Hi Andy,

Sorry - poor use of words (it was late when I wrote the email). When I said "client" certificate I meant the certificate for the NiFi server (no idea why I wrote "client").

I'm not trying to use certificate authentication yet - simply to get NiFi operating over TLS. When I test with OpenSSL, I get the same NiFi server log output as seen with a connection attempt from a browser.

On the cipher issue, when I use OpenSSL to connect using said certificate using httpd, it lists the successful cipher as one of those ignored by Jetty, albeit with fewer underscores in the onscreen output: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384

All machines involved are CentOS 7 - the only add-ons being Java 1.8 (current release) and NiFi 1.6.0 (also current release).

On Sat, 5 May 2018 at 01:26, Andy LoPresto <[email protected]> wrote:

> Hi Phil,
>
> Sorry to hear you are having this problem. I have a couple of steps you can try to resolve this.
>
> First, to clarify the terminology for NiFi, a “client certificate” refers to a public certificate and private key which in combination allow a client to uniquely identify itself and authenticate on a mutual authentication TLS connection. In NiFi terminology, the client certificate identifies a user or service which connects to NiFi. The “server certificate” identifies the NiFi service, and the CA is what signs one (or both) of those certificates.
>
> The “no cipher suites in common” error can occur when there are legitimately no cipher suites that both the client and server support. This can be verified by using the OpenSSL s_client tool to make a connection from the client to the server. I’ve pasted a sample invocation below.
>
> $ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>
>
> However, that error can also appear when the keystore does not contain a valid private key to be used. I suspect the keystore you generated for NiFi does not have the private key. You can verify this by examining the nifi1.crt file you imported. If you run `$ more nifi1.crt`, you should see a line “-----BEGIN PRIVATE KEY-----” and then some Base64-encoded output. If you do not see this, you have only the public certificate in the file. Importing that into a keystore means that NiFi (or any other service using that keystore) will not be able to sign or decrypt any information encrypted with the public key, so it won’t be able to support any cipher suites that rely on RSA encryption or signatures.
>
> The nifi1.crt you imported into the keystore may also not have the complete certificate chain encoded, in which case when the server presents that certificate on an incoming connection, the client (command-line or browser) won’t be able to verify and trust it. You’ll get a different error, but it is something to be aware of.
>
> Is there a reason you chose to use a PKCS12 keystore in this scenario? Usually we recommend using JKS for both the keystore and the truststore.
>
> I hope this helps. If none of this resolves your issues, please let us know and we can continue to help.
>
> Andy LoPresto
> [email protected]
> [email protected]
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>
> On May 4, 2018, at 4:03 AM, Phil H <[email protected]> wrote:
>
> Hi all,
>
> I am trying to secure my NiFi installation. I have a client certificate (nifi1.crt) and the CA for the intranet (ca.crt). I created the trust and keystores as below:
>
> keytool -import -trustcacerts -alias nifi1 -file nifi1.crt -keystore server_keystore.p12 -storetype PKCS12
>
> keytool -import -file ca.crt -alias cacert -keystore truststore.jks
>
> And the relevant nifi.properties are set as follows:
>
> nifi.security.keystore=./conf/server_keystore.p12
> nifi.security.keystoreType=PKCS12
> nifi.security.keystorePasswd=<Password>
> nifi.security.keyPasswd=<Password>
> nifi.security.truststore=./conf/truststore.jks
> nifi.security.truststoreType=JKS
> nifi.security.truststorePasswd=<Password>
>
> When I try to access the site via https, I receive the above error in Firefox, and the following in the nifi-bootstrap.log (I have enabled additional debugging).
>
> Using both of these certificates inside Apache httpd works on the client as expected, so the certificates are fine. I have seen some references to bugs/features in Jetty under Java 1.8 related to older TLS versions, but I'm at a loss to explain this! Help!!
>
> Thanks,
> Phil
>
> 2018-05-04 20:57:17,406 INFO [NiFi logging handler] org.apache.nifi.StdOut Using SSLEngineImpl.
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Allow unsafe renegotiation: false
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Allow legacy hello messages: true
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Is initial handshake: true
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Is secure renegotiation: false
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLSv1
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLSv1.1
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, READ: TLSv1 Handshake, length = 171
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut *** ClientHello, TLSv1.2
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut RandomCookie: GMT: 1840697519 bytes = { 105, 139, 207, 1, 25, 185, 102, 192, 232, 71, 128, 61, 66, 104, 220, 248, 126, 53, 133, 115, 216, 129, 238, 15, 202, 164, 110, 9 }
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Session ID: {}
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa8, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Compression Methods: { 0 }
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension server_name, server_name: [type=host_name (0), value=nifi1]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension extended_master_secret
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension renegotiation_info, renegotiated_connection: <empty>
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1, secp521r1}
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension ec_point_formats, formats: [uncompressed]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Unsupported extension type_35, data:
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Unsupported extension status_request, data: 01:00:00:00:00
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension signature_algorithms, signature_algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA1withRSA
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut ***
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut %% Initialized: [Session-4, SSL_NULL_WITH_NULL_NULL]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, fatal error: 40: no cipher suites in common
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut javax.net.ssl.SSLHandshakeException: no cipher suites in common
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut %% Invalidated: [Session-4, SSL_NULL_WITH_NULL_NULL]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, WRITE: TLSv1.2 Alert, length = 2
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, called closeOutbound()
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, closeOutboundInternal()
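The keystore problem Andy diagnoses above (a `keytool -import` of nifi1.crt alone creates a trustedCertEntry with no private key, so the server cannot complete a handshake under any cipher suite and the JVM reports "no cipher suites in common") comes down to two checks and one build step. The script below is an added example, not part of the thread and not NiFi project code; it assumes hypothetical file names carried over from the thread (nifi1.key for the server's private key, nifi1.crt for the server certificate, ca.crt for the intranet CA) and placeholder passwords. The PEM classifier is the scripted form of Andy's `more nifi1.crt` check; the openssl and keytool functions build the keystore with the key in it and verify the entry type before nifi.properties is pointed at it.

```shell
#!/bin/sh
# Added example (not from the thread, not NiFi project code).
# Assumed, hypothetical inputs: nifi1.key (server private key), nifi1.crt
# (server certificate), ca.crt (intranet CA). Passwords are placeholders.

# Classify a PEM file by the blocks it contains. Prints one of:
#   key+cert   keystore material (private key plus certificate)
#   cert-only  trust material only; `keytool -import` turns it into a
#              trustedCertEntry, which cannot serve a TLS handshake
#   key-only   a bare key; pair it with its certificate first
#   none       no PEM blocks (wrong file, or DER rather than PEM)
pem_kind() {
    [ -r "$1" ] || { echo none; return 1; }
    keys=$(grep -c -E -e '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" || true)
    certs=$(pem_cert_count "$1")
    if [ "$keys" -gt 0 ] && [ "$certs" -gt 0 ]; then echo key+cert
    elif [ "$certs" -gt 0 ]; then echo cert-only
    elif [ "$keys" -gt 0 ]; then echo key-only
    else echo none
    fi
}

# Number of certificates in a PEM file: 1 means leaf only, so the chain
# (Andy's second point) has to come from -certfile or the truststore.
pem_cert_count() {
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Build the server keystore from key + leaf + CA chain in one PKCS12 entry.
# keytool -import alone can never do this: it imports certificates only.
build_server_keystore() {
    # $1 key, $2 server cert, $3 CA chain file, $4 output .p12, $5 password
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name nifi1 -out "$4" -passout "pass:$5"
}

# Truststore: only the CA, as in the thread (that half was already right).
build_truststore() {
    # $1 ca.crt, $2 output .jks, $3 store password
    keytool -importcert -noprompt -trustcacerts -alias cacert \
        -file "$1" -keystore "$2" -storetype JKS -storepass "$3"
}

# The check that separates the two keystore shapes: a server keystore must
# list a PrivateKeyEntry; one built from nifi1.crt alone lists only a
# trustedCertEntry. Returns 0 when a PrivateKeyEntry is present.
keystore_has_private_key() {
    # $1 keystore, $2 type (PKCS12 or JKS), $3 store password
    keytool -list -keystore "$1" -storetype "$2" -storepass "$3" 2>/dev/null \
        | grep -q 'PrivateKeyEntry'
}

# Same check for PKCS12 without a JDK: ask openssl to dump the key bags.
p12_has_private_key() {
    # $1 keystore.p12, $2 store password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Server-only TLS probe (no client certificate), the cut-down form of the
# s_client call Andy suggested: prints the negotiated cipher or the alert.
tls_probe() {
    # $1 host:port, $2 CA file, $3 SNI name (nifi1 in the thread's ClientHello)
    openssl s_client -connect "$1" -CAfile "$2" -servername "$3" </dev/null 2>&1 \
        | grep -E 'Cipher is|handshake failure|Verify return code'
}

# Typical run (hypothetical paths):
#   pem_kind nifi1.crt                       -> cert-only: do not keytool -import this
#   build_server_keystore nifi1.key nifi1.crt ca.crt conf/server_keystore.p12 changeit
#   keystore_has_private_key conf/server_keystore.p12 PKCS12 changeit && echo ok
#   build_truststore ca.crt conf/truststore.jks changeit
#   tls_probe nifi1:9443 ca.crt nifi1
```

With OpenSSL 3 the exported PKCS12 defaults to AES/PBKDF2 protection; if an older JDK 8 refuses to open it, add `-legacy` to the `openssl pkcs12 -export` call. The same `keystore_has_private_key` check applies unchanged if you take Andy's advice and convert to JKS with `keytool -importkeystore -srcstoretype PKCS12 -deststoretype JKS`.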
