flink-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-5981) SSL version and cipher suites cannot be constrained as configured
Date Wed, 15 Mar 2017 11:18:41 GMT

    [ https://issues.apache.org/jira/browse/FLINK-5981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15925930#comment-15925930 ]

ASF GitHub Bot commented on FLINK-5981:
---------------------------------------

Github user StephanEwen commented on a diff in the pull request:

    https://github.com/apache/flink/pull/3486#discussion_r106140551
  
    --- Diff: flink-runtime/src/test/java/org/apache/flink/runtime/net/SSLUtilsTest.java ---
    @@ -125,4 +129,101 @@ public void testCreateSSLServerContextMisconfiguration() {
     		}
     	}
     
    +	/**
    +	 * Tests if SSL Server Context creation fails with bad SSL configuration
    +	 */
    +	@Test
    +	public void testCreateSSLServerContextWithMultiProtocols() {
    +
    +		Configuration serverConfig = new Configuration();
    +		serverConfig.setBoolean(ConfigConstants.SECURITY_SSL_ENABLED, true);
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE, "src/test/resources/local127.keystore");
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE_PASSWORD, "password");
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_KEY_PASSWORD, "password");
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_PROTOCOL, "TLSv1,TLSv1.2");
    +
    +		try {
    +			SSLContext serverContext = SSLUtils.createSSLServerContext(serverConfig);
    +			Assert.fail("SSL server context created even with multiple protocols set ");
    +		} catch (Exception e) {
    +			// Exception here is valid
    +		}
    +	}
    +
    +	/**
    +	 * Tests if SSLUtils set the right ssl version and cipher suites for SSLServerSocket
    +	 */
    +	@Test
    +	public void testSetSSLVersionAndCipherSuitesForSSLServerSocket() throws Exception {
    +
    +		Configuration serverConfig = new Configuration();
    +		serverConfig.setBoolean(ConfigConstants.SECURITY_SSL_ENABLED, true);
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE, "src/test/resources/local127.keystore");
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE_PASSWORD, "password");
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_KEY_PASSWORD, "password");
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_PROTOCOL, "TLSv1.1");
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_ALGORITHMS, "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256");
    +
    +		int port = new Random().nextInt(65535);
    +		SSLContext serverContext = SSLUtils.createSSLServerContext(serverConfig);
    +		ServerSocket socket = null;
    +		try {
    +			socket = serverContext.getServerSocketFactory().createServerSocket(port);
    +
    +			String[] protocols = ((SSLServerSocket) socket).getEnabledProtocols();
    +			String[] algorithms = ((SSLServerSocket) socket).getEnabledCipherSuites();
    +
    +			Assert.assertNotEquals(protocols.length, 1);
    +			Assert.assertNotEquals(algorithms.length, 2);
    +
    +			SSLUtils.setSSLVerAndCipherSuites(socket, serverConfig);
    +			protocols = ((SSLServerSocket) socket).getEnabledProtocols();
    +			algorithms = ((SSLServerSocket) socket).getEnabledCipherSuites();
    +
    +			Assert.assertEquals(protocols.length, 1);
    +			Assert.assertEquals(protocols[0], "TLSv1.1");
    +			Assert.assertEquals(algorithms.length, 2);
    +			Assert.assertTrue(algorithms[0].equals("TLS_RSA_WITH_AES_128_CBC_SHA") || algorithms[0].equals("TLS_RSA_WITH_AES_128_CBC_SHA256"));
    +			Assert.assertTrue(algorithms[1].equals("TLS_RSA_WITH_AES_128_CBC_SHA") || algorithms[1].equals("TLS_RSA_WITH_AES_128_CBC_SHA256"));
    +		} finally {
    +			if (socket != null) {
    +				socket.close();
    +			}
    +		}
    +	}
    +
    +	/**
    +	 * Tests if SSLUtils set the right ssl version and cipher suites for SSLEngine
    +	 */
    +	@Test
    +	public void testSetSSLVersionAndCipherSuitesForSSLEngine() throws Exception {
    +
    +		Configuration serverConfig = new Configuration();
    +		serverConfig.setBoolean(ConfigConstants.SECURITY_SSL_ENABLED, true);
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE, "src/test/resources/local127.keystore");
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_KEYSTORE_PASSWORD, "password");
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_KEY_PASSWORD, "password");
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_PROTOCOL, "TLSv1");
    +		serverConfig.setString(ConfigConstants.SECURITY_SSL_ALGORITHMS, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256");
    +
    +		SSLContext serverContext = SSLUtils.createSSLServerContext(serverConfig);
    +		SSLEngine engine = serverContext.createSSLEngine();
    +
    +		String[] protocols = engine.getEnabledProtocols();
    +		String[] algorithms = engine.getEnabledCipherSuites();
    +
    +		Assert.assertNotEquals(protocols.length, 1);
    +		Assert.assertNotEquals(algorithms.length, 2);
    +
    +		SSLUtils.setSSLVerAndCipherSuites(engine, serverConfig);
    +		protocols = engine.getEnabledProtocols();
    +		algorithms = engine.getEnabledCipherSuites();
    +
    +		Assert.assertEquals(protocols.length, 1);
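Review bot: `int port = new Random().nextInt(65535);` in testSetSSLVersionAndCipherSuitesForSSLServerSocket can yield 0, a privileged port below 1024, or a port already in use, so the test will fail intermittently for reasons unrelated to SSLUtils; call `createServerSocket(0)` and let the OS pick a free port instead. Two smaller points in the same hunk: the pre-condition assertions `Assert.assertNotEquals(protocols.length, 1)` (in both the server-socket and the engine test) depend on the JDK's default enabled-protocol list rather than on anything SSLUtils does, so a JDK shipping with exactly one enabled protocol fails them before the code under test runs; and in testCreateSSLServerContextWithMultiProtocols the `catch (Exception e)` accepts any failure, including a missing keystore, as a pass, so catch the specific exception type that createSSLServerContext throws for an invalid protocol list, drop the unused `serverContext` local, and reword the Javadoc copied from the misconfiguration test to say that the test checks multiple protocols are rejected.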
    --- End diff --
    
    `assertEquals` takes the parameters the other way around: (expected, actual) rather than (actual, expected).
    
    Will fix that on the fly while merging...


> SSL version and cipher suites cannot be constrained as configured
> -----------------------------------------------------------------
>
>                 Key: FLINK-5981
>                 URL: https://issues.apache.org/jira/browse/FLINK-5981
>             Project: Flink
>          Issue Type: Bug
>          Components: Security
>            Reporter: Tao Wang
>            Assignee: Tao Wang
>
> I configured SSL and started a Flink job, but found that the configured properties are not applied properly:
> akka port: only cipher suites apply right, SSL version does not
> blob server/netty server: both SSL version and cipher suites are not like what I configured
> I've found out the reason why:
> http://stackoverflow.com/questions/11504173/sslcontext-initialization (for blob server and netty server)
> https://groups.google.com/forum/#!topic/akka-user/JH6bGnWE8kY (for akka SSL version, it's fixed in akka 2.4: https://github.com/akka/akka/pull/21078)
> I'll fix the issue on blob server and netty server, and it seems like only an upgrade of akka can solve the issue on the akka side (we'll consider it later as an upgrade is not a small action).
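The root cause the report points at is that an SSLContext carries no enabled-protocol or cipher-suite restriction of its own: every SSLServerSocket and SSLEngine created from it starts with the JDK defaults, so the configured allow-list has to be applied to each of those objects, which is what the SSLUtils.setSSLVerAndCipherSuites overloads exercised in the diff do. The Java program below is an added example written for this page; it is not Flink's code and not the patch under review. It shows the before/after state on both object types and validates the configured names against what the runtime supports, so that an unsupported name fails loudly instead of silently leaving the defaults in place. The class name and the configured protocol and cipher-suite values are constructed for the example and stand in for the SECURITY_SSL_PROTOCOL and SECURITY_SSL_ALGORITHMS settings.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocket;

/**
 * Added example (not Flink code): apply a configured TLS protocol / cipher-suite
 * allow-list to the objects that actually negotiate the handshake, an SSLEngine
 * and an SSLServerSocket, because the SSLContext they come from carries no such limit.
 */
public final class TlsAllowListExample {

    // Constructed values standing in for the SECURITY_SSL_PROTOCOL / SECURITY_SSL_ALGORITHMS settings.
    static final String CONFIGURED_PROTOCOL = "TLSv1.2";
    static final String CONFIGURED_CIPHER_SUITES =
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";

    /**
     * Intersects the comma-separated configured names with what the runtime supports,
     * keeping the JDK's preference order. Unsupported names are dropped rather than passed
     * through, since JSSE rejects them with IllegalArgumentException; an empty result means
     * the configuration is unusable on this JDK and is reported instead of falling back to defaults.
     */
    static String[] allowList(String[] supported, String configured, String kind) {
        Set<String> wanted = new HashSet<>();
        for (String name : configured.split(",")) {
            wanted.add(name.trim());
        }
        String[] enabled = Arrays.stream(supported).filter(wanted::contains).toArray(String[]::new);
        if (enabled.length == 0) {
            throw new IllegalStateException("none of the configured " + kind + "s are supported: " + configured);
        }
        return enabled;
    }

    /** Restricts an SSLEngine (the netty path) to the configured protocol and cipher suites. */
    static void constrain(SSLEngine engine, String protocol, String cipherSuites) {
        engine.setEnabledProtocols(allowList(engine.getSupportedProtocols(), protocol, "protocol"));
        engine.setEnabledCipherSuites(allowList(engine.getSupportedCipherSuites(), cipherSuites, "cipher suite"));
    }

    /** Restricts an SSLServerSocket (the blob server path) in the same way. */
    static void constrain(SSLServerSocket socket, String protocol, String cipherSuites) {
        socket.setEnabledProtocols(allowList(socket.getSupportedProtocols(), protocol, "protocol"));
        socket.setEnabledCipherSuites(allowList(socket.getSupportedCipherSuites(), cipherSuites, "cipher suite"));
    }

    public static void main(String[] args) throws Exception {
        // No key material is needed to show the point; a null-initialised context uses the JDK defaults.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null);

        SSLEngine engine = context.createSSLEngine();
        System.out.println("engine before: " + Arrays.toString(engine.getEnabledProtocols())
                + ", " + engine.getEnabledCipherSuites().length + " cipher suites");
        constrain(engine, CONFIGURED_PROTOCOL, CONFIGURED_CIPHER_SUITES);
        System.out.println("engine after:  " + Arrays.toString(engine.getEnabledProtocols())
                + ", " + Arrays.toString(engine.getEnabledCipherSuites()));

        // Port 0 lets the OS choose a free port, avoiding the flakiness of a random port number.
        try (SSLServerSocket socket =
                     (SSLServerSocket) context.getServerSocketFactory().createServerSocket(0)) {
            System.out.println("socket before: " + Arrays.toString(socket.getEnabledProtocols()));
            constrain(socket, CONFIGURED_PROTOCOL, CONFIGURED_CIPHER_SUITES);
            System.out.println("socket after:  " + Arrays.toString(socket.getEnabledProtocols())
                    + ", " + Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

Compile and run it with `javac TlsAllowListExample.java && java TlsAllowListExample`. The "before" lines print the JDK's default enabled protocol list and full default cipher list, the "after" lines print only the configured entries; the intersection step is the part worth copying, because a typo or a suite the JDK has since removed would otherwise throw at setEnabledCipherSuites time, or, if caught and ignored, leave the endpoint on the defaults the configuration was meant to rule out.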



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
