[jira] [Commented] (FLINK-28521) Hostname verification in ssl context is not working

Tue, 19 Jul 2022 08:08:10 -0700 


    [ 
https://issues.apache.org/jira/browse/FLINK-28521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17568600#comment-17568600
 ] 

Jean-Damien HATZENBUHLER commented on FLINK-28521:
--------------------------------------------------


It make sense to skip hostname verification when 
{{security.ssl.internal.cert.fingerprint}} or 
{{security.ssl.rest.cert.fingerprint}} is setup.
However if those options are not set we need to use 
{{security.ssl.verify-hostname}} to control the hostname verification.
I changed the proposed solution regarding your remarks.

> Hostname verification in ssl context is not working
> ---------------------------------------------------
>
>                 Key: FLINK-28521
>                 URL: https://issues.apache.org/jira/browse/FLINK-28521
>             Project: Flink
>          Issue Type: Bug
>          Components: Runtime / Network
>    Affects Versions: 1.13.6, 1.14.5, 1.15.1
>            Reporter: Jean-Damien HATZENBUHLER
>            Assignee: Jean-Damien HATZENBUHLER
>            Priority: Major
>              Labels: security
>
> The hostname certificate is not check in ssl context.
> Moreover the {{security.ssl.verify-hostname}} is not used anywhere in the 
> code.
> The issue come from {{netty4}} where the hostname verification is not enable 
> by default. See 
> [documentation|https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newEngine-io.netty.buffer.ByteBufAllocator-]
> h2. How to fix this issue:
> In {{org.apache.flink.runtime.io.network.netty.SSLHandlerFactory}}:
> * Add a new parameter on instance creation: {{isHostnameVerificationEnabled}}
> * This parameter will be set to {{false}} if 
> {{security.ssl.internal.cert.fingerprint}} or 
> {{security.ssl.rest.cert.fingerprint}} is setup
> * Add the following code after creating an {{SSLEngine}}: 
> {code:java}
> SSLEngine sslEngine = sslContext.newEngine(...)
> if (isHostnameVerificationEnabled){
>     SSLParameters sslParameters = sslEngine.getSSLParameters();
>     sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
>     sslEngine.setSSLParameters(sslParameters);
> }
> return sslEngine;
> {code}
> In {{org.apache.flink.runtime.net.SSLUtils}} add new parameter on each {{new 
> SSLHandlerFactory}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to