  1. Flink
  2. FLINK-9643

Flink allowing TLS 1.1 in spite of configuring TLS 1.2


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.3.2
    • 1.4.2
    • Runtime / Coordination
    • None

    Description

      I have deployed Flink 1.3.2 and enabled SSL settings. The SSL debug
      logs show that Flink is using TLSv1.2. However, based on the security
      scans, we have observed that it also allows TLSv1.0 and TLSv1.1.

      In order to strictly use TLSv1.2, we have updated the following property
      of the java.security file:

      jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, TLSv1, TLSv1.1

      But it still allows TLSv1.1; I verified this by running the following
      command from the master node:

      openssl s_client -connect taskmanager1:<listening_address_port> -tls1 

      (here listening_address_port is part of 
      akka.ssl.tcp://flink@taskmanager1:port/user/taskmanager) 

      Now, when I hit the above command for the data port, it does not allow 
      TLSv1.1 and only allows TLSv1.2 
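
Added example (not part of the original report and not Flink code): a per-port check that pins one TLS version per handshake, so the Akka RPC port and the data port can be compared the same way the report does with openssl s_client. The function names, the status strings and the SECLEVEL=0 cipher string are assumptions of this sketch; host and ports are supplied on the command line.

```python
import socket
import ssl
import sys

# Versions to probe; the goal stated in the report is that only TLSv1.2 is accepted.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, version, timeout=3.0):
    """Attempt one handshake pinned to `version` and return a status string."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with raw:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # checking protocol support, not trust
        try:
            # Allow the local OpenSSL to offer legacy versions at all.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # library without security levels; keep its defaults
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with ctx.wrap_socket(raw):
                return "accepted"
        except ValueError:
            return "client-unsupported"  # local build cannot pin this version
        except ssl.SSLError as exc:
            # A local refusal is not evidence about the server.
            if "NO_PROTOCOLS_AVAILABLE" in str(exc):
                return "client-unsupported"
            return "rejected"
        except OSError:
            return "rejected"  # reset or timeout during the handshake

def audit(host, port, allowed=("TLSv1.2",), timeout=3.0):
    """Probe every version; return (results, versions accepted but not allowed)."""
    results = {n: probe(host, port, v, timeout) for n, v in VERSIONS.items()}
    bad = [n for n, r in results.items() if r == "accepted" and n not in allowed]
    return results, bad

if __name__ == "__main__":  # usage: script HOST PORT [PORT ...]
    for p in sys.argv[2:]:
        print(p, audit(sys.argv[1], int(p)))
```

A non-empty second element in the result of audit() for a port means that listener still completes handshakes below TLSv1.2; "client-unsupported" means the local OpenSSL could not offer that version, so the result says nothing about the server.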

      Attachments

        1. test.png
          128 kB
          Viktor Vlasov
        2. result2_rpc.csv
          2 kB
          Viktor Vlasov
        3. result.csv
          2 kB
          Viktor Vlasov
        4. result_2.csv
          2 kB
          Viktor Vlasov


          People

            bioker Viktor Vlasov
            vinaypatil18 Vinay
            Votes: 0
            Watchers: 4
