[jira] [Updated] (FLINK-28521) Hostname verification in ssl context is not working

Thu, 18 Aug 2022 15:40:15 -0700 


     [ 
https://issues.apache.org/jira/browse/FLINK-28521?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Flink Jira Bot updated FLINK-28521:
-----------------------------------
    Labels: security stale-assigned  (was: security)

I am the [Flink Jira Bot|https://github.com/apache/flink-jira-bot/] and I help 
the community manage its development. I see this issue is assigned but has not 
received an update in 30 days, so it has been labeled "stale-assigned".
If you are still working on the issue, please remove the label and add a 
comment updating the community on your progress.  If this issue is waiting on 
feedback, please consider this a reminder to the committer/reviewer. Flink is a 
very active project, and so we appreciate your patience.
If you are no longer working on the issue, please unassign yourself so someone 
else may work on it.


> Hostname verification in ssl context is not working
> ---------------------------------------------------
>
>                 Key: FLINK-28521
>                 URL: https://issues.apache.org/jira/browse/FLINK-28521
>             Project: Flink
>          Issue Type: Bug
>          Components: Runtime / Network
>    Affects Versions: 1.13.6, 1.14.5, 1.15.1
>            Reporter: Jean-Damien HATZENBUHLER
>            Assignee: Jean-Damien HATZENBUHLER
>            Priority: Major
>              Labels: security, stale-assigned
>
> The hostname certificate is not check in ssl context.
> Moreover the {{security.ssl.verify-hostname}} is not used anywhere in the 
> code.
> The issue come from {{netty4}} where the hostname verification is not enable 
> by default. See 
> [documentation|https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newEngine-io.netty.buffer.ByteBufAllocator-]
> h2. How to fix this issue:
> In {{org.apache.flink.runtime.io.network.netty.SSLHandlerFactory}}:
> * Add a new parameter on instance creation: {{isHostnameVerificationEnabled}}
> * This parameter will be set to {{false}} if 
> {{security.ssl.internal.cert.fingerprint}} or 
> {{security.ssl.rest.cert.fingerprint}} is setup
> * Add the following code after creating an {{SSLEngine}}: 
> {code:java}
> SSLEngine sslEngine = sslContext.newEngine(...)
> if (isHostnameVerificationEnabled){
>     SSLParameters sslParameters = sslEngine.getSSLParameters();
>     sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
>     sslEngine.setSSLParameters(sslParameters);
> }
> return sslEngine;
> {code}
> In {{org.apache.flink.runtime.net.SSLUtils}} add new parameter on each {{new 
> SSLHandlerFactory}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to