[ https://issues.apache.org/jira/browse/NIFI-1354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15084018#comment-15084018 ]

Andy LoPresto commented on NIFI-1354:
-------------------------------------

To debug this issue, a couple of useful tips:

* {{$ openssl s_client -connect localhost:8443 -debug}} will allow a command 
line interaction with the TLS server. This is useful to see certificates, 
chains, and negotiated cipher suites.
* {{-Djavax.net.debug=ssl,handshake}} in the {{java}} invocation will output 
information about the SSL handshake performed by Java code. In IntelliJ, you 
can add this to the "VM Options" field in the "Run/Debug Configurations" 
dialog.


> InvokeHTTP test certificates have expired
> -----------------------------------------
>
>                 Key: NIFI-1354
>                 URL: https://issues.apache.org/jira/browse/NIFI-1354
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 0.4.0, 0.4.1
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>              Labels: certificate, security, test
>             Fix For: 0.5.0
>
>
> [~JDP10101] was working to upgrade a library dependency 
> (com.squareup.okhttp.okhttp:2.5.0 to 2.6.0). During this attempt, the 
> TestInvokeHttpSSL tests began failing. With the help of a Square engineer[1], 
> it was determined that the TLS cipher suite in use during tests against Jetty 
> server was restricted to only `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`. This is an 
> obsolete cipher suite and it was deprecated in OkHttp:2.6.0. 
> While there is a workaround (code below) to override the OkHttp connector to 
> use this obsolete cipher suite, the real issue was that Jetty should not be 
> restricted to allowing that single cipher suite for incoming connections. 
> Further investigation revealed that the test keystore[2] and truststore[3] in 
> use did not have any valid RSA or DSA keys. Because of this, Jetty could not 
> rely on any RSA/DSA-dependent cipher suites, and the removal of 
> `TLS_DHE_DSS_WITH_AES_128_CBC_SHA` in the client library meant that no 
> compatible cipher suites were available. 
> The DSA key issued under alias `mykey` in the keystore expired in 2014. I 
> will temporarily add a new key (valid for 1 year) into the keystore and 
> truststore and commit. I will raise another Jira to allow for dynamic 
> code-generated keys to avoid this problem in the future. 
> [1] 
> http://stackoverflow.com/questions/34498023/okhttp-upgrading-from-2-5-to-2-6-breaks-https-tests?noredirect=1#comment56840249_34498023
> [2] 
> https://github.com/alopresto/nifi/blob/aa99884782e54c54ee138f5609b3be84628e96f9/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/localhost-ks.jks
> [3] 
> https://github.com/alopresto/nifi/blob/aa99884782e54c54ee138f5609b3be84628e96f9/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/localhost-ts.jks



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
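The root cause described in the issue (the only key in the test keystore was an expired DSA key, so Jetty had no valid RSA/DSA certificate to authenticate with and the single remaining suite was `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`) is the kind of thing a small keystore audit catches before a client upgrade does. The Java program below is an added example written for this page; it is not NiFi code and does not come from the issue. It assumes a keystore path, store password and optional store type are passed on the command line (names are illustrative), and its cipher-suite filter is a heuristic based on the authentication algorithm encoded in each suite name, not a substitute for an actual handshake.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

/**
 * Hypothetical audit tool (example code, not part of NiFi): lists every entry in a
 * JKS/PKCS12 store, reports expired or not-yet-valid certificates, and then shows
 * which of the JVM's cipher suites a server could still authenticate with given the
 * key algorithms that remain valid.
 */
public class KeystoreAudit {

    /**
     * Walks the store and returns the public-key algorithms (RSA, DSA, EC) of the
     * entries whose certificate is valid right now. With keyEntriesOnly=true only
     * private-key entries count, which is what matters for a server keystore.
     */
    static Set<String> validKeyAlgorithms(KeyStore ks, boolean keyEntriesOnly) throws Exception {
        Set<String> usable = new LinkedHashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // secret-key entries or non-X.509 material: nothing to check here
            }
            X509Certificate x = (X509Certificate) cert;
            String alg = x.getPublicKey().getAlgorithm();
            String kind = ks.isKeyEntry(alias) ? "private key" : "trusted cert";
            try {
                x.checkValidity(); // throws if now is outside [notBefore, notAfter]
                System.out.printf("%-16s %-12s %-4s valid until %s%n", alias, kind, alg, x.getNotAfter());
                if (!keyEntriesOnly || ks.isKeyEntry(alias)) {
                    usable.add(alg);
                }
            } catch (CertificateExpiredException e) {
                System.out.printf("%-16s %-12s %-4s EXPIRED on %s%n", alias, kind, alg, x.getNotAfter());
            } catch (CertificateNotYetValidException e) {
                System.out.printf("%-16s %-12s %-4s NOT YET VALID until %s%n", alias, kind, alg, x.getNotBefore());
            }
        }
        return usable;
    }

    /**
     * Heuristic mapping from a cipher suite name to the certificate key type a server
     * needs in order to offer it. TLS 1.3 suites carry no authentication algorithm in
     * their name and work with any certificate type.
     */
    static boolean suiteUsable(String suite, Set<String> validAlgs) {
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) return true;
        if (suite.contains("_anon_")) return false;          // no server authentication at all
        if (suite.contains("_ECDH_")) return validAlgs.contains("EC");   // static ECDH needs an EC key
        if (suite.contains("_ECDSA_")) return validAlgs.contains("EC");
        if (suite.contains("_DSS_")) return validAlgs.contains("DSA");   // e.g. TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        if (suite.contains("_RSA_")) return validAlgs.contains("RSA");
        return false; // PSK, SRP, Kerberos, SCSV pseudo-suites: not certificate-based
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreAudit <store-path> <store-password> [JKS|PKCS12]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : "JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }

        Set<String> algs = validKeyAlgorithms(ks, true);
        System.out.println("\nValid private-key algorithms: " + (algs.isEmpty() ? "NONE" : algs));

        // Same list the JVM would offer Jetty; filter it by what this store can authenticate.
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        int offered = 0;
        for (String suite : supported) {
            if (suiteUsable(suite, algs)) {
                System.out.println("  can offer: " + suite);
                offered++;
            }
        }
        if (offered == 0) {
            System.out.println("WARNING: no certificate-based cipher suite can be offered from this store");
            System.exit(1);
        }
    }
}
```

Run it against a server keystore with `java KeystoreAudit localhost-ks.jks <password>`; a non-zero exit when nothing remains is convenient for a build-time check. The suite filter is deliberately coarse: a real handshake also depends on the negotiated protocol version, the client's offered suites and Jetty's own include/exclude lists, which is where `openssl s_client` and `-Djavax.net.debug=ssl,handshake` from the comment above take over.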
