[ 
https://issues.apache.org/jira/browse/FLINK-9643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16533333#comment-16533333
 ] 

Viktor Vlasov commented on FLINK-9643:
--------------------------------------

Thank you for the comment, [~StephanEwen]. 
Actually, speaking of exactly which port was checked, I forgot to mention that 
I used the TM data port (configured in the taskmanager.data.port parameter). 
That's because I used a script to check all cases at once; to simplify its 
logic, I used the same port each time. 

For the other port I haven't found a config option yet; maybe it will need to 
be checked manually, but I'm wondering whether we have a single point of SSL 
configuration. If that is true, and what you have shown in the links works the 
same way for each port, then maybe it's not necessary (correct me if I'm wrong).

Anyway, taking all the information into account (including your links), I think 
I will perform some experiments with an SSL connection configured in pure Java, 
maybe with only Akka, to understand the background and be able to tell how it 
behaves at this level.

> Flink allowing TLS 1.1 in spite of configuring TLS 1.2
> ------------------------------------------------------
>
>                 Key: FLINK-9643
>                 URL: https://issues.apache.org/jira/browse/FLINK-9643
>             Project: Flink
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.3.2, 1.5.0, 1.4.2
>            Reporter: Vinay
>            Assignee: Viktor Vlasov
>            Priority: Major
>         Attachments: result.csv
>
>
> I have deployed Flink 1.3.2 and enabled SSL settings. From the ssl debug 
> logs it shows that Flink is using TLSv1.2. However based on the security 
> scans we have observed that it also allows TLSv1.0 and TLSv1.1. 
>   
> In order to strictly use TLSv1.2 we have updated the following property of 
> java.security file: 
> jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, TLSv1, 
> TLSv1.1 
> But still it allows TLSv1.1, verified this by hitting the following command 
> from master node: 
> openssl s_client -connect taskmanager1:<listening_address_port> -tls1 
> (here listening_address_port is part of 
> akka.ssl.tcp://flink@taskmanager1:port/user/taskmanager) 
> Now, when I hit the above command for the data port, it does not allow 
> TLSv1.1 and only allows TLSv1.2 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
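
The per-port check discussed in this message, as an added example (not the script used in the issue and not Flink code): it probes every given port with a client pinned to exactly one protocol version and lists any port that completes a handshake below TLSv1.2. The file name `tls_probe.py`, the function names and the command-line form are assumptions of the example.

```python
import socket
import ssl
import sys
import warnings

VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2]

def client_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol version is under test,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; without
    # this the probe fails locally and looks like a server-side rejection.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=3.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'client-unsupported'."""
    try:
        ctx = client_context(version)
    except (ssl.SSLError, ValueError):
        return "client-unsupported"  # local TLS library cannot offer this version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"         # no TCP connection, says nothing about TLS
    try:
        with ctx.wrap_socket(raw):
            return "accepted"        # handshake completed at exactly `version`
    except OSError:                  # ssl.SSLError, resets and timeouts
        return "rejected"
    finally:
        raw.close()

def scan(host, ports, minimum=ssl.TLSVersion.TLSv1_2, timeout=3.0):
    """Probe every port with every version; report accepts below `minimum`."""
    results = {(p, v): probe(host, p, v, timeout) for p in ports for v in VERSIONS}
    violations = [(p, v.name) for (p, v), r in results.items()
                  if r == "accepted" and v < minimum]
    return results, violations

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: tls_probe.py HOST PORT [PORT ...]")
    results, violations = scan(sys.argv[1], [int(p) for p in sys.argv[2:]])
    for (port, version), outcome in results.items():
        print(f"{sys.argv[1]}:{port} {version.name}: {outcome}")
    sys.exit(1 if violations else 0)
```

Passing both the data port and the Akka listening port in one run gives the side-by-side result the issue describes; a `client-unsupported` outcome means the probing host's own TLS library could not offer that version, so it is not evidence about the server.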
