Uploaded image for project: 'Flink'
  1. Flink
  2. FLINK-9310

Update default cyphersuites

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4.2
    • Fix Version/s: 1.5.0
    • Component/s: Runtime / Coordination
    • Labels:
      None
    • Release Note:
      Hide
      Due to a limitation in Netty's SsLHandler (v4.0.27), it does not work well together with GCM enabled cypher suites. It can cause transmission failures between Flink TaskManager's which manifest in a LocalTransportException. Therefore, it is highly recommended to set the {{security.ssl.algorithms}} configuration to TLS_RSA_WITH_AES_128_CBC_SHA when enabling ssl encryption between TaskManagers.
      Show
      Due to a limitation in Netty's SsLHandler (v4.0.27), it does not work well together with GCM enabled cypher suites. It can cause transmission failures between Flink TaskManager's which manifest in a LocalTransportException. Therefore, it is highly recommended to set the {{security.ssl.algorithms}} configuration to TLS_RSA_WITH_AES_128_CBC_SHA when enabling ssl encryption between TaskManagers.

      Description

      The current default cipher suite TLS_RSA_WITH_AES_128_CBC_SHA is no longer recommended.

      RFC 7525 [1] recommends to use the following cipher suites only:

      • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

      [1] https://tools.ietf.org/html/rfc7525

        Attachments

          Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. FLINK-9437 Revert cypher suite update

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed
          links to

          Web Link GitHub Pull Request #5965

            Activity

              People

              • Assignee:
                sewen Stephan Ewen
                Reporter:
                sewen Stephan Ewen
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: