Edward Rojas created FLINK-9103:
-----------------------------------

             Summary: SSL verification on TaskManager when parallelism > 1
                 Key: FLINK-9103
                 URL: https://issues.apache.org/jira/browse/FLINK-9103
             Project: Flink
          Issue Type: Bug
          Components: Docker, Security
    Affects Versions: 1.4.0
            Reporter: Edward Rojas
         Attachments: job.log, task0.log

In dynamic environments like Kubernetes, the SSL certificates can be generated 
to use only the DNS addresses for validation of the identity of servers, given 
that the IP can change eventually.

In these cases, when executing jobs with parallelism set to 1, the SSL 
validations are good and the JobManager can communicate with the TaskManager 
and vice versa.

But with parallelism set to more than 1, SSL validation fails when 
TaskManagers communicate with each other, as it seems to try to validate 
against the IP address:


Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 172.xx.xxx.xxx found
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
    ... 21 more
 
From the logs, it seems the task managers successfully register their full 
address to Netty, but still the IP is used.
 
Attached pertinent logs from JobManager and a TaskManager. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
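
The name check that fails in the stack trace above, as an added example that is not part of the original report and is neither Flink nor JDK code: a simplified model of the rule that a peer addressed by IP literal is compared only with iPAddress subject alternative names, never with dNSName entries. The function names, host names and the address 172.16.0.12 are constructed for illustration.

```python
import ipaddress

def is_ip(name):
    """True if the peer identifier is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify_peer(peer, sans):
    """sans: list of (type, value), type 'DNS' or 'IP'. Returns (ok, reason)."""
    if is_ip(peer):
        # An IP literal is only ever compared with iPAddress entries, so a
        # DNS-only certificate can never satisfy a connection made by IP.
        want = ipaddress.ip_address(peer)
        if any(t == "IP" and ipaddress.ip_address(v) == want for t, v in sans):
            return True, "matched iPAddress SAN"
        return False, "no subject alternative names matching IP address " + peer
    if any(t == "DNS" and dns_match(v, peer) for t, v in sans):
        return True, "matched dNSName SAN"
    return False, "no subject alternative DNS name matching " + peer

# Constructed sample data (not taken from the attached logs).
DNS_ONLY_CERT = [("DNS", "*.flink-tm.example.svc.cluster.local")]
DNS_AND_IP_CERT = DNS_ONLY_CERT + [("IP", "172.16.0.12")]
PEER_HOST = "tm-1.flink-tm.example.svc.cluster.local"
PEER_IP = "172.16.0.12"

if __name__ == "__main__":
    for label, sans in (("DNS-only", DNS_ONLY_CERT), ("DNS+IP", DNS_AND_IP_CERT)):
        for peer in (PEER_HOST, PEER_IP):
            print(label, peer, verify_peer(peer, sans))
```

With the DNS-only certificate the same peer verifies when addressed by host name and fails when addressed by IP, which is the asymmetry the report describes between the two connection paths.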
