Skip to content

[FLINK-38953] Cleanup configurations for SSL hostname verification #27457

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mateczagany wants to merge 2 commits into
base: master
Choose a base branch
from
Open

[FLINK-38953] Cleanup configurations for SSL hostname verification #27457

mateczagany wants to merge 2 commits into from

Conversation

@mateczagany
Copy link
Contributor

@mateczagany mateczagany commented Jan 22, 2026

What is the purpose of the change

As described in this ML thread, the SSL endpoint verification configuration is not working as expected. This was mitigated in #27407 but the change in that PR enables endpoint verification for internal communication as well.

This PR will address that according to the ML thread, and only REST client will use hostname verification using the new configuration.

Brief change log

  • Remove configuration security.ssl.verify-hostname which is not used in any recent released Flink version
  • Add security.ssl.rest.verify-hostname which will only add hostname verification for REST connections
  • Add test cases

Verifying this change

  • By adding new tests with the already existing certificates found in the test suite

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): no
  • The public API, i.e., is any changed class annotated with @Public(Evolving): no
  • The serializers: no
  • The runtime per-record code paths (performance sensitive): no
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
  • The S3 file system connector: no

Documentation

  • Does this pull request introduce a new feature? yes
  • If yes, how is the feature documented? Updated documentation

@flinkbot
Copy link
Collaborator

flinkbot commented Jan 22, 2026
edited
Loading

CI report:

Bot commands The @flinkbot bot supports the following commands:
  • @flinkbot run azure re-run the last Azure build

davidradl
davidradl reviewed Jan 22, 2026
View reviewed changes
flink-core/src/main/java/org/apache/flink/configuration/SecurityOptions.java

/** Flag to enable/disable hostname verification for the ssl connections. */
@Documentation.Section(Documentation.Sections.SECURITY_SSL)
public static final ConfigOption<Boolean> SSL_VERIFY_HOSTNAME =
Copy link
Contributor

@davidradl davidradl Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not think we should remove options. We should deprecate the old option and still allow it to work and have the documentation reference the new option as the preferred way of now doing things. Otherwise we get a failure when adopting this code.

Copy link
Contributor Author

@mateczagany mateczagany Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for reviewing this PR, I've tried to explain this as best as I could in the description of the PR. This configuration was not used before the mentioned PR merged yesterday. However in the ML discussion it's clear that the implementation in that PR is wrong, and we should not have hostname verification for internal communication.

There will be a migration guide probably in the release blog post that this configuration was not working properly in any other recent release, and that users should use the new configuration.

Copy link
Contributor Author

@mateczagany mateczagany Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you prefer to have it marked as deprecated, we can do that, but overall this configuration should have no effect to stay consistent with previous Flink releases.

We can note in the description that the user should use the new configuration option to have hostname verification for external connections.

Copy link
Contributor Author

@mateczagany mateczagany Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have re-added the old configuration as deprecated, and hidden from the docs.

@github-actions github-actions bot added the community-reviewed PR has been reviewed by the community. label Jan 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@davidradl davidradl davidradl left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

community-reviewed PR has been reviewed by the community.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mateczagany @flinkbot @davidradl