flink-issues mailing list archives

From "Viktor Vlasov (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (FLINK-9643) Flink allowing TLS 1.1 in spite of configuring TLS 1.2
Date Wed, 04 Jul 2018 07:53:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-9643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16532399#comment-16532399 ]

Viktor Vlasov edited comment on FLINK-9643 at 7/4/18 7:52 AM:
--------------------------------------------------------------

The Affects Versions field is updated. I have an assumption that the Flink parameter (security.ssl.protocol)
somehow overwrites the JDK parameter (jdk.tls.disabledAlgorithms). It is based on this sample:

('jdk', 'flink' and 'req' columns contain the TLS version value)
ver    jdk   flink  req   result (0 = connection success)
1.3.2  1.0   1.0    1.0   0
1.3.2  1.1   1.1    1.1   0
1.3.2  1.2   1.2    1.2   0
1.4.2  1.0   1.0    1.0   0
1.4.2  1.1   1.1    1.1   0
1.4.2  1.2   1.2    1.2   0
1.5.0  1.2   1.2    1.2   0

Is this behavior acceptable? Or does the JVM configuration need to have higher priority?


was (Author: bioker):
The Affects Versions field is updated. I have an assumption that the Flink parameter (security.ssl.protocol)
overwrites the JDK parameter (jdk.tls.disabledAlgorithms). It is based on this sample:
('jdk', 'flink' and 'req' columns contain the TLS version value)
ver    jdk   flink  req   result (0 = connection success)
1.3.2  1.0   1.0    1.0   0
1.3.2  1.1   1.1    1.1   0
1.3.2  1.2   1.2    1.2   0
1.4.2  1.0   1.0    1.0   0
1.4.2  1.1   1.1    1.1   0
1.4.2  1.2   1.2    1.2   0
1.5.0  1.2   1.2    1.2   0

Is this behavior acceptable? Or does the JVM configuration need to have higher priority?

> Flink allowing TLS 1.1 in spite of configuring TLS 1.2
> ------------------------------------------------------
>
>                 Key: FLINK-9643
>                 URL: https://issues.apache.org/jira/browse/FLINK-9643
>             Project: Flink
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.3.2, 1.5.0, 1.4.2
>            Reporter: Vinay
>            Assignee: Viktor Vlasov
>            Priority: Major
>         Attachments: result.csv
>
>
> I have deployed Flink 1.3.2 and enabled SSL settings. From the SSL debug
> logs it shows that Flink is using TLSv1.2. However, based on the security
> scans we have observed that it also allows TLSv1.0 and TLSv1.1.
>
> In order to strictly use TLSv1.2 we have updated the following property of
> the java.security file:
> jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, TLSv1, TLSv1.1
> But it still allows TLSv1.1; I verified this by running the following command
> from the master node:
> openssl s_client -connect taskmanager1:<listening_address_port> -tls1
> (here listening_address_port is part of
> akka.ssl.tcp://flink@taskmanager1:port/user/taskmanager)
> Now, when I run the above command against the data port, it does not allow
> TLSv1.1 and only allows TLSv1.2.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
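The manual check in the ticket forces one protocol version with openssl s_client and looks at whether the handshake completes. The script below repeats that check for every version against a given listener, so the Akka remoting port and the data port can be compared side by side. It is an added example written for this thread, not Flink or Akka code; it assumes openssl is on PATH, and the host names and ports in the usage lines are placeholders. s_client's -tls1, -tls1_1, -tls1_2 and -tls1_3 flags each force exactly one protocol version, so one handshake per flag shows which versions the listener accepts.

```shell
#!/usr/bin/env bash
# Added example for this thread (not Flink or Akka code): probe which TLS
# protocol versions a listener accepts, one forced-version handshake per run,
# generalising the manual `openssl s_client ... -tls1` check in the report.
# Assumes `openssl` is on PATH; host names and ports below are placeholders.

# Map a protocol label to the s_client flag that forces exactly that version.
tls_flag() {
  case "$1" in
    TLSv1)   echo "-tls1" ;;
    TLSv1.1) echo "-tls1_1" ;;
    TLSv1.2) echo "-tls1_2" ;;
    TLSv1.3) echo "-tls1_3" ;;
    *)       return 1 ;;
  esac
}

# Classify captured s_client output as "accepted" or "rejected".
# After a completed handshake s_client prints "New, TLSv1.2, Cipher is <cipher>";
# a refused version prints "New, (NONE), Cipher is (NONE)".
classify_s_client() {
  if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
    echo rejected
  elif printf '%s\n' "$1" | grep -q '^New, .*, Cipher is '; then
    echo accepted
  else
    echo rejected   # no handshake summary at all (connection refused, timeout)
  fi
}

# Pull the negotiated version out of the "Protocol  : TLSv1.2" session line,
# or print "-" when there is none.
negotiated_version() {
  printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1 | grep . || echo "-"
}

# One forced-version handshake against host:port; prints version, verdict,
# and the version the server actually negotiated (or "-" when refused).
probe_one() {
  local host=$1 port=$2 version=$3 flag out status ver
  flag=$(tls_flag "$version") || { echo "unknown version: $version" >&2; return 2; }
  out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
  status=$(classify_s_client "$out")
  ver="-"
  [ "$status" = accepted ] && ver=$(negotiated_version "$out")
  printf '%-8s %-9s %s\n' "$version" "$status" "$ver"
}

# Try every version against one listener.
probe_all() {
  local host=$1 port=$2 v
  echo "== $host:$port"
  for v in TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
    probe_one "$host" "$port" "$v"
  done
}

# Usage (placeholders): the Akka remoting port and the data port from the ticket.
# probe_all taskmanager1 "<akka_port>"
# probe_all taskmanager1 "<data_port>"
```

The verdict relies only on the "New, <version>, Cipher is <cipher>" summary line that s_client prints after each attempt, which has been stable across OpenSSL releases; anything without a negotiated cipher, including a connection that never reached the handshake, is reported as rejected. Run it once per listener, since the ticket reports the two ports behaving differently.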
