[
https://issues.apache.org/jira/browse/FLINK-9878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16552553#comment-16552553
]
ASF GitHub Bot commented on FLINK-9878:
---------------------------------------
Github user pnowojski commented on a diff in the pull request:
https://github.com/apache/flink/pull/6355#discussion_r204328596
--- Diff:
flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java ---
@@ -163,80 +163,188 @@ public static void
setSSLVerifyHostname(Configuration sslConfig, SSLParameters s
}
/**
- * Creates the SSL Context for the client if SSL is configured.
+ * Configuration settings and key/trustmanager instances to set up an
SSL client connection.
+ */
+ public static class SSLClientConfiguration {
+ public final String sslProtocolVersion;
+ public final TrustManagerFactory trustManagerFactory;
+ public final int sessionCacheSize;
+ public final int sessionTimeoutMs;
+ public final int handshakeTimeoutMs;
+ public final int closeNotifyFlushTimeoutMs;
+
+ public SSLClientConfiguration(
+ String sslProtocolVersion,
+ TrustManagerFactory trustManagerFactory,
+ int sessionCacheSize,
+ int sessionTimeoutMs,
+ int handshakeTimeoutMs,
+ int closeNotifyFlushTimeoutMs) {
+ this.sslProtocolVersion = sslProtocolVersion;
+ this.trustManagerFactory = trustManagerFactory;
+ this.sessionCacheSize = sessionCacheSize;
+ this.sessionTimeoutMs = sessionTimeoutMs;
+ this.handshakeTimeoutMs = handshakeTimeoutMs;
+ this.closeNotifyFlushTimeoutMs =
closeNotifyFlushTimeoutMs;
+ }
+ }
+
+ /**
+ * Creates necessary helper objects to use for creating an SSL Context
for the client if SSL is
+ * configured.
*
* @param sslConfig
* The application configuration
- * @return The SSLContext object which can be used by the ssl transport
client
- * Returns null if SSL is disabled
+ * @return The SSLClientConfiguration object which can be used for
creating some SSL context object;
+ * returns <tt>null</tt> if SSL is disabled.
* @throws Exception
* Thrown if there is any misconfiguration
*/
@Nullable
- public static SSLContext createSSLClientContext(Configuration
sslConfig) throws Exception {
-
+ public static SSLClientConfiguration
createSSLClientConfiguration(Configuration sslConfig) throws Exception {
Preconditions.checkNotNull(sslConfig);
- SSLContext clientSSLContext = null;
if (getSSLEnabled(sslConfig)) {
- LOG.debug("Creating client SSL context from
configuration");
+ LOG.debug("Creating client SSL configuration");
String trustStoreFilePath =
sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE);
String trustStorePassword =
sslConfig.getString(SecurityOptions.SSL_TRUSTSTORE_PASSWORD);
String sslProtocolVersion =
sslConfig.getString(SecurityOptions.SSL_PROTOCOL);
+ int sessionCacheSize =
sslConfig.getInteger(SecurityOptions.SSL_SESSION_CACHE_SIZE);
+ int sessionTimeoutMs =
sslConfig.getInteger(SecurityOptions.SSL_SESSION_TIMEOUT);
+ int handshakeTimeoutMs =
sslConfig.getInteger(SecurityOptions.SSL_HANDSHAKE_TIMEOUT);
+ int closeNotifyFlushTimeoutMs =
sslConfig.getInteger(SecurityOptions.SSL_CLOSE_NOTIFY_FLUSH_TIMEOUT);
Preconditions.checkNotNull(trustStoreFilePath,
SecurityOptions.SSL_TRUSTSTORE.key() + " was not configured.");
Preconditions.checkNotNull(trustStorePassword,
SecurityOptions.SSL_TRUSTSTORE_PASSWORD.key() + " was not configured.");
KeyStore trustStore =
KeyStore.getInstance(KeyStore.getDefaultType());
- FileInputStream trustStoreFile = null;
- try {
- trustStoreFile = new FileInputStream(new
File(trustStoreFilePath));
+ try (FileInputStream trustStoreFile = new
FileInputStream(new File(trustStoreFilePath))) {
trustStore.load(trustStoreFile,
trustStorePassword.toCharArray());
- } finally {
- if (trustStoreFile != null) {
- trustStoreFile.close();
- }
}
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
- clientSSLContext =
SSLContext.getInstance(sslProtocolVersion);
- clientSSLContext.init(null,
trustManagerFactory.getTrustManagers(), null);
+ return new SSLClientConfiguration(
+ sslProtocolVersion,
+ trustManagerFactory,
+ sessionCacheSize,
+ sessionTimeoutMs,
+ handshakeTimeoutMs,
+ closeNotifyFlushTimeoutMs);
+ }
+
+ return null;
+ }
+
+ /**
+ * Creates the SSL Context for the client assuming SSL is configured.
