diff --git a/docs/_includes/generated/security_configuration.html b/docs/_includes/generated/security_configuration.html
index fae05255d4d0fffad2dbe9edb1bfe0acaade2d34..cd682ecaf0f7eb92ceea0493714785bb1ad0fe8c 100644
--- a/docs/_includes/generated/security_configuration.html
+++ b/docs/_includes/generated/security_configuration.html
@@ -9,7 +9,7 @@
security.ssl.algorithms
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+ "TLS_RSA_WITH_AES_128_CBC_SHA"
 The comma separated list of standard SSL algorithms to be supported. Read more <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites">here</a>.
diff --git a/docs/ops/security-ssl.md b/docs/ops/security-ssl.md
index c2ba7df8849f600964b95ae109c37d04e52ac421..1a3c3810250d6babbe482a51a1a2d59ce63fed14 100644
--- a/docs/ops/security-ssl.md
+++ b/docs/ops/security-ssl.md
@@ -33,6 +33,19 @@ SSL can be enabled for all network communication between Flink components. SSL k
 * **akka.ssl.enabled**: SSL flag for akka based control connection between the Flink client, jobmanager and taskmanager
 * **jobmanager.web.ssl.enabled**: Flag to enable https access to the jobmanager's web frontend
+**IMPORTANT**
+
+The [IETF RFC 7525](https://tools.ietf.org/html/rfc7525) recommends to use a specific set of cipher suites for strong security.
+Because these cipher suites were not available on many setups out of the box, Flink's default value is set to a slightly
+weaker but more compatible cipher suite.
+We recommend that SSL setups update to the stronger cipher suites, if possible, by adding the below entry to the Flink configuration:
+
+{% highlight yaml %}
+security.ssl.algorithms: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+{% endhighlight %}
+
+If these suites are not supported on your setup, you will see that Flink processes will not be able to connect to each other.
+
 ## Deploying Keystores and Truststores
 You need to have a Java Keystore generated and copied to each node in the Flink cluster. The common name or subject alternative names in the certificate should match the node's hostname and IP address. Keystores and truststores can be generated using the [keytool utility](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html). All Flink components should have read access to the keystore and truststore files.
diff --git a/flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java b/flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java
index feae5877725059ecd479b16a790ba71c9d42b30a..fc7e39159a64d01b94d5a7ec7673b98f61f347f6 100644
--- a/flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java
+++ b/flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java
@@ -151,7 +151,7 @@ public class SecurityOptions {
  */
 public static final ConfigOption SSL_ALGORITHMS = key("security.ssl.algorithms")
- .defaultValue("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
+ .defaultValue("TLS_RSA_WITH_AES_128_CBC_SHA")
 .withDescription("The comma separated list of standard SSL algorithms to be supported. Read more" + " here.");
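Review bot: The new default `TLS_RSA_WITH_AES_128_CBC_SHA` gives up forward secrecy (static RSA key exchange) and replaces an AEAD suite with CBC plus a SHA-1 MAC, which RFC 7525 — the document the accompanying docs change cites — recommends against, yet the `withDescription` text in this hunk says nothing about that trade-off, so an operator who reads only the option will not know the default is a compatibility fallback. I would extend the description, e.g. append `" The default is chosen for broad JRE compatibility and is weaker than the RFC 7525 suites documented under Security / SSL; set this option to the DHE/ECDHE GCM suites where your JRE supports them."`, and state the same rationale in the field's Javadoc, which begins above the hunk (only its closing `*/` is visible here). If the code that applies this list (not in this diff) tolerates entries the provider does not support, a default that lists the forward-secret suites first and the CBC suite last would keep compatibility while still negotiating the stronger suite where available; if it hands the list straight to `setEnabledCipherSuites`, an unsupported entry throws, which presumably motivated the single-suite default and is worth saying explicitly so the next reader does not re-widen it by accident.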