Pierre,

That has done the trick! I thought I had deleted those files, but with all the changes it's hard to keep track. Maybe I should have set up a git repository in my config directory!

Thanks,
Phil

On Sat, May 5, 2018 at 8:52 PM, Pierre Villard <[email protected]> wrote:

> Hi Phil,
>
> Not sure that's the reason for your issue but just in case... the values you set for Initial User Identities are used at startup by NiFi to populate the users.xml and authorizations.xml files. However, if the files already exist, NiFi won't do anything. A usual mistake is to fix the authorizers.xml file but not delete users.xml and authorizations.xml files before restarting. Could it be the case here?
>
> Pierre
>
> 2018-05-05 6:36 GMT+02:00 Phil H <[email protected]>:
>
> > No worries Andy,
> >
> > I have another issue - I'm sure it's a much simpler one, but it has me stumped.
> >
> > I still get the insufficient permissions error, even after adding myself to the authorizers.xml file as per the admin guide.
> >
> > I added the "EMAILADDRESS=" part of the subject after receiving an unknown user error with that as part of the DN (checking the certificate and the subject contains the email address part).
> >
> > Output from nifi-user.log
> >
> > 2018-05-05 14:10:29,034 INFO [NiFi Web Server-21] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
> > 2018-05-05 14:10:29,249 INFO [NiFi Web Server-19] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response.
> > 2018-05-05 14:10:29,310 INFO [NiFi Web Server-76] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (EMAILADDRESS=phil@blah, CN=Phil H, OU=Blah) GET https://nifi1.blah/nifi-api/flow/current-user (source ip: 192.168.10.192)
> > 2018-05-05 14:10:29,310 INFO [NiFi Web Server-76] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for EMAILADDRESS=phil@blah, CN=Phil H, OU=Blah
> > 2018-05-05 14:10:29,312 INFO [NiFi Web Server-76] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[EMAILADDRESS=phil@blah, CN=Phil H, OU=Blah], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.
> >
> > Partial authorizers.xml (the only changes I have made from the install are in red)
> >
> > <userGroupProvider>
> >     <identifier>file-user-group-provider</identifier>
> >     <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
> >     <property name="Users File">./conf/users.xml</property>
> >     <property name="Legacy Authorized Users File"></property>
> >
> >     <property name="Initial User Identity 1">EMAILADDRESS=phil@blah, CN=Phil H, OU=Blah</property>
> > </userGroupProvider>
> >
> > <accessPolicyProvider>
> >     <identifier>file-access-policy-provider</identifier>
> >     <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
> >     <property name="User Group Provider">file-user-group-provider</property>
> >     <property name="Authorizations File">./conf/authorizations.xml</property>
> >     <property name="Initial Admin Identity">EMAILADDRESS=phil@blah, CN=Phil H, OU=Blah</property>
> >     <property name="Legacy Authorized Users File"></property>
> >
> >     <property name="Node Identity 1"></property>
> > </accessPolicyProvider>
> >
> > On Sat, May 5, 2018 at 11:35 AM, Andy LoPresto <[email protected]> wrote:
> >
> > > Phil,
> > >
> > > Thanks for documenting the steps you took to get it
> > > working. This will definitely be helpful to anyone who has a similar problem in the future. I suspected it was the missing private key and I forgot to explain that yes, to import a PEM-encoded public key and private key into a JKS keystore, you do have to go through the PKCS12 intermediary.
> > >
> > > Andy LoPresto
> > > [email protected]
> > > *[email protected] <[email protected]>*
> > > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> > >
> > > On May 4, 2018, at 4:36 PM, Phil H <[email protected]> wrote:
> > >
> > > Sorry for talking to myself so much. I have solved the problem!
> > >
> > > Once I realised that I had never supplied the private key to keytool when I imported the certificate, I started googling along those lines.
> > >
> > > I found this link from 2008 which provided the solution
> > > http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html
> > >
> > > Basically you use OpenSSL to create a PKCS12 file from the cert and key, and then keytool to import that (as an existing keystore, not as a certificate)
> > >
> > > From there, everything else just worked (including client authentication through the browser). Now I have the "Insufficient permissions" problem, which there is loads of documentation as to how to move forwards.
> > >
> > > Thanks!
> > > Phil
> > >
> > > On Sat, May 5, 2018 at 8:27 AM, Phil H <[email protected]> wrote:
> > >
> > > Further info
> > >
> > > In the httpd installation, I need the private key for the certificate and its passphrase. That private key has not played a part of the NiFi install thus far (seems like an important thing - the "keystore" only has a certificate, not a key)
> > >
> > > The reason why I used PKCS12 for the keystore was some Jetty debug output telling me that was preferred to JKS. Interestingly it gave me contrary advice for the trust store.
> > >
> > > On Sat, 5 May 2018 at 08:22, Phil H <[email protected]> wrote:
> > >
> > > Hi Andy,
> > >
> > > Sorry - poor use of words (it was late when I wrote the email). When I said "client" certificate I meant the certificate for the NiFi server (no idea why I wrote "client")