+ *
+ * @param sslConfig
+ * SSL configuration
+ * @return The SSLContext object which can be used by the ssl transport
client
+ * @throws Exception
+ * Thrown if there is any misconfiguration
+ */
+ public static SSLContext createSSLClientContext(SSLClientConfiguration
sslConfig) throws Exception {
+ Preconditions.checkNotNull(sslConfig);
+
+ LOG.debug("Creating client SSL context from configuration");
+ SSLContext clientSSLContext =
SSLContext.getInstance(sslConfig.sslProtocolVersion);
+ clientSSLContext.init(null,
sslConfig.trustManagerFactory.getTrustManagers(), null);
+ if (sslConfig.sessionCacheSize >= 0) {
+
clientSSLContext.getClientSessionContext().setSessionCacheSize(sslConfig.sessionCacheSize);
+ }
+ if (sslConfig.sessionTimeoutMs >= 0) {
+
clientSSLContext.getClientSessionContext().setSessionTimeout(sslConfig.sessionTimeoutMs
/ 1000);
}
return clientSSLContext;
}
/**
- * Creates the SSL Context for the server if SSL is configured.
+ * Creates the SSL Context for the client if SSL is configured.
*
* @param sslConfig
* The application configuration
- * @return The SSLContext object which can be used by the ssl transport
server
+ * @return The SSLContext object which can be used by the ssl transport
client
* Returns null if SSL is disabled
* @throws Exception
* Thrown if there is any misconfiguration
*/
@Nullable
- public static SSLContext createSSLServerContext(Configuration
sslConfig) throws Exception {
+ public static SSLContext createSSLClientContext(Configuration
sslConfig) throws Exception {
+ Preconditions.checkNotNull(sslConfig);
+ SSLContext clientSSLContext = null;
+
+ if (getSSLEnabled(sslConfig)) {
+ SSLClientConfiguration clientConfiguration =
createSSLClientConfiguration(sslConfig);
+ clientSSLContext =
createSSLClientContext(clientConfiguration);
+ }
+ return clientSSLContext;
+ }
+
+ /**
+ * Configuration settings and key/trustmanager instances to set up an
SSL server connection.
+ */
+ public static class SSLServerConfiguration {
+ public final String sslProtocolVersion;
+ public final String[] ciphers;
+ public final KeyManagerFactory keyManagerFactory;
+ public final int sessionCacheSize;
+ public final int sessionTimeoutMs;
+ public final int handshakeTimeoutMs;
+ public final int closeNotifyFlushTimeoutMs;
+
+ public SSLServerConfiguration(
+ String sslProtocolVersion,
+ String[] ciphers,
+ KeyManagerFactory keyManagerFactory,
+ int sessionCacheSize,
+ int sessionTimeoutMs,
+ int handshakeTimeoutMs,
+ int closeNotifyFlushTimeoutMs) {
+ this.sslProtocolVersion = sslProtocolVersion;
+ this.ciphers = ciphers;
+ this.keyManagerFactory = keyManagerFactory;
+ this.sessionCacheSize = sessionCacheSize;
+ this.sessionTimeoutMs = sessionTimeoutMs;
+ this.handshakeTimeoutMs = handshakeTimeoutMs;
+ this.closeNotifyFlushTimeoutMs =
closeNotifyFlushTimeoutMs;
+ }
+ }
+
+ /**
+ * Creates necessary helper objects to use for creating an SSL Context
for the server if SSL is
+ * configured.
+ *
+ * @param sslConfig
+ * The application configuration
+ * @return The SSLServerConfiguration object which can be used for
creating some SSL context object;
+ * returns <tt>null</tt> if SSL is disabled.
+ * @throws Exception
+ * Thrown if there is any misconfiguration
+ */
+ @Nullable
+ public static SSLServerConfiguration
createSSLServerConfiguration(Configuration sslConfig) throws Exception {
Preconditions.checkNotNull(sslConfig);
- SSLContext serverSSLContext = null;
if (getSSLEnabled(sslConfig)) {
--- End diff --
1. ditto:
```
if (!getSSLEnabled(sslConfig)) {
return Optional.empty();
}
```
2. possible ditto: code duplication.
> IO worker threads BLOCKED on SSL Session Cache while CMS full gc
> ----------------------------------------------------------------
>
> Key: FLINK-9878
> URL: https://issues.apache.org/jira/browse/FLINK-9878
> Project: Flink
> Issue Type: Bug
> Components: Network
> Affects Versions: 1.5.0, 1.5.1, 1.6.0
> Reporter: Nico Kruber
> Assignee: Nico Kruber
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.5.2, 1.6.0
>
>
> According to https://github.com/netty/netty/issues/832, there is a JDK issue
> during garbage collection when the SSL session cache is not limited. We
> should allow the user to configure this and further (advanced) SSL parameters
> for fine-tuning to fix this and similar issues. In particular, the following
> parameters should be configurable:
> - SSL session cache size
> - SSL session timeout
> - SSL handshake timeout
> - SSL close notify flush timeout
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
