Andy LoPresto created NIFI-1981:
-----------------------------------
Summary: Cluster communication requires client certificates even if needClientAuth set to false
Key: NIFI-1981
URL: https://issues.apache.org/jira/browse/NIFI-1981
Project: Apache NiFi
Issue Type: Bug
Components: Core Framework
Affects Versions: 0.6.1
Reporter: Andy LoPresto
Assignee: Andy LoPresto
Priority: Critical
Fix For: 1.0.0, 0.7.0
A user reported having issues with "peer not authenticated" errors appearing in
the NCM app log when a node tried to connect. Upon debugging, it was discovered
that the certificates issued to the client specifically prohibited being used
as a client certificate ({{Extended Key Usage}} was set to {{serverAuth}}
only). Setting {{nifi.security.needClientAuth}} to {{false}} in
{{nifi.properties}} did not solve the problem because while the TLS handshake
negotiation is successful without the client certificate, cluster communication
in {{SocketProtocolListener}} still attempts to resolve the DN of the node
requestor regardless of the {{needClientAuth}} setting.

The error message should be improved and the requestor DN extraction should
respect the {{needClientAuth}} setting rather than throwing an unnecessary
exception.
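The behaviour requested in the issue, as an added example that is not NiFi's code and not part of the original report: JSSE's `SSLSession.getPeerCertificates()` throws `SSLPeerUnverifiedException` ("peer not authenticated") when the peer sent no certificate, so the DN lookup below only treats that as an error when client authentication is required, and a separate check reports whether a certificate's Extended Key Usage allows it to be used as a client certificate. The class name `PeerDnResolver`, its method names and the certificate path argument are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

// Added illustration; PeerDnResolver and its methods are hypothetical names, not NiFi classes.
public final class PeerDnResolver {
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    private static final String EKU_ANY = "2.5.29.37.0";               // anyExtendedKeyUsage

    /** True if the certificate may be presented as a TLS client certificate. */
    static boolean permitsClientAuth(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage();
        // No EKU extension at all means the usage is unrestricted.
        return eku == null || eku.contains(EKU_CLIENT_AUTH) || eku.contains(EKU_ANY);
    }

    /** Returns the peer DN, or empty when no client certificate was sent and none is required. */
    static Optional<String> requestorDn(SSLSocket socket, boolean needClientAuth)
            throws SSLPeerUnverifiedException {
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            return Optional.of(leaf.getSubjectX500Principal().getName());
        } catch (SSLPeerUnverifiedException e) {
            if (!needClientAuth) {
                return Optional.empty(); // unauthenticated peer is acceptable in this mode
            }
            throw new SSLPeerUnverifiedException("Peer " + socket.getInetAddress()
                    + " presented no client certificate but needClientAuth is true;"
                    + " check that its certificate's Extended Key Usage allows clientAuth");
        }
    }

    /** Usage: java PeerDnResolver.java node-cert.pem (path supplied by the operator). */
    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println(cert.getSubjectX500Principal().getName()
                    + " permitsClientAuth=" + permitsClientAuth(cert));
        }
    }
}
```

An empty result means the peer is unauthenticated, so callers must not apply any DN-based authorization decision to that connection.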