[
https://issues.apache.org/jira/browse/FLINK-39969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18090634#comment-18090634
]
József Kuti commented on FLINK-39969:
-------------------------------------
I had unit tests which cover these as well.
> use the same SSL protocol and algorithms on all the Flink services and all
> clients
> ---------------------------------------------------------------------------------
>
> Key: FLINK-39969
> URL: https://issues.apache.org/jira/browse/FLINK-39969
> Project: Flink
> Issue Type: Bug
> Components: Runtime / Configuration, Runtime / REST, Runtime / RPC
> Affects Versions: 1.20.1, 1.20.5, 2.4.0
> Environment: I was using the yarn-application target with Flink 1.20.1,
> but it is the same for the other targets and other versions as well - I
> linked the master code.
>
> Reporter: József Kuti
> Priority: Major
>
> When we enable internal and REST SSL with:
> * security.ssl.rest.enabled: true
> * security.ssl.internal.enabled: true
> * plus the required truststore and keystore properties in flink-conf.yaml
> and we want to *override the default SSL protocol and algorithms*, for example
> with a non-default cipher for TLSv1.3:
> * security.ssl.protocol: TLSv1.3
> * security.ssl.algorithms: TLS_CHACHA20_POLY1305_SHA256
> then the protocols and algorithms are not set on all the clients and services,
> resulting in:
> {code:java}
> javax.net.ssl.SSLHandshakeException: no cipher suites in common{code}
> It turned out that org.apache.flink.runtime.net.SSLUtils needs the following
> adjustments:
> * SSLUtils#*createSSLClientSocketFactory* [*does not set* the enabled *protocols* and *cipherSuites*|https://github.com/apache/flink/blob/9bc156b7faf811ca6940a05e02df900ab9bf6627/flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java#L92-L99]
> ** while its server-side counterpart [SSLUtils#createSSLServerSocketFactory|https://github.com/apache/flink/blob/9bc156b7faf811ca6940a05e02df900ab9bf6627/flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java#L81-L82] *does*,
> ** resulting in BlobServerConnections dropping their clients, since the server
> expects the non-default cipher
> * SSLUtils#createRestNettySSLContext [does set the enabled sslProtocols and
> ciphers ONLY for the
> clients|https://github.com/apache/flink/blob/9bc156b7faf811ca6940a05e02df900ab9bf6627/flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java#L438-L449]
> and skips it for the services
> ** resulting in the Flink dashboard (MiniDispatcherRestEndpoint) using
> incompatible ciphers:
> *** the service uses the Java default TLS config,
> *** the client uses the non-default, configured one
> I was using the yarn-application target with *Flink 1.20.1*, but it is the same
> for the other targets and other versions as well - *I linked the code from
> master.*
> *It would be useful to configure the internal and REST clients and
> services the same way.* I have the fix with the related unit tests to achieve
> that.
> We have tested it downstream already. I could contribute the fix.
> Additionally, I would add some debug-level logs to make the printable SSL
> settings visible; it was really useful while I was debugging to see what SSL
> properties are set and where.
> Just assign it to me and I will create the PR.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
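The asymmetry the issue describes is that the server socket factory applies the configured protocol and cipher list while the client socket factory leaves the JDK defaults in place, so a server pinned to TLS_CHACHA20_POLY1305_SHA256 and a client offering only its defaults fail with "no cipher suites in common". The following is an added illustration written for this page, not Flink's SSLUtils code and not the reporter's patch: it applies one configured protocol/cipher set to both an SSLServerSocket and an unconnected client SSLSocket and logs what each side ends up enabling, which is the symmetry (and the debug log) the issue asks for. The class name SymmetricTlsSettings, the PROTOCOLS / CIPHER_SUITES constants and the use of a default-initialised SSLContext are assumptions for the example; real code would build the context from the configured keystore and truststore.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.util.Arrays;

/**
 * Added example (not Flink code): enable the same TLS protocol and cipher
 * suites on both the server and the client side of a JSSE connection.
 */
public final class SymmetricTlsSettings {

    // Assumed parsed values of security.ssl.protocol / security.ssl.algorithms,
    // using the configuration from the issue. TLS_CHACHA20_POLY1305_SHA256 needs
    // a JDK that supports it (12+); setEnabledCipherSuites throws
    // IllegalArgumentException for a suite the provider does not know.
    static final String[] PROTOCOLS = {"TLSv1.3"};
    static final String[] CIPHER_SUITES = {"TLS_CHACHA20_POLY1305_SHA256"};

    // Server side: this is the part that already works in the issue's description.
    static SSLServerSocket configureServer(SSLContext ctx, int port) throws IOException {
        SSLServerSocketFactory f = ctx.getServerSocketFactory();
        SSLServerSocket s = (SSLServerSocket) f.createServerSocket(port);
        s.setEnabledProtocols(PROTOCOLS);
        s.setEnabledCipherSuites(CIPHER_SUITES);
        logSettings("server", s.getEnabledProtocols(), s.getEnabledCipherSuites());
        return s;
    }

    // Client side: the counterpart the issue reports as missing. The socket is
    // created unconnected so the parameters can be applied before connect();
    // without these two calls the client offers the JDK defaults and the
    // handshake against the server above fails with "no cipher suites in common".
    static SSLSocket configureClient(SSLContext ctx) throws IOException {
        SSLSocketFactory f = ctx.getSocketFactory();
        SSLSocket s = (SSLSocket) f.createSocket();
        s.setEnabledProtocols(PROTOCOLS);
        s.setEnabledCipherSuites(CIPHER_SUITES);
        logSettings("client", s.getEnabledProtocols(), s.getEnabledCipherSuites());
        return s;
    }

    // The kind of debug output the reporter proposes: print what is actually
    // enabled on each side rather than what was configured.
    static void logSettings(String side, String[] protocols, String[] suites) {
        System.out.println(side + " enabledProtocols=" + Arrays.toString(protocols)
                + " enabledCipherSuites=" + Arrays.toString(suites));
    }

    // True only if both sides negotiate from the same protocol and suite lists.
    static boolean settingsMatch(SSLServerSocket server, SSLSocket client) {
        return Arrays.equals(server.getEnabledProtocols(), client.getEnabledProtocols())
                && Arrays.equals(server.getEnabledCipherSuites(), client.getEnabledCipherSuites());
    }

    public static void main(String[] args) throws Exception {
        // Default key and trust managers: enough to create sockets and inspect
        // their parameters, not enough to complete a handshake (no key material).
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        try (SSLServerSocket server = configureServer(ctx, 0);
             SSLSocket client = configureClient(ctx)) {
            System.out.println("settings match: " + settingsMatch(server, client));
        }
    }
}
```

For the REST endpoint the same symmetry applies on the Netty side: whatever protocol and cipher lists are passed to the client's SslContextBuilder (Netty's `protocols(...)` and `ciphers(...)` builder methods) must also be passed to the server's builder, otherwise the dashboard server negotiates from the JDK defaults while the REST client negotiates from the configured list, which is the second mismatch the issue reports.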