[ https://issues.apache.org/jira/browse/NIFI-1907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15293331#comment-15293331 ]

Bryan Bende commented on NIFI-1907:
-----------------------------------

Something important to consider is that the SSLContext should be created as 
late as possible due to the fact that it is not serializable, and many of the 
uses of the SiteToSiteClient are from within stream processing frameworks which 
serialize objects to pass them to the nodes in the cluster.

I believe the solution that would work is to move the code currently in 
SiteToSiteClient.Builder.getSSLContext() to 
StandardSiteToSiteClientConfig.getSSLContext() so that the context will get 
created (if needed) when SocketClient is constructed. As long as the stream 
processing components don't create the actual client until running on the nodes 
in the cluster, then this will work.

> SiteToSiteClient not properly using keystore and truststore properties
> ----------------------------------------------------------------------
>
>                 Key: NIFI-1907
>                 URL: https://issues.apache.org/jira/browse/NIFI-1907
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 0.6.1
>            Reporter: Bryan Bende
>            Assignee: Bryan Bende
>             Fix For: 0.7.0
>
>
> SiteToSiteClient.Builder allows setting an SSLContext or setting all of the 
> individual SSL properties; it then has a method getSSLContext() which says 
> that if the sslContext is null return that, otherwise use the properties to 
> create one:
> https://github.com/apache/nifi/blob/e4b7e47836edf47042973e604005058c28eed23b/nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/SiteToSiteClient.java#L575
> The problem is this getSSLContext() is never called. When the builder's 
> build() method is called, it passes the builder to 
> StandardSiteToSiteClientConfig and just assigns all the member variables with 
> direct access:
> https://github.com/apache/nifi/blob/e4b7e47836edf47042973e604005058c28eed23b/nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/SiteToSiteClient.java#L722
> Later on in SocketClient it will call SiteToSiteClient.getSSLContext():
> https://github.com/apache/nifi/blob/e4b7e47836edf47042973e604005058c28eed23b/nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/socket/SocketClient.java#L52
> This will still be null here if only the SSL properties were initially 
> specified on the builder, and therefore won't end up creating an Https 
> connection and thus failing.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
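
An added Java sketch of the approach discussed in the comment above (not NiFi's code; `LazySslConfig` and its fields are hypothetical names, and the empty PKCS12 truststore is constructed for the demo). The serializable config carries only the truststore properties and builds the SSLContext on first use, after it has been deserialized on the worker:

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import javax.net.ssl.*;

// Hypothetical stand-in for a serializable client config; not NiFi's class.
public class LazySslConfig implements Serializable {
    private final String truststorePath;      // plain strings serialize fine
    private final String truststorePass;
    private transient SSLContext sslContext;  // never serialized; rebuilt where it is used

    LazySslConfig(String path, String pass) { truststorePath = path; truststorePass = pass; }

    // Built on first call, i.e. on the node that actually opens the connection.
    synchronized SSLContext getSSLContext() throws Exception {
        if (sslContext == null && truststorePath != null) {
            KeyStore ts = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(Paths.get(truststorePath))) {
                ts.load(in, truststorePass.toCharArray());
            }
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            sslContext = ctx;
        }
        return sslContext; // null only when no SSL properties were configured
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an empty PKCS12 truststore in a temp file.
        Path p = Files.createTempFile("trust", ".p12");
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        try (OutputStream out = Files.newOutputStream(p)) { empty.store(out, "changeit".toCharArray()); }

        LazySslConfig driverSide = new LazySslConfig(p.toString(), "changeit");
        // Simulate a stream processing framework shipping the config to a worker node.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) { oos.writeObject(driverSide); }
        LazySslConfig workerSide;
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            workerSide = (LazySslConfig) ois.readObject();
        }
        System.out.println("context before first use: " + workerSide.sslContext);
        System.out.println("protocol after first use: " + workerSide.getSSLContext().getProtocol());
        Files.delete(p);
    }
}
```

A caller that receives `null` from `getSSLContext()` when it expected TLS should refuse to connect rather than fall back to a plaintext connection.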
