[
https://issues.apache.org/jira/browse/NIFI-1478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15217440#comment-15217440
]
Andy LoPresto commented on NIFI-1478:
-------------------------------------
I configured a default NiFi 0.6.0 instance with a server certificate and
enabled HTTPS in {{nifi.properties}} and ran a preliminary evaluation of the
TLS configuration [1] using cipherscan [2].

High priority issues:
* Weak DHE parameters
* Server-side enforcement of cipher suite ordering
* Cipher suite ordering

Intermediate priority issues:
* Legacy cipher suites available (necessary for compatibility maximization)
* TLSv1 and TLSv1.1 supported (necessary for compatibility maximization)
* OCSP stapling not enabled

Low priority issues:
* Self-signed certificate (not a NiFi problem and only used in dev environment
  for this scan)

I am going to work to allow NiFi to be quickly admin-configurable to one of the
Mozilla recommended levels [3] (i.e. {{old}}, {{intermediate}}, and {{modern}})
along with a custom level, in conjunction with [NIFI-1480] to ensure the SSL
settings for processors/controller services connecting to external endpoints
can be configured independently from the NiFi server behavior.

[1] https://gist.github.com/alopresto/ff9bbe693b0e7043a7c468bb2ca5adfa
[2] https://github.com/jvehent/cipherscan
[3] https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

> Audit SSLContextFactory and SSLSocketFactory usage throughout application
> -------------------------------------------------------------------------
>
> Key: NIFI-1478
> URL: https://issues.apache.org/jira/browse/NIFI-1478
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 0.5.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Critical
> Labels: certificate, security, tls
> Original Estimate: 336h
> Remaining Estimate: 336h
>
> The internal use of {{SSLSocketFactory}} and {{SSLContextFactory}} is
> inconsistent, as the application has grown around the concept of secure
> communications. NiFi can act as both a server and as a client for
> communications, and the default configuration should make it easy for new
> users to quickly secure the application for incoming and outgoing
> connections.
> In addition, {{SSLSocketFactory}} has some inconsistencies and idiosyncrasies
> which may confuse users [1].
> [1] http://stackoverflow.com/a/23365536/70465
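
The following is an added example, not part of the comment above and not NiFi code: a sketch of how the three high-priority findings (DHE size, server-side ordering, suite order) and the protocol findings map onto standard JSSE settings for a named level. The class name, the {{forLevel}} helper and the abbreviated suite list are hypothetical; the list is illustrative and is not Mozilla's published list for any level.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical helper for illustration; not part of NiFi.
public class TlsLevelExample {
    // Illustrative, abbreviated preference order (strongest first).
    static final List<String> PREFERRED = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA"); // legacy suite, offered at "old" only

    static SSLParameters forLevel(SSLContext ctx, String level) {
        SSLParameters supported = ctx.getSupportedSSLParameters();
        // "modern" drops TLSv1 and TLSv1.1; the other levels keep them for compatibility.
        List<String> protocols = new ArrayList<>("modern".equals(level)
                ? Arrays.asList("TLSv1.2")
                : Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1"));
        protocols.retainAll(Arrays.asList(supported.getProtocols()));

        // Keep the preference order, skipping suites this JVM cannot provide.
        List<String> available = Arrays.asList(supported.getCipherSuites());
        List<String> suites = new ArrayList<>();
        for (String suite : PREFERRED) {
            boolean legacy = suite.startsWith("TLS_RSA_");
            if ((!legacy || "old".equals(level)) && available.contains(suite)) {
                suites.add(suite);
            }
        }
        SSLParameters params = new SSLParameters(
                suites.toArray(new String[0]), protocols.toArray(new String[0]));
        // Server-side enforcement: the server's order wins over the client's.
        params.setUseCipherSuitesOrder(true);
        return params;
    }

    public static void main(String[] args) throws Exception {
        // JSSE system property for ephemeral DH size; set before any TLS handshake.
        System.setProperty("jdk.tls.ephemeralDHKeySize", "2048");
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key and trust material, demo only
        for (String level : Arrays.asList("old", "intermediate", "modern")) {
            SSLParameters p = forLevel(ctx, level);
            System.out.println(level + ": " + Arrays.toString(p.getProtocols())
                    + " " + Arrays.toString(p.getCipherSuites()));
        }
    }
}
```

The returned {{SSLParameters}} would be applied to a server socket or engine with {{setSSLParameters}}; re-running cipherscan against the listener confirms the order and protocol set actually offered.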