GitHub user alopresto opened a pull request:
https://github.com/apache/nifi/pull/508
NIFI-1981 Cluster communication without client certificate
This PR resolves an issue where cluster communications were failing when
the node sent a heartbeat without a client certificate chain because
`nifi.security.needClientAuth` was set to false on the NCM. Even though the TLS
negotiation did not require or expect a client certificate and the handshake
was successful, the NiFi code in `SocketProtocolListener` immediately attempted
to determine the incoming node's DN from the certificate, which was missing,
and thus `SSLSocketImpl` threw an `SSLPeerNotVerifiedException` saying "peer
not authenticated".
With this patch, the NCM will now respect the `needClientAuth` setting when
attempting to extract the node DN.
This PR is targeted to the `0.x` branch as this is where the issue was
discovered and does not merge cleanly with the `master` branch. These changes
will need to be selectively merged to the `master` branch.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/alopresto/nifi NIFI-1981
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/nifi/pull/508.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #508
----
commit 2c463d13cf9d25ab4af283abb00a88942b2d2f12
Author: Andy LoPresto <[email protected]>
Date: 2016-06-07T23:19:02Z
NIFI-1981 Added ClientAuth enum and CertificateUtil methods to extract this
setting from an SSLSocket.
Added logic to compare X509Certificate DNs regardless of RDN element order.
Added logic to suppress peer certificate exceptions when client
authentication is not required.
commit ace35a23e1b13519b38cdd41839af11f32e4b9d2
Author: Andy LoPresto <[email protected]>
Date: 2016-06-08T00:01:37Z
NIFI-1981 Added test scope dependency on BouncyCastle and BC PKIX modules
for CertificateUtils tests.
commit b50f473d1a65376c8f501b306f3aa0de9c34a81c
Author: Andy LoPresto <[email protected]>
Date: 2016-06-08T00:02:47Z
NIFI-1981 Finished logic to suppress exception on missing client
certificates when clientAuth is set to WANT.
Added unit tests for CertificateUtil methods.
commit 4c3b17418b1740182617753865aaf7fd71a28f9b
Author: Andy LoPresto <[email protected]>
Date: 2016-06-08T00:39:01Z
NIFI-1981 Lowered logging level of client auth setting on cluster
connection receive.
commit 42ddc78933c64d14ca991f99f8ca2b7c7840488b
Author: Andy LoPresto <[email protected]>
Date: 2016-06-08T01:15:12Z
NIFI-1981 Fixed IDE setting for import wildcarding on Groovy files.
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
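The mechanism the PR describes (derive the effective client-auth mode from the negotiated `SSLSocket`, only treat a missing peer certificate as an error when client auth is required, and compare node DNs without depending on RDN order) can be sketched in a few methods. The block below is an added illustration written for this page, not code from the NiFi PR or from `CertificateUtils`/`SocketProtocolListener`; the class and method names are my own, and the exception is the JSSE class `javax.net.ssl.SSLPeerUnverifiedException`, which is what `SSLSession.getPeerCertificates()` actually throws.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

/** Illustrative helper (hypothetical name), not the NiFi project's own code. */
public final class ClusterPeerIdentity {

    /** The three client-authentication states a JSSE server-side socket can be in. */
    public enum ClientAuth { NONE, WANT, REQUIRED }

    /** Derive the effective client-auth mode from the socket the handshake ran on. */
    public static ClientAuth getClientAuth(SSLSocket socket) {
        if (socket.getNeedClientAuth()) {
            return ClientAuth.REQUIRED;
        }
        return socket.getWantClientAuth() ? ClientAuth.WANT : ClientAuth.NONE;
    }

    /**
     * Return the peer's subject DN (RFC 2253 form), or null when the peer sent no
     * certificate and the socket did not require one. Only when client auth is
     * REQUIRED is a missing or unverified peer certificate an error; with NONE or
     * WANT a successful handshake without a client chain is legitimate.
     */
    public static String extractPeerDn(SSLSocket socket) throws SSLPeerUnverifiedException {
        ClientAuth clientAuth = getClientAuth(socket);
        SSLSession session = socket.getSession();
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                throw new SSLPeerUnverifiedException("peer chain is empty or not X.509");
            }
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        } catch (SSLPeerUnverifiedException e) {
            if (clientAuth == ClientAuth.REQUIRED) {
                throw e;   // a required client certificate is genuinely missing
            }
            return null;   // no certificate expected; caller must not assume cert-based identity
        }
    }

    /**
     * Compare two DNs as sets of RDNs, so "CN=node1, OU=NiFi, O=Apache" equals
     * "O=Apache, OU=NiFi, CN=node1". Rdn.equals/hashCode normalise attribute types
     * and values, so this is insensitive to case and whitespace differences too.
     */
    public static boolean dnsEqual(String dn1, String dn2) {
        try {
            Set<Rdn> a = new HashSet<>(new LdapName(dn1).getRdns());
            Set<Rdn> b = new HashSet<>(new LdapName(dn2).getRdns());
            return a.equals(b);
        } catch (InvalidNameException e) {
            return false;   // malformed DN never matches
        }
    }
}
```

Two practitioner notes. First, a null return from `extractPeerDn` means the node was not authenticated by certificate at all; under `needClientAuth=false` the NCM has no certificate-derived identity for the heartbeat sender, so anything that relies on the node DN (authorization, trusting the reported node ID) must tolerate that or the deployment should require client auth. Second, the RDN-set comparison accepts two DNs that differ only in RDN order, which is exactly the mismatch that arises when one side builds the DN from a keystore and the other from a configured string; it does not, and should not, make `CN=a, OU=b` equal to `CN=a, OU=c`.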