[ https://issues.apache.org/jira/browse/FLINK-39635?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Imre Balassa updated FLINK-39635:
---------------------------------
Description:
Currently {{security.ssl.protocol}} accepts only a single TLS protocol version
string. Users who need to enable multiple protocol versions (e.g. both TLSv1.2
and TLSv1.3) simultaneously have no way to do so. This ticket proposes
extending the option to accept a comma-separated list.
h3. Flink is already prepared for multiple protocols — single protocol is forwarded to Pekko
Flink's internal SSL stack already works with a list of protocol versions: it
splits {{security.ssl.protocol}} on comma ({{,}}) and calls
{{SSLEngine.setEnabledProtocols(String[])}}, which natively accepts
multiple values.
However, when Flink configures Pekko's RPC transport, only a *single* protocol
string is forwarded — written directly into Pekko's {{protocol}} field (e.g.
{{protocol = TLSv1.2}}).
h3. Proposed Change
# Split {{security.ssl.protocol}} on comma ({{,}}) when building the Pekko
config.
# Write {{protocol = highestAvailableProtocol}} supported by the JVM and
{{enabled-protocols = [TLSv1.2, TLSv1.3, ...]}} (specific versions) — mirroring
the existing handling of {{security.ssl.algorithms}}.
# Override {{createServerSSLEngine()}} and {{createClientSSLEngine()}} in
{{CustomSSLEngineProvider}} to call {{SSLEngine.setEnabledProtocols()}} with
the configured list, ensuring the restriction is enforced at the engine level
as well.
# Update the description of {{security.ssl.protocol}} to reflect that a
comma-separated list is now supported.
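A hypothetical Java helper, added here and not part of Flink, Pekko or the patch behind this ticket, that walks through the steps above: split the option on comma, pick the highest JVM-supported version for Pekko's single {{protocol}} field, and enforce the full list on the {{SSLEngine}} so a misconfigured or unsupported version fails closed instead of silently falling back to JVM defaults. The class and method names are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Hypothetical helper (not Flink or Pekko code) for a multi-valued security.ssl.protocol. */
public final class SslProtocolList {
    /** Splits "TLSv1.2,TLSv1.3" into a trimmed, de-duplicated list; empty entries are rejected. */
    public static List<String> parse(String configured) {
        List<String> out = new ArrayList<>();
        for (String p : configured.split(",")) {
            String v = p.trim();
            if (v.isEmpty()) throw new IllegalArgumentException("empty entry in security.ssl.protocol: '" + configured + "'");
            if (!out.contains(v)) out.add(v);
        }
        return out;
    }

    /**
     * Highest configured version the JVM supports: the value for Pekko's single 'protocol' field
     * (the full list goes to 'enabled-protocols'). Fails closed if no configured version is usable,
     * rather than negotiating whatever the JVM default allows. Lexical order suffices for the real names.
     */
    public static String highestAvailable(List<String> configured, String[] jvmSupported) {
        List<String> supported = Arrays.asList(jvmSupported);
        String best = null;
        for (String p : configured) {
            if (supported.contains(p) && (best == null || p.compareTo(best) > 0)) best = p;
        }
        if (best == null) throw new IllegalArgumentException("none of " + configured + " is supported by this JVM: " + supported);
        return best;
    }

    /** Engine-level enforcement, the step the ticket adds to CustomSSLEngineProvider's engine factories. */
    public static SSLEngine restrict(SSLEngine engine, List<String> configured) {
        engine.setEnabledProtocols(configured.toArray(new String[0])); // IllegalArgumentException on unknown names
        return engine;
    }

    public static void main(String[] args) throws Exception {
        List<String> wanted = parse(" TLSv1.2, TLSv1.3 "); // constructed sample value of security.ssl.protocol
        SSLContext ctx = SSLContext.getDefault();
        String[] jvm = ctx.getSupportedSSLParameters().getProtocols();
        System.out.println("protocol = " + highestAvailable(wanted, jvm) + ", enabled-protocols = " + wanted);
        SSLEngine engine = restrict(ctx.createSSLEngine(), wanted);
        System.out.println("engine enabled: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```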
was:
Currently {{security.ssl.protocol}} accepts only a single TLS protocol version
string. Users who need to enable multiple protocol versions (e.g. both TLSv1.2
and TLSv1.3) simultaneously have no way to do so. This ticket proposes
extending the option to accept a comma-separated list.
h3. Flink is already prepared for multiple protocols — Pekko is not wired up correctly
Flink's internal SSL stack already works with a list of protocol versions: it
splits {{security.ssl.protocol}} on comma ({{,}}) and calls
{{SSLEngine.setEnabledProtocols(String[])}}, which natively accepts
multiple values.
However, when Flink configures Pekko's RPC transport, only a *single* protocol
string is forwarded — written directly into Pekko's {{protocol}} field (e.g.
{{protocol = TLSv1.2}}).
h3. Proposed Change
# Split {{security.ssl.protocol}} on comma ({{,}}) when building the Pekko
config.
# Write {{protocol = highestAvailableProtocol}} supported by the JVM and
{{enabled-protocols = [TLSv1.2, TLSv1.3, ...]}} (specific versions) — mirroring
the existing handling of {{security.ssl.algorithms}}.
# Override {{createServerSSLEngine()}} and {{createClientSSLEngine()}} in
{{CustomSSLEngineProvider}} to call {{SSLEngine.setEnabledProtocols()}} with
the configured list, ensuring the restriction is enforced at the engine level
as well.
# Update the description of {{security.ssl.protocol}} to reflect that a
comma-separated list is now supported.
> [security] Support comma-separated list in security.ssl.protocol
> ----------------------------------------------------------------
>
> Key: FLINK-39635
> URL: https://issues.apache.org/jira/browse/FLINK-39635
> Project: Flink
> Issue Type: Improvement
> Components: Runtime / RPC
> Affects Versions: 1.20.0, 2.4.0
> Reporter: Imre Balassa
> Assignee: Imre Balassa
> Priority: Major
> Labels: pull-request-available
>
--
This message was sent by Atlassian Jira (v8.20.10#820010)