[ 
https://issues.apache.org/jira/browse/NIFI-1354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15086093#comment-15086093
 ] 

Aldrin Piri commented on NIFI-1354:
-----------------------------------

I applied the patch for the generated keystores as provided by [~alopresto] and 
additionally copied these over the other locations listed above.  Updated a 
test class that was reliant on the associated DN.  

These changes are available in a branch at 
https://github.com/apiri/incubator-nifi/commit/e34fae7db35fdc2d3da1653afde484e494a3663b

> InvokeHTTP test certificates have expired
> -----------------------------------------
>
>                 Key: NIFI-1354
>                 URL: https://issues.apache.org/jira/browse/NIFI-1354
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 0.4.0, 0.4.1
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>              Labels: certificate, security, test
>             Fix For: 0.5.0
>
>
> [~JDP10101] was working to upgrade a library dependency 
> (com.squareup.okhttp.okhttp:2.5.0 to 2.6.0). During this attempt, the 
> TestInvokeHttpSSL tests began failing. With the help of a Square engineer[1], 
> it was determined that the TLS cipher suite in use during tests against Jetty 
> server was restricted to only `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`. This is an 
> obsolete cipher suite and it was deprecated in OkHttp:2.6.0. 
>
> While there is a workaround (code below) to override the OkHttp connector to 
> use this obsolete cipher suite, the real issue was that Jetty should not be 
> restricted to allowing that single cipher suite for incoming connections. 
>
> Further investigation revealed that the test keystore[2] and truststore[3] in 
> use did not have any valid RSA or DSA keys. Because of this, Jetty could not 
> rely on any RSA/DSA-dependent cipher suites, and the removal of 
> `TLS_DHE_DSS_WITH_AES_128_CBC_SHA` in the client library meant that no 
> compatible cipher suites were available. 
>
> The DSA key issued under alias `mykey` in the keystore expired in 2014. I 
> will temporarily add a new key (valid for 1 year) into the keystore and 
> truststore and commit. I will raise another Jira to allow for dynamic 
> code-generated keys to avoid this problem in the future. 
>
> [1] http://stackoverflow.com/questions/34498023/okhttp-upgrading-from-2-5-to-2-6-breaks-https-tests?noredirect=1#comment56840249_34498023
> [2] https://github.com/alopresto/nifi/blob/aa99884782e54c54ee138f5609b3be84628e96f9/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/localhost-ks.jks
> [3] https://github.com/alopresto/nifi/blob/aa99884782e54c54ee138f5609b3be84628e96f9/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/localhost-ts.jks



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
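
A check of the kind the issue description points to, as an added example that is not part of the original message or of the NiFi code base: it lists every certificate in a JKS keystore or truststore with its key algorithm and validity window, and exits non-zero if any entry is expired, not yet valid, or close to expiry. The class name, the 30-day warning window and the command-line arguments are assumptions; the keystore password is not given on the page and must be supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

// Hypothetical helper class (not from NiFi): audits certificate validity in a JKS file.
public class KeystoreExpiryCheck {

    /** Prints one line per certificate and returns how many are outside a safe validity window. */
    static int audit(KeyStore ks, Instant now, Duration warn) throws Exception {
        int problems = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias); // leaf cert for key entries, the cert itself for trusted entries
            if (!(c instanceof X509Certificate)) {
                continue; // entries without an X.509 certificate have no validity period to check
            }
            X509Certificate x = (X509Certificate) c;
            Instant notBefore = x.getNotBefore().toInstant();
            Instant notAfter = x.getNotAfter().toInstant();
            String status;
            if (now.isAfter(notAfter)) status = "EXPIRED";
            else if (now.isBefore(notBefore)) status = "NOT YET VALID";
            else if (now.plus(warn).isAfter(notAfter)) status = "EXPIRES SOON";
            else status = "ok";
            if (!status.equals("ok")) problems++;
            // The key algorithm (RSA, DSA, EC) is reported because the cipher-suite
            // failure in the description traced back to which key types were still valid.
            System.out.printf("%-14s alias=%s type=%s keyAlg=%s notAfter=%s%n", status, alias,
                    ks.isKeyEntry(alias) ? "key" : "trusted", x.getPublicKey().getAlgorithm(), notAfter);
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreExpiryCheck <keystore.jks> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Assumed policy: warn 30 days ahead so a build flags the keystore before tests start failing.
        System.exit(audit(ks, Instant.now(), Duration.ofDays(30)) == 0 ? 0 : 1);
    }
}
```

Run against both `localhost-ks.jks` and `localhost-ts.jks`, it would flag the `mykey` DSA entry described above as `EXPIRED`.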
