[
https://issues.apache.org/jira/browse/FLINK-28521?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jean-Damien HATZENBUHLER updated FLINK-28521:
---------------------------------------------
Description:
The hostname certificate is not check in ssl context.
Moreover the {{security.ssl.verify-hostname}} is not used anywhere in the code.
The issue come from {{netty4}} where the hostname verification is not enable by
default. See
[documentation|https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newEngine-io.netty.buffer.ByteBufAllocator-]
h2. How to fix this issue:
In {{org.apache.flink.runtime.io.network.netty.SSLHandlerFactory}}:
* Add a new parameter on instance creation: {{isHostnameVerificationEnabled}}
* This parameter will be set to {{false}} if
{{security.ssl.internal.cert.fingerprint}} or
{{security.ssl.rest.cert.fingerprint}} is setup
* Add the following code after creating an {{SSLEngine}}:
{code:java}
SSLEngine sslEngine = sslContext.newEngine(...)
if (isHostnameVerificationEnabled){
SSLParameters sslParameters = sslEngine.getSSLParameters();
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
sslEngine.setSSLParameters(sslParameters);
}
return sslEngine;
{code}
In {{org.apache.flink.runtime.net.SSLUtils}} add new parameter on each {{new
SSLHandlerFactory}}
was:
The hostname certificate is not check in ssl context.
Moreover the {{security.ssl.verify-hostname}} is not used anywhere in the code.
The issue come from {{netty4}} where the hostname verification is not enable by
default. See
[documentation|https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newEngine-io.netty.buffer.ByteBufAllocator-]
h2. How to fix this issue:
In {{org.apache.flink.runtime.io.network.netty.SSLHandlerFactory}}:
* Add a new parameter on instance creation: {{isHostnameVerificationEnabled}}
* Add the following code after creating an {{SSLEngine}}:
{code:java}
SSLEngine sslEngine = sslContext.newEngine(...)
if (isHostnameVerificationEnabled){
SSLParameters sslParameters = sslEngine.getSSLParameters();
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
sslEngine.setSSLParameters(sslParameters);
}
return sslEngine;
{code}
In {{org.apache.flink.runtime.net.SSLUtils}} add new parameter on each {{new
SSLHandlerFactory}}
> Hostname verification in ssl context is not working
> ---------------------------------------------------
>
> Key: FLINK-28521
> URL: https://issues.apache.org/jira/browse/FLINK-28521
> Project: Flink
> Issue Type: Bug
> Components: Runtime / Network
> Affects Versions: 1.13.6, 1.14.5, 1.15.1
> Reporter: Jean-Damien HATZENBUHLER
> Assignee: Jean-Damien HATZENBUHLER
> Priority: Major
> Labels: security
>
> The hostname certificate is not check in ssl context.
> Moreover the {{security.ssl.verify-hostname}} is not used anywhere in the
> code.
> The issue come from {{netty4}} where the hostname verification is not enable
> by default. See
> [documentation|https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newEngine-io.netty.buffer.ByteBufAllocator-]
> h2. How to fix this issue:
> In {{org.apache.flink.runtime.io.network.netty.SSLHandlerFactory}}:
> * Add a new parameter on instance creation: {{isHostnameVerificationEnabled}}
> * This parameter will be set to {{false}} if
> {{security.ssl.internal.cert.fingerprint}} or
> {{security.ssl.rest.cert.fingerprint}} is setup
> * Add the following code after creating an {{SSLEngine}}:
> {code:java}
> SSLEngine sslEngine = sslContext.newEngine(...)
> if (isHostnameVerificationEnabled){
> SSLParameters sslParameters = sslEngine.getSSLParameters();
> sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
> sslEngine.setSSLParameters(sslParameters);
> }
> return sslEngine;
> {code}
> In {{org.apache.flink.runtime.net.SSLUtils}} add new parameter on each {{new
> SSLHandlerFactory}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
