[ https://issues.apache.org/jira/browse/FLINK-9643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16534794#comment-16534794 ]

Viktor Vlasov commented on FLINK-9643:
--------------------------------------

After a deeper investigation I can tell the following.
For now, the SSL/TLS protocol configuration in Flink (security.ssl.protocol)
affects two areas, the Akka and the Netty configuration.
While in the first case it's just a parameter, in the second case the configuration
is performed manually, by using SSLContext.
In both cases the protocol sets the maximum supported version, not the exact
value.
According to the handshake algorithm in SSL/TLS, the server picks the
highest version available on both sides.
So, if we have TLSv1.1 on the client side, and the server supports TLSv1.2, it
will choose TLSv1.1.

We know that the server chooses the version for the connection. Also, I can draw the
conclusion that the JDK parameter jdk.tls.disabledAlgorithms affects only the case
of the server role. This opinion is based on the previous and current results.
I figured out that if I configure the master node only
(jdk.tls.disabledAlgorithms with a specific version), then, because the slave
node plays the server role in some cases of connection, it works even with the
disabled version, just because the slave node doesn't contain this
configuration (jdk.tls.disabledAlgorithms). My previous result was based on the
case when only the master node protocol is configured. When I added the
parameter to the slave node JDK config, it stopped supporting the
connection with the disabled protocol even with version 1.3.2 of Flink.

Probably, [~vinaypatil18] needs to make sure that this parameter contains the same
value on all nodes.

I will post new results and do some research on whether they contain
something incorrect.

> Flink allowing TLS 1.1 in spite of configuring TLS 1.2
> ------------------------------------------------------
>
>                 Key: FLINK-9643
>                 URL: https://issues.apache.org/jira/browse/FLINK-9643
>             Project: Flink
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.3.2, 1.5.0, 1.4.2
>            Reporter: Vinay
>            Assignee: Viktor Vlasov
>            Priority: Major
>         Attachments: result.csv, result_2.csv
>
>
> I have deployed Flink 1.3.2 and enabled SSL settings. From the ssl debug
> logs it shows that Flink is using TLSv1.2. However, based on the security
> scans we have observed that it also allows TLSv1.0 and TLSv1.1.
>
> In order to strictly use TLSv1.2 we have updated the following property of
> the java.security file:
> jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, TLSv1,
> TLSv1.1
> But it still allows TLSv1.1; verified this by running the following command
> from the master node:
> openssl s_client -connect taskmanager1:<listening_address_port> -tls1
> (here listening_address_port is part of
> akka.ssl.tcp://flink@taskmanager1:port/user/taskmanager)
> Now, when I run the above command for the data port, it does not allow
> TLSv1.1 and only allows TLSv1.2