Uploaded image for project: 'Flink'
  1. Flink
  2. FLINK-9310

Update default cyphersuites

          Details

          • Type: Task
          • Status: Closed
          • Priority: Major
          • Resolution: Fixed
          • Affects Version/s: 1.4.2
          • Fix Version/s: 1.5.0
          • Component/s: Runtime / Coordination
          • Labels:
            None
          • Release Note:
            Hide
            Due to a limitation in Netty's SsLHandler (v4.0.27), it does not work well together with GCM enabled cypher suites. It can cause transmission failures between Flink TaskManager's which manifest in a LocalTransportException. Therefore, it is highly recommended to set the {{security.ssl.algorithms}} configuration to TLS_RSA_WITH_AES_128_CBC_SHA when enabling ssl encryption between TaskManagers.
            Show
            Due to a limitation in Netty's SsLHandler (v4.0.27), it does not work well together with GCM enabled cypher suites. It can cause transmission failures between Flink TaskManager's which manifest in a LocalTransportException. Therefore, it is highly recommended to set the {{security.ssl.algorithms}} configuration to TLS_RSA_WITH_AES_128_CBC_SHA when enabling ssl encryption between TaskManagers.

            Description

            The current default cipher suite TLS_RSA_WITH_AES_128_CBC_SHA is no longer recommended.

            RFC 7525 [1] recommends to use the following cipher suites only:

            • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
            • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
            • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

            [1] https://tools.ietf.org/html/rfc7525

              Attachments

                Issue Links

                relates to

                Bug - A problem which impairs or prevents the functions of the product. FLINK-9437 Revert cypher suite update

                • Blocker - Blocks development and/or testing work, production could not run
                • Closed
                links to

                Web Link GitHub Pull Request #5965

                  Activity

                    People

                    • Assignee:
                      StephanEwen Stephan Ewen
                      Reporter:
                      StephanEwen Stephan Ewen
                    • Votes:
                      0 Vote for this issue
                      Watchers:
                      4 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved: