Github user EronWright commented on the issue:
https://github.com/apache/flink/pull/3061
@VanessaHenderson nothing at this time. If you're not able to use
hostname verification as-is (given the non-canonical names that are used),
consider carefully controlling the truststore that is used to only accept the
known certificates. Also, here's a draft of the FLIP that would supersede this
earlier work:
[FLIP-?: Service
Authorization](https://docs.google.com/document/d/13IRPb2GdL842rIzMgEn0ibOQHNku6W8aMf1p7gCPJjg/edit?usp=sharing)
---
