This indicates that the openssl connection does not trust the server because the server’s certificate was self-signed. You can remedy this in the command by including “-CAfile <path/to/server.pem>” when you invoke it. This will use the public key of the server as the “CA” key and allow openssl to trust that certificate. If this command then results in “0”, the handshake negotiation is successful.
At that point, ensure you have imported each server public key certificate (“server.der”) into the other server's truststore so that each NiFi instance can verify the certificate presented by the other during site-to-site communication. This would be easier if you were using a CA to sign the certificates instead of self-signing, as you only need to import the CA public key into all truststores (and could effectively use the same truststore file for all nodes).

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Jul 17, 2016, at 8:21 PM, Vinay <[email protected]> wrote:
>
> Andy,
>
> When I ran the command as suggested I get below for Verify Return Code
>
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>     Session-ID: 57898563A942ADD1A8F3AB420FED9C68D38C05B9457CEA0B82B57E2CE0DDAA9A
>     Session-ID-ctx:
>     Master-Key: 1432AS9BA2A69843B54D1FF7E8D872937A1CBA1D6F1C23AA7053161BF27DD8DB99DDCB5F6CC309C71E05C4A5413B2534F
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1468630371
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
>
> Regards,
> Vinay
>
> --
> View this message in context:
> http://apache-nifi-developer-list.39713.n7.nabble.com/NIFI-Secure-Access-Site-to-Site-tp12735p12844.html
> Sent from the Apache NiFi Developer List mailing list archive at Nabble.com.
signature.asc
Description: Message signed with OpenPGP using GPGMail
