[
https://issues.apache.org/jira/browse/NIFI-1981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15329640#comment-15329640
]
ASF GitHub Bot commented on NIFI-1981:
--------------------------------------
Github user mattyb149 commented on a diff in the pull request:
https://github.com/apache/nifi/pull/508#discussion_r66990173
--- Diff: nifi-commons/nifi-security-utils/pom.xml ---
@@ -30,6 +30,21 @@
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk15on</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk15on</artifactId>
--- End diff --
Missed this the first time, a duplicate definition of this artifact. Gives
the following warning upon build:
[WARNING] Some problems were encountered while building the effective model
for org.apache.nifi:nifi-security-utils:jar:1.0.0-SNAPSHOT
[WARNING] 'dependencies.dependency.(groupId:artifactId:type:classifier)'
must be unique: org.bouncycastle:bcpkix-jdk15on:jar -> duplicate declaration of
version (?) @ org.apache.nifi:nifi-security-utils:[unknown-version],
/Users/mburgess/git-apache/nifi/nifi-commons/nifi-security-utils/pom.xml, line
43, column 21
> Cluster communication requires client certificates even if needClientAuth set
> to false
> --------------------------------------------------------------------------------------
>
> Key: NIFI-1981
> URL: https://issues.apache.org/jira/browse/NIFI-1981
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 0.6.1
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Critical
> Labels: certificate, client-auth, cluster, ssl, tls
> Fix For: 1.0.0, 0.7.0
>
>
> A user reported having issues with "peer not authenticated" errors appearing
> in the NCM app log when a node tried to connect. Upon debugging, it was
> discovered that the certificates issues to the client specifically prohibited
> being used as a client certificate ({{Extended Key Usage}} was set to
> {{serverAuth}} only). Setting {{nifi.security.needClientAuth}} to {{false}}
> in {{nifi.properties}} did not solve the problem because while the TLS
> handshake negotiation is successful without the client certificate, cluster
> communication in {{SocketProtocolListener}} still attempts to resolve the DN
> of the node requestor regardless of the {{needClientAuth}} setting.
> The error message should be improved and the requestor DN extraction should
> respect the {{needClientAuth}} setting rather than throwing an unnecessary
> exception.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
