Hi,

I have deployed Flink 1.3.2 and enabled SSL settings. From the ssl debug logs it shows that Flink is using TLSv1.2. However based on the security scans we have observed that it also allows TLSv1.0 and TLSv1.1.

In order to strictly use TLSv1.2 we have updated the following property of java.security file:

    jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, TLSv1, TLSv1.1

But still it allows TLSv1.1, verified this by hitting the following command from master node:

    openssl s_client -connect taskmanager1:<listening_address_port> -tls1

(here listening_address_port is part of akka.ssl.tcp://flink@taskmanager1:port/user/taskmanager)

Now, when I hit the above command for the data port, it does not allow TLSv1.1 and only allows TLSv1.2.

Can you please let me know how can I enforce all the flink ports to use TLSv1.2.

Regards,
Vinay Patil

--
Sent from: http://apache-flink-user-mailing-list-archive.2336050.n4.nabble.com/

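Added example (not from the original thread or the Flink project): the check from the message above, run for every listener and every protocol version, so a port that still negotiates TLSv1.0 or TLSv1.1 is flagged. The function names and sample excerpts are constructed for illustration; the classification assumes `openssl s_client` prints its usual `Cipher is ...` summary line and `connect:errno=` on a failed TCP connect.

```shell
#!/bin/sh
# Added example. Usage: sh tls_audit.sh HOST PORT [PORT...]
# e.g. the akka listener port and the data port of one TaskManager.

# Classify `openssl s_client` output read from stdin.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"connect:errno="*)   echo unreachable ;;  # TCP connect failed
        *"Cipher is (NONE)"*) echo rejected ;;     # handshake refused
        *"Cipher is "*)       echo accepted ;;     # a cipher was negotiated
        *)                    echo rejected ;;     # no handshake summary
    esac
}

# Offer exactly one protocol version (FLAG) to HOST:PORT.
probe() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# One line per port and version; returns 1 if any port accepts
# TLSv1.0 or TLSv1.1, 0 otherwise.
audit() {
    host=$1; shift; rc=0
    for port in "$@"; do
        for flag in -tls1 -tls1_1 -tls1_2; do
            result=$(probe "$host" "$port" "$flag")
            echo "$host:$port $flag $result"
            if [ "$flag" != -tls1_2 ] && [ "$result" = accepted ]; then
                rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed s_client summary lines (not captured from a real host).
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)'

if [ "$#" -ge 2 ]; then
    audit "$@"
else
    # No arguments: show the classifier on the constructed samples.
    printf '%s\n' "$SAMPLE_OK" | classify_handshake
    printf '%s\n' "$SAMPLE_REFUSED" | classify_handshake
fi
```

If the local OpenSSL build or its configuration refuses TLSv1.0/1.1 itself, every legacy probe reads as rejected regardless of the server, so confirm the client can offer those versions first.
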
Hi,

Can someone please help me with this issue.

Regards,
Vinay Patil

Hi Vinay,

This looks like a bug. Would you mind creating a Jira ticket [1] for this issue?

Thank you very much,
Fabian

2018-06-21 9:25 GMT+02:00 Vinay Patil <[hidden email]>:

Hi Fabian,

Created a JIRA ticket: https://issues.apache.org/jira/browse/FLINK-9643

Regards,
Vinay Patil

On Fri, Jun 22, 2018 at 1:25 PM Fabian Hueske <[hidden email]> wrote:

Great, thank you!

2018-06-22 10:16 GMT+02:00 Vinay Patil <[hidden email]>: