[
https://issues.apache.org/jira/browse/FLINK-39635?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18080524#comment-18080524
]
Robert Metzger commented on FLINK-39635:
----------------------------------------
Hey, do you want to work on this?
> [security] Support comma-separated list in security.ssl.protocol
> ----------------------------------------------------------------
>
> Key: FLINK-39635
> URL: https://issues.apache.org/jira/browse/FLINK-39635
> Project: Flink
> Issue Type: Improvement
> Components: Runtime / RPC
> Affects Versions: 1.20.0, 2.4.0
> Reporter: Imre Balassa
> Priority: Major
>
> Currently {{security.ssl.protocol}} accepts only a single TLS protocol
> version string. Users who need to enable multiple protocol versions (e.g.
> both TLSv1.2 and TLSv1.3) simultaneously have no way to do so. This ticket
> proposes extending the option to accept a comma-separated list.
> h3. Flink is already prepared for multiple protocols — Pekko is not wired up correctly
> Flink's internal SSL stack already works with a list of protocol versions: it
> splits {{security.ssl.protocol}} on comma ({{,}}) and calls
> {{SSLEngine.setEnabledProtocols(String[])}}, which natively accepts
> multiple values.
> However, when Flink configures Pekko's RPC transport, only a *single*
> protocol string is forwarded — written directly into Pekko's {{protocol}}
> field (e.g. {{protocol = TLSv1.2}}). Pekko's SSL config actually has *two
> separate fields* for this purpose:
> ||Pekko field||Purpose||
> |{{protocol}}|Generic SSL context type, should be {{TLS}}|
> |{{enabled-protocols}}|*List* of specific versions to allow, e.g. {{["TLSv1.2", "TLSv1.3"]}}|
> h2. Proposed Change
> # Split {{security.ssl.protocol}} on comma ({{,}}) when building the
> Pekko config.
> # Write {{protocol = TLS}} (generic context) and {{enabled-protocols =
> [TLSv1.2, TLSv1.3, ...]}} (specific versions) — mirroring the existing
> handling of {{security.ssl.algorithms}}.
> # Override {{createServerSSLEngine()}} and {{createClientSSLEngine()}} in
> {{CustomSSLEngineProvider}} to call {{SSLEngine.setEnabledProtocols()}} with
> the configured list, ensuring the restriction is enforced at the engine level
> as well.
> # Update the description of {{security.ssl.protocol}} to reflect that a
> comma-separated list is now supported.
>
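The three mechanical steps in the proposed change (split the option on comma, emit the two Pekko fields, enforce the list on the engine) as an added Java example. This is illustration code, not Flink's or Pekko's own; the class and method names are hypothetical, the enclosing Pekko config section path is deliberately omitted, and the only library calls are standard JDK ones ({{javax.net.ssl.SSLEngine}} and {{SSLContext}}). It also adds the check a practitioner would want: every requested version is validated against {{SSLEngine.getSupportedProtocols()}} before {{setEnabledProtocols}} is called, so a typo in the option fails with a readable message instead of an {{IllegalArgumentException}} deep inside engine creation.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Hypothetical helper illustrating FLINK-39635; not Flink or Pekko code. */
public final class SslProtocolListExample {

    /**
     * Step 1: split "TLSv1.2,TLSv1.3" into a list, the way Flink's internal
     * SSL stack already does. Whitespace around commas is tolerated so
     * "TLSv1.2, TLSv1.3" does not silently yield the bogus name " TLSv1.3".
     */
    static List<String> parseProtocolList(String raw) {
        List<String> out = new ArrayList<>();
        for (String part : raw.split(",")) {
            String name = part.trim();
            if (!name.isEmpty()) {
                out.add(name);
            }
        }
        if (out.isEmpty()) {
            throw new IllegalArgumentException(
                    "security.ssl.protocol must name at least one TLS protocol version");
        }
        return out;
    }

    /**
     * Step 2: render the two Pekko fields the ticket describes. The generic
     * context type goes into "protocol"; the concrete versions go into
     * "enabled-protocols". The surrounding section path is assumed and omitted.
     */
    static String renderPekkoSslFields(List<String> protocols) {
        StringBuilder sb = new StringBuilder();
        sb.append("protocol = TLS\n");
        sb.append("enabled-protocols = [");
        for (int i = 0; i < protocols.size(); i++) {
            if (i > 0) {
                sb.append(", ");
            }
            sb.append('"').append(protocols.get(i)).append('"');
        }
        sb.append("]\n");
        return sb.toString();
    }

    /**
     * Step 3: enforce the list on the engine itself, as the overridden
     * createServerSSLEngine()/createClientSSLEngine() would. Validate first:
     * SSLEngine.setEnabledProtocols throws IllegalArgumentException for an
     * unknown name, so we fail with the offending value spelled out.
     */
    static SSLEngine restrictEngineProtocols(SSLEngine engine, List<String> protocols) {
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        for (String name : protocols) {
            if (!supported.contains(name)) {
                throw new IllegalArgumentException(
                        "security.ssl.protocol lists '" + name
                                + "' which this JVM does not support; supported: " + supported);
            }
        }
        engine.setEnabledProtocols(protocols.toArray(new String[0]));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value for the option, with a space after the comma on purpose.
        List<String> protocols = parseProtocolList("TLSv1.2, TLSv1.3");
        System.out.print(renderPekkoSslFields(protocols));

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        restrictEngineProtocols(engine, protocols);
        System.out.println("enabled on engine: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Running {{main}} prints the two HOCON-style lines followed by the versions actually enabled on a server-mode engine from the JVM's default context; on a JDK that supports both versions the engine reports exactly {{[TLSv1.2, TLSv1.3]}}, which is the end-to-end behaviour the ticket wants from a single configured option.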