[ https://issues.apache.org/jira/browse/MINIFI-552?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rene Weidlinger updated MINIFI-552:
-----------------------------------
    Description: 
Jetty tries to resolve the SAN Name for Clients connecting, but the behaviour 
of the constructor changed as seen here: 
[https://github.com/eclipse/jetty.project/pull/3480]
Linked: [https://github.com/eclipse/jetty.project/issues/3466]

Linked: [https://github.com/eclipse/jetty.project/issues/3454]

Linked: [apache/nifi-minifi#169|https://github.com/apache/nifi-minifi/pull/169]
This leads to MiNiFis not being able to connect to C2 even with correct certs, and to this 
error:
{code:java}
2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] 
org.eclipse.jetty.io.AbstractEndPoint 
close(javax.net.ssl.SSLHandshakeException: No subject alternative names 
matching IP address 10.172.220.28 found) 
DecryptedEndPoint@3663382d{l=0.0.0.0/0.0.0.0:10081,r=null,CLOSED,fill=-,flush=-,to=13/30000}
2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] 
org.eclipse.jetty.server.HttpConnection
javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP 
address 10.172.220.28 found
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
        at 
sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:700)
        at 
sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411)
        at 
sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at 
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
        at 
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:955)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:902)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:639)
        at 
org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:342)
        at 
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
        at 
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
        at 
org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
        at 
org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
        at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
        at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
        at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
        at 
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No subject alternative 
names matching IP address 10.172.220.28 found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:179)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:100)
        at 
sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457)
        at 
sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431)
        at 
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
        at 
sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:135)
        at 
sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682)
        ... 26 common frames omitted
{code}
Proposed Fix for Minifi-C2 [https://github.com/mattyb149/nifi/pull/17]

  was:
Jetty tries to resolve the SAN Name for Clients connecting, but the behaviour 
of the constructor changed as seen here: 
[https://github.com/eclipse/jetty.project/pull/3480]
Linked: [https://github.com/eclipse/jetty.project/issues/3466]

Linked: [https://github.com/eclipse/jetty.project/issues/3454]

Linked: [apache/nifi-minifi#169|https://github.com/apache/nifi-minifi/pull/169]
This leads to MiNiFis not being able to connect to C2 even with correct certs, and to this 
error:
{code:java}
2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] 
org.eclipse.jetty.io.AbstractEndPoint 
close(javax.net.ssl.SSLHandshakeException: No subject alternative names 
matching IP address 10.172.220.28 found) 
DecryptedEndPoint@3663382d{l=0.0.0.0/0.0.0.0:10081,r=null,CLOSED,fill=-,flush=-,to=13/30000}
2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] 
org.eclipse.jetty.server.HttpConnection
javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP 
address 10.172.220.28 found
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
        at 
sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:700)
        at 
sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411)
        at 
sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at 
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
        at 
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:955)
        at java.security.AccessController.doPrivileged(Native Method)
        at 
sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:902)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:639)
        at 
org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:342)
        at 
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
        at 
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
        at 
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
        at 
org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
        at 
org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
        at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
        at 
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
        at 
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
        at 
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
        at 
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No subject alternative 
names matching IP address 10.172.220.28 found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:179)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:100)
        at 
sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457)
        at 
sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431)
        at 
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
        at 
sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:135)
        at 
sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682)
        ... 26 common frames omitted
{code}
Proposed Fix for Minifi [https://github.com/mattyb149/nifi/pull/17]


> Fix new SSL SAN Behaviour from new Jetty Version in C2 Server
> -------------------------------------------------------------
>
>                 Key: MINIFI-552
>                 URL: https://issues.apache.org/jira/browse/MINIFI-552
>             Project: Apache NiFi MiNiFi
>          Issue Type: Bug
>    Affects Versions: 0.6.0
>            Reporter: Rene Weidlinger
>            Priority: Critical
>
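The trace above ends in `X509TrustManagerImpl.checkIdentity` → `HostnameChecker.matchIP` inside `checkClientTrusted`: the server is applying endpoint identification to the *client's* certificate, and rejects it because the certificate has no IP-type SAN equal to the peer address. The following Python script is an added example for this page and is not code from MiNiFi, the C2 server, Jetty or the linked pull request. It extracts these rejections from Jetty DEBUG output (the sample log lines are constructed from the trace in the issue, re-joined onto single lines as Jetty emits them, plus one constructed second agent and one unrelated line), and approximates the `matchIP` comparison with the standard library so an agent certificate's SAN list can be checked against its source address before deployment. The `(type, value)` tuple form of the SAN list, the function names and the sample addresses are assumptions of this example.

```python
"""Triage helper for the Jetty client-certificate SAN rejection in MINIFI-552.
Added example for this issue page; not code from MiNiFi, C2 or Jetty.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log: the DEBUG lines from the issue re-joined onto single lines,
# plus a constructed second agent (10.172.220.29) and one unrelated DEBUG line.
SAMPLE_LOG = """\
2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] org.eclipse.jetty.io.AbstractEndPoint close(javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.172.220.28 found) DecryptedEndPoint@3663382d{l=0.0.0.0/0.0.0.0:10081,r=null,CLOSED,fill=-,flush=-,to=13/30000}
2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] org.eclipse.jetty.server.HttpConnection
javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.172.220.28 found
2021-04-07 08:27:02,115 DEBUG [qtp1095293768-21] org.eclipse.jetty.io.AbstractEndPoint close(javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.172.220.29 found) DecryptedEndPoint@1a2b3c4d{l=0.0.0.0/0.0.0.0:10081,r=null,CLOSED,fill=-,flush=-,to=9/30000}
2021-04-07 08:27:10,000 DEBUG [qtp1095293768-22] org.eclipse.jetty.server.HttpConnection some unrelated line
"""

# A timestamped Jetty DEBUG line carrying the rejection message. The listening
# socket ("l=...") only appears on the AbstractEndPoint close(...) line, so it is optional.
SAN_IP_FAILURE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+) DEBUG \[(?P<thread>[^\]]+)\] .*?"
    r"No subject alternative names matching IP address (?P<ip>[0-9A-Fa-f.:]+) found"
    r"(?:.*?\{l=(?P<listener>[^,}]+))?"
)


def find_san_ip_failures(log_text):
    """One record per log line in which Jetty rejected a client certificate
    because it carried no IP SAN for the connecting address."""
    failures = []
    for line in log_text.splitlines():
        m = SAN_IP_FAILURE.match(line)
        if m:
            failures.append({
                "ts": m.group("ts"),
                "thread": m.group("thread"),
                "ip": m.group("ip"),
                "listener": m.group("listener"),  # None on the exception-only line
            })
    return failures


def rejected_peers(failures):
    """Rejections per client IP: which agents cannot reach C2 at all."""
    return dict(Counter(f["ip"] for f in failures))


def ip_san_matches(san_entries, peer_ip):
    """Approximation of the JDK's HostnameChecker.matchIP (the frame in the trace):
    only IP-type SAN entries count, compared as parsed addresses so textual variants
    of one IPv6 address match; DNS entries never satisfy an IP identity check, which
    is why a certificate issued to a hostname alone is rejected here."""
    peer = ipaddress.ip_address(peer_ip)
    for kind, value in san_entries:
        if kind != "IP":
            continue
        try:
            if ipaddress.ip_address(value) == peer:
                return True
        except ValueError:
            continue  # malformed IP SAN: treated as a non-match
    return False


def diagnose(san_entries, peer_ip):
    """Explain, for one agent certificate and its source address, whether the
    server-side identity check passes and what is missing if it does not."""
    if ip_san_matches(san_entries, peer_ip):
        return f"ok: certificate carries an IP SAN for {peer_ip}"
    present = ", ".join(f"{k}:{v}" for k, v in san_entries) or "none"
    return (f"reject: no IP SAN for {peer_ip} (SANs present: {present}); "
            f"either issue the client certificate with IP:{peer_ip} or stop applying "
            f"endpoint identification to client certificates on the server")


if __name__ == "__main__":
    hits = find_san_ip_failures(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(rejected_peers(hits))
    agent_sans = [("DNS", "minifi-01.example.internal")]  # constructed SAN list
    print(diagnose(agent_sans, "10.172.220.28"))
    print(diagnose(agent_sans + [("IP", "10.172.220.28")], "10.172.220.28"))
```

Run it against a real Jetty DEBUG log to list every agent address the C2 server turned away; the `diagnose` output states the two ways out that the trace implies: give each agent a certificate whose SANs include its IP, or configure the server so that endpoint identification is not applied to client certificates (the setting the linked Jetty issues and the proposed fix concern).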



--
This message was sent by Atlassian Jira
(v8.3.4#803005)