Jean-Damien HATZENBUHLER created FLINK-28521:
------------------------------------------------

             Summary: Hostname verification in ssl context is not working
                 Key: FLINK-28521
                 URL: https://issues.apache.org/jira/browse/FLINK-28521
             Project: Flink
          Issue Type: Bug
          Components: Runtime / Network
    Affects Versions: 1.15.1, 1.15.0, 1.14.5, 1.14.4, 1.14.3, 1.13.6, 1.14.2
            Reporter: Jean-Damien HATZENBUHLER


The hostname in the certificate is not checked in the ssl context. Moreover, {{security.ssl.verify-hostname}} is not used anywhere in the code.

The issue comes from {{netty4}}, where hostname verification is not enabled by default. See [documentation|https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newEngine-io.netty.buffer.ByteBufAllocator-]

h2. How to fix this issue:

In {{org.apache.flink.runtime.io.network.netty.SSLHandlerFactory}}:
* Add a new parameter on instance creation: {{isHostnameVerificationEnabled}}
* Add the following code after creating an {{SSLEngine}}:

{code:java}
SSLEngine sslEngine = sslContext.newEngine(...);
if (isHostnameVerificationEnabled) {
    SSLParameters sslParameters = sslEngine.getSSLParameters();
    sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
    sslEngine.setSSLParameters(sslParameters);
}
return sslEngine;
{code}

In {{org.apache.flink.runtime.net.SSLUtils}}, add the new parameter on each {{new SSLHandlerFactory}}.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
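The proposed fix, worked through as a stand-alone example (added here; not Flink's {{SSLHandlerFactory}} and not code from the issue). It wraps a Netty {{SslContext}}, creates the engine with the {{newEngine(alloc, peerHost, peerPort)}} overload so the JDK has a peer name to compare the certificate against, and exposes a check a test can use to confirm endpoint identification is on. {{VerifiedEngineFactory}}, {{newClientEngine}} and {{verifiesHostname}} are hypothetical names; the boolean stands in for the {{security.ssl.verify-hostname}} setting.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Hypothetical factory: an SslContext plus the verify-hostname switch. */
public final class VerifiedEngineFactory {
    private final SslContext sslContext;
    private final boolean hostnameVerificationEnabled;

    VerifiedEngineFactory(SslContext sslContext, boolean hostnameVerificationEnabled) {
        this.sslContext = sslContext;
        this.hostnameVerificationEnabled = hostnameVerificationEnabled;
    }

    /**
     * Client-side engine bound to peerHost:peerPort. The peer host must be passed
     * here: the "HTTPS" endpoint identification algorithm matches the server
     * certificate against the engine's peer host, so an engine created without one
     * has nothing to verify against.
     */
    SSLEngine newClientEngine(ByteBufAllocator alloc, String peerHost, int peerPort) {
        SSLEngine engine = sslContext.newEngine(alloc, peerHost, peerPort);
        if (hostnameVerificationEnabled) {
            // Netty leaves this null, which disables hostname verification in the JDK.
            SSLParameters params = engine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
        }
        return engine;
    }

    /** Assertable check for a unit test: is the engine configured to verify hostnames? */
    static boolean verifiesHostname(SSLEngine engine) {
        return "HTTPS".equals(engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        // Constructed: client context using the JDK default trust store (no custom trust manager).
        SslContext ctx = SslContextBuilder.forClient().build();
        SSLEngine off = new VerifiedEngineFactory(ctx, false)
                .newClientEngine(ByteBufAllocator.DEFAULT, "jobmanager.example.invalid", 6123);
        SSLEngine on = new VerifiedEngineFactory(ctx, true)
                .newClientEngine(ByteBufAllocator.DEFAULT, "jobmanager.example.invalid", 6123);
        System.out.println("verification disabled -> " + verifiesHostname(off)); // false
        System.out.println("verification enabled  -> " + verifiesHostname(on));  // true
    }
}
```

Setting the algorithm alone is not enough on the client: if the engine is created with the single-argument {{newEngine(alloc)}} the session has no peer host, so keep the host/port overload wherever the flag is honoured.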