Matt,

It's not clients we are concerned with, but cluster servers.

The test process used Java 1.8.0_65 and NiFi 0.7.1 to do the following. 1. Configure a cluster with valid certificates for each node, 2. revoke one node's certificate, 3. restart the cluster, 4. confirm with keytool that the node is invalid, and 5. test whether the node can still join the cluster.

The expectation was that in #5 the node would not be able to join the cluster, but it could.

Whether the OCSP check should be handled by NiFi or Java, it doesn't appear to be happening.

Thanks,
Joe

On Mon, Dec 19, 2016 at 11:22 AM, Matt Gilman <[email protected]> wrote:

> Joe,
>
> If a server connects through the REST API it should be subject to the same
> checks as a regular user. Can you provide more details regarding the
> requests that aren't being checked correctly?
>
> Additionally, there was some discussion whether we need the additional
> checks in the first place as we may be able to leverage checks built into
> Java [1].
>
> Matt
>
> [1] https://issues.apache.org/jira/browse/NIFI-1364
>
> On Mon, Dec 19, 2016 at 10:57 AM, Joe Skora <[email protected]> wrote:
>
> > This could very soon be a show stopper for us.
> >
> > Does anyone have any thoughts that might help us get this straight?
> >
> > On Wed, Dec 14, 2016 at 2:23 PM, Joe Skora <[email protected]> wrote:
> >
> > > Running Apache NiFi 0.7.1, we see clients rejected due to OCSP revocation
> > > of their certificates but we think we are seeing instances where servers
> > > using OCSP revoked certificates are still able to connect to a cluster.
> > >
> > > Should OCSP revocation cause these servers to be rejected by the cluster?
> > >
> > > Could this be a configuration problem even though the revoked clients'
> > > certificates are rejected?
> > >
> > > Thanks,
> > > Joe
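
The quoted reply mentions leveraging revocation checks built into Java. The following is an added example, not part of the original thread and not NiFi's own code, showing how a JSSE trust manager can be built with the JDK's PKIX revocation checker enabled. The class name `RevocationCheckingContext` and the JKS truststore path and password arguments are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; illustrates the JDK API only.
public class RevocationCheckingContext {

    // Builds an SSLContext whose trust manager rejects peers with revoked certificates.
    static SSLContext build(String truststorePath, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(truststorePath))) {
            trust.load(in, password);
        }

        // The JDK's PKIX revocation checker prefers OCSP and falls back to CRLs by default.
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) builder.getRevocationChecker();
        // No SOFT_FAIL option: an unreachable responder fails validation instead of passing it.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, new X509CertSelector());
        params.setRevocationEnabled(true);
        params.addCertPathChecker(checker);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));

        SSLContext ctx = SSLContext.getInstance("TLS");
        // Key managers are omitted (null) here; a real node would also supply its keystore.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = build(args[0], args[1].toCharArray());
        System.out.println("Revocation-checking context ready: " + ctx.getProtocol());
    }
}
```

On the accepting side, the trust manager only receives a peer certificate to validate when the server socket requests or requires client authentication, for example with `setNeedClientAuth(true)`.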
