[ 
https://issues.apache.org/jira/browse/FLINK-9643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16535017#comment-16535017
 ] 

Viktor Vlasov commented on FLINK-9643:
--------------------------------------

Ok, now I figured out that even if the Flink configuration
(security.ssl.protocol) overrides the set of protocols obtained after scanning the
JDK configuration (jdk.tls.disabledAlgorithms), during the handshake the
standard Java classes (especially the SSLEngine implementation) check the protocol
currently in use against the current JDK configuration (not only against the
overridden set). Example of the internal JDK class that performs such a check: [Handshaker
that is used in
SSLEngine|http://cr.openjdk.java.net/~fweimer/8061798/webrev.00/src/java.base/share/classes/sun/security/ssl/Handshaker.java.html].
 
So, the Flink configuration overrides the available protocols but doesn't override the
restrictions.
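The two policy layers described in the comment, modelled as an added example (not Flink's or the JDK's code): the jdk.tls.disabledAlgorithms value quoted in the report is parsed to get the protocols the JDK refuses, intersected with what Flink enables, and a scripted equivalent of the openssl s_client probe checks a listener version by version. Host and port in the probe are placeholders, and the sample property values are constructed from the report.

```python
import socket
import ssl

# Protocol names that may appear as entries in jdk.tls.disabledAlgorithms.
KNOWN_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# TLS versions the probe tries, mirroring `openssl s_client -tls1 ...` per version.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_disabled_algorithms(value):
    """Split a jdk.tls.disabledAlgorithms string into (disabled protocols, other
    constraints). Entries are comma separated; a constraint such as
    'RSA keySize < 2048' is kept whole instead of being mistaken for a protocol."""
    protocols, constraints = set(), []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        (protocols.add if entry in KNOWN_PROTOCOLS else constraints.append)(entry)
    return protocols, constraints


def effective_protocols(flink_enabled, jdk_disabled_value):
    """Protocols a handshake can complete with: enabled by Flink AND not disabled
    by the JDK. Enabling a protocol in Flink does not lift a JDK restriction."""
    disabled, _ = parse_disabled_algorithms(jdk_disabled_value)
    return sorted(p for p in flink_enabled if p not in disabled)


def probe_accepted_versions(host, port, timeout=3.0):
    """One handshake attempt per TLS version with min and max pinned to it.
    Returns the versions the server completed a handshake with. Certificate
    checks are off because the question is negotiation, not server identity."""
    accepted = []
    for version in VERSIONS.values():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        try:
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock) as tls:
                    accepted.append(tls.version())
        except (ValueError, ssl.SSLError, OSError):
            pass  # version unsupported locally, refused by the server, or no route
    return accepted
```

Run `probe_accepted_versions("taskmanager1", PORT)` against the Akka and data ports separately; a listener that returns anything other than `["TLSv1.2"]` still negotiates a version the configuration was meant to exclude.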

> Flink allowing TLS 1.1 in spite of configuring TLS 1.2
> ------------------------------------------------------
>
>                 Key: FLINK-9643
>                 URL: https://issues.apache.org/jira/browse/FLINK-9643
>             Project: Flink
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.3.2, 1.5.0, 1.4.2
>            Reporter: Vinay
>            Assignee: Viktor Vlasov
>            Priority: Major
>         Attachments: result.csv, result_2.csv
>
>
> I have deployed Flink 1.3.2 and enabled SSL settings. From the ssl debug 
> logs it shows that Flink is using TLSv1.2. However based on the security 
> scans we have observed that it also allows TLSv1.0 and TLSv1.1. 
>   
> In order to strictly use TLSv1.2 we have updated the following property of 
> java.security file: 
> jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, TLSv1, 
> TLSv1.1 
> But still it allows TLSv1.1; verified this by hitting the following command 
> from the master node: 
> openssl s_client -connect taskmanager1:<listening_address_port> -tls1 
> (here listening_address_port is part of 
> akka.ssl.tcp://flink@taskmanager1:port/user/taskmanager) 
> Now, when I hit the above command for the data port, it does not allow 
> TLSv1.1 and only allows TLSv1.2 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)