[ https://issues.apache.org/jira/browse/FLINK-9643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16533019#comment-16533019 ]
Stephan Ewen commented on FLINK-9643:
-------------------------------------

Thanks for reporting this.

The port you checked is the SSL endpoint managed by akka for RPC. The SSL endpoints that the Flink code explicitly configures should accept only TLSv1.2 (at least that is the default only accepted protocol). Could you check if the TM data port has the same problem?

Concerning fixing the problem that the akka port accepts all TLS versions: The code configures akka remoting with TLSv1.2 only by default:
- https://github.com/apache/flink/blob/master/flink-runtime/src/main/scala/org/apache/flink/runtime/akka/AkkaUtils.scala#L443
- https://github.com/apache/flink/blob/master/flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java#L141

Not sure why it should accept all TLS versions despite that config. In the end, we use the standard Java SSL infrastructure: https://github.com/apache/flink/blob/master/flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java#L83

Do you have any insights into this?

> Flink allowing TLS 1.1 in spite of configuring TLS 1.2
> ------------------------------------------------------
>
>                 Key: FLINK-9643
>                 URL: https://issues.apache.org/jira/browse/FLINK-9643
>             Project: Flink
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.3.2, 1.5.0, 1.4.2
>            Reporter: Vinay
>            Assignee: Viktor Vlasov
>            Priority: Major
>         Attachments: result.csv
>
>
> I have deployed Flink 1.3.2 and enabled SSL settings. From the ssl debug
> logs it shows that Flink is using TLSv1.2. However based on the security
> scans we have observed that it also allows TLSv1.0 and TLSv1.1.
>
> In order to strictly use TLSv1.2 we have updated the following property of
> java.security file:
> jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, TLSv1,
> TLSv1.1
> But still it allows TLSv1.1, verified this by hitting the following command
> from master node:
> openssl s_client -connect taskmanager1:<listening_address_port> -tls1
> (here listening_address_port is part of
> akka.ssl.tcp://flink@taskmanager1:port/user/taskmanager)
> Now, when I hit the above command for the data port, it does not allow
> TLSv1.1 and only allows TLSv1.2

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
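The discussion above turns on a property of the standard Java SSL stack that the comment points to: an `SSLContext` carries no protocol allow-list of its own, so every `SSLEngine` or socket created from it starts with the JDK's default enabled protocols (whatever `jdk.tls.disabledAlgorithms` leaves enabled) unless `setEnabledProtocols` is called on that engine explicitly. The following is an added illustration, not Flink's or akka's code; the class name `TlsProtocolCheck`, the helper names and the `ALLOWED` list are assumptions made for the example. It builds two engines from the same context, one left at defaults and one restricted to TLSv1.2, and reports which versions outside the allow-list the unrestricted engine would still negotiate, which is the kind of check a reviewer would want at each place an engine is created.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper class for this example; not part of Flink.
public final class TlsProtocolCheck {

    // The only protocol version each endpoint is supposed to accept (assumption: TLSv1.2-only policy).
    static final String[] ALLOWED = {"TLSv1.2"};

    // An engine created the plain way: its enabled protocols are the JDK defaults for this
    // SSLContext (after jdk.tls.disabledAlgorithms is applied), not anything from a config string.
    static SSLEngine defaultEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // server side, as for an RPC or data port listener
        return engine;
    }

    // The same engine with the allow-list applied. This must be done on every engine (or socket)
    // that is created, because restricting one engine does not change the SSLContext.
    static SSLEngine restrictedEngine(SSLContext ctx) {
        SSLEngine engine = defaultEngine(ctx);
        engine.setEnabledProtocols(ALLOWED);
        return engine;
    }

    // Protocol versions the engine would negotiate that are not on the allow-list.
    // An empty set means the endpoint is as strict as the policy demands.
    static Set<String> unexpectedProtocols(SSLEngine engine) {
        Set<String> enabled = new HashSet<>(Arrays.asList(engine.getEnabledProtocols()));
        enabled.removeAll(Arrays.asList(ALLOWED));
        return enabled;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // no key material is needed just to inspect enabled protocols

        SSLEngine plain = defaultEngine(ctx);
        SSLEngine strict = restrictedEngine(ctx);

        System.out.println("default engine enables:    " + Arrays.toString(plain.getEnabledProtocols()));
        System.out.println("restricted engine enables: " + Arrays.toString(strict.getEnabledProtocols()));
        // Which of these are printed depends on the running JDK's jdk.tls.disabledAlgorithms;
        // on a JDK 8 of the era in the report, TLSv1 and TLSv1.1 typically appear here.
        System.out.println("outside allow-list (default engine):    " + unexpectedProtocols(plain));
        System.out.println("outside allow-list (restricted engine): " + unexpectedProtocols(strict));
    }
}
```

The point of the two engines side by side is the one relevant to the report: a TLSv1.2-only setting that lives in a configuration object is only effective at the endpoint whose engine actually receives a `setEnabledProtocols` call, so an endpoint that still answers `openssl s_client -tls1` is one where that call never reached the engine, and `unexpectedProtocols` on the engine at creation time is a cheap way to detect that before a scanner does.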