[FLINK-9310] Update default cyphersuites - ASF JIRA

XML

Word

Printable

JSON

Release Note:

Hide
Due to a limitation in Netty's SsLHandler (v4.0.27), it does not work well together with GCM enabled cypher suites. It can cause transmission failures between Flink TaskManager's which manifest in a LocalTransportException. Therefore, it is highly recommended to set the {{security.ssl.algorithms}} configuration to TLS_RSA_WITH_AES_128_CBC_SHA when enabling ssl encryption between TaskManagers.

Show
Due to a limitation in Netty's SsLHandler (v4.0.27), it does not work well together with GCM enabled cypher suites. It can cause transmission failures between Flink TaskManager's which manifest in a LocalTransportException. Therefore, it is highly recommended to set the {{security.ssl.algorithms}} configuration to TLS_RSA_WITH_AES_128_CBC_SHA when enabling ssl encryption between TaskManagers.

The current default cipher suite TLS_RSA_WITH_AES_128_CBC_SHA is no longer recommended.

RFC 7525 [1] recommends to use the following cipher suites only:

relates to

FLINK-9437 Revert cypher suite update

links to

GitHub Pull Request #5965