNS name matching <fqdn> found.
This is what caused FLINK-39787.
Proposed fix: the benchmark has no need for an externally-routable address - it
always connects to itself within the same JVM. Replace getLocalHost() with
getLoopbackAddress():
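
An added diagnostic, not part of the issue or of Flink's code: it checks both candidate bind addresses against the SANs the issue lists for local127.keystore. The class name is hypothetical, and it is an assumption that the client verifies the address's host name, canonical name or IP literal.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Locale;

/** Added diagnostic (hypothetical class name); not part of Flink. */
public class BindAddressSanCheck {

    // SANs of local127.keystore as listed in the issue text.
    static final List<String> DNS_SANS = List.of("localhost");
    static final List<String> IP_SANS = List.of("127.0.0.1", "::1");

    /** True if the name is one of the certificate's DNS SANs (case-insensitive). */
    static boolean dnsSanMatches(String hostName) {
        return DNS_SANS.contains(hostName.toLowerCase(Locale.ROOT));
    }

    /** True if the address equals one of the certificate's IP SANs. */
    static boolean ipSanMatches(InetAddress addr) throws UnknownHostException {
        for (String literal : IP_SANS) {
            // getByName() on an IP literal only parses it; no DNS lookup happens.
            if (InetAddress.getByName(literal).equals(addr)) {
                return true;
            }
        }
        return false;
    }

    /** Prints every name form a verifier might see (assumption) and whether it matches. */
    static void report(String label, InetAddress addr) throws UnknownHostException {
        String host = addr.getHostName();               // name stored in or resolved for the address
        String canonical = addr.getCanonicalHostName(); // reverse-DNS name (FQDN) where available
        System.out.printf("%s -> %s%n", label, addr.getHostAddress());
        System.out.printf("  hostName=%s dnsSan=%b%n", host, dnsSanMatches(host));
        System.out.printf("  canonical=%s dnsSan=%b%n", canonical, dnsSanMatches(canonical));
        System.out.printf("  ipSan=%b%n", ipSanMatches(addr));
    }

    public static void main(String[] args) throws UnknownHostException {
        report("getLocalHost()", InetAddress.getLocalHost());
        report("getLoopbackAddress()", InetAddress.getLoopbackAddress());
    }
}
```

A getLocalHost() block in which every match is false is the condition the issue describes.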