Matt, I think the issue isn't going through the REST API. It's that nodes of a cluster can connect to the cluster, whether or not their certificate has been revoked. In other words, not a rogue random client, but a rogue NiFi node...
Brandon

On Mon, Dec 19, 2016 at 11:22 AM Matt Gilman <[email protected]> wrote:

> Joe,
>
> If a server connects through the REST API it should be subject to the same checks as a regular user. Can you provide more details regarding the requests that aren't being checked correctly?
>
> Additionally, there was some discussion whether we need the additional checks in the first place as we may be able to leverage checks built into Java [1].
>
> Matt
>
> [1] https://issues.apache.org/jira/browse/NIFI-1364
>
> On Mon, Dec 19, 2016 at 10:57 AM, Joe Skora <[email protected]> wrote:
>
> > This could very soon be a show stopper for us.
> >
> > Does anyone have any thoughts that might help us get this straight?
> >
> > On Wed, Dec 14, 2016 at 2:23 PM, Joe Skora <[email protected]> wrote:
> >
> > > Running Apache NiFi 0.7.1, we see clients rejected due to OCSP revocation of their certificates but we think we are seeing instances where servers using OCSP revoked certificates are still able to connect to a cluster.
> > >
> > > Should OCSP revocation cause these servers to be rejected by the cluster?
> > >
> > > Could this be a configuration problem even though the revoked clients certificates are rejected?
> > >
> > > Thanks,
> > > Joe