> > >
> > > I'm not trying to use certificate authentication yet - simply to get NiFi operating over TLS.
> > >
> > > When I test with OpenSSL, I get the same NiFi server log output as seen with a connection attempt from a browser.
> > >
> > > On the Cipher issue, when I use OpenSSL to connect using said certificate using httpd, it lists the successful cipher as one of those ignored by Jetty, albeit with less underscores in the onscreen output:
> > > TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
> > >
> > > All machines involved are CentOS 7 - the only add-ons being Java 1.8 (current release) and NiFi 1.6.0 (also current release)
> > >
> > > On Sat, 5 May 2018 at 01:26, Andy LoPresto <[email protected]> wrote:
> > >
> > > Hi Phil,
> > >
> > > Sorry to hear you are having this problem. I have a couple steps you can try to resolve this.
> > >
> > > First, to clarify the terminology for NiFi, a “client certificate” refers to a public certificate and private key which in combination allow a client to uniquely identify itself and authenticate on a mutual authentication TLS connection. In NiFi terminology, the client certificate identifies a user or service which connects to NiFi. The “server certificate” identifies the NiFi service, and the CA is what signs one (or both) of those certificates.
> > >
> > > The “no cipher suites in common” error can occur when there are legitimately no cipher suites that both the client and server support. This can be verified by using the OpenSSL s_client tool to make a connection from the client to the server.
> > > I’ve pasted a sample invocation below.
> > >
> > > $ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>
> > >
> > > However, that error can also appear when the keystore does not contain a valid private key to be used. I suspect the keystore you generated for NiFi does not have the private key. You can verify this by examining the nifi1.crt file you imported. If you run `$ more nifi1.crt`, you should see a line “-----BEGIN PRIVATE KEY-----” and then some Base64-encoded output. If you do not see this, you have only the public certificate in the file. Importing that into a keystore means that NiFi (or any other service using that keystore) will not be able to sign or decrypt any information encrypted with the public key, so it won’t be able to support any cipher suites that rely on RSA encryption or signatures.
> > >
> > > The nifi1.crt you imported into the keystore may also not have the complete certificate chain encoded, in which case when the server presents that certificate on an incoming connection, the client (command-line or browser) won’t be able to verify and trust it. You’ll get a different error, but it is something to be aware of.
> > >
> > > Is there a reason you chose to use a PKCS12 keystore in this scenario? Usually we recommend using JKS for both the keystore and the truststore.
> > >
> > > I hope this helps. If none of this resolves your issues, please let us know and we can continue to help.
> > >
> > > Andy LoPresto
> > > [email protected]
> > > *[email protected] <[email protected]>*
> > > PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> > >
> > > On May 4, 2018, at 4:03 AM, Phil H <[email protected]> wrote:
> > >
> > > Hi all,
> > >
> > > I am trying to secure my NiFi installation.
> > > I have a client certificate (nifi1.crt) and the CA for the intranet (ca.crt). I created the trust and keystores as below:
> > >
> > > keytool -import -trustcacerts -alias nifi1 -file nifi1.crt -keystore server_keystore.p12 -storetype PKCS12
> > >
> > > keytool -import -file ca.crt -alias cacert -keystore truststore.jks
> > >
> > > And the relevant nifi.properties are set as follows
> > >
> > > nifi.security.keystore=./conf/server_keystore.p12
> > > nifi.security.keystoreType=PKCS12
> > > nifi.security.keystorePasswd=<Password>
> > > nifi.security.keyPasswd=<Password>
> > > nifi.security.truststore=./conf/truststore.jks
> > > nifi.security.truststoreType=JKS
> > > nifi.security.truststorePasswd=<Password>
> > >
> > > When I try and access the site via https, I receive the above error in Firefox, and the following in the nifi-bootstrap.log (I have enabled additional debugging).
> > >
> > > Using both of these certificates inside Apache httpd works on the client as expected, so the certificates are fine. I have seen some references to bugs/features in Jetty under Java 1.8 related to older TLS versions, but I'm at a loss to explain this! Help!!
> > >
> > > Thanks,
> > > Phil
> > >
> > > 2018-05-04 20:57:17,406 INFO [NiFi logging handler] org.apache.nifi.StdOut Using SSLEngineImpl.
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Allow unsafe renegotiation: false
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Allow legacy hello messages: true
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Is initial handshake: true
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Is secure renegotiation: false
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLSv1
> > > 2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLSv1.1
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, READ: TLSv1 Handshake, length = 171
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut *** ClientHello, TLSv1.2
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut RandomCookie: GMT: 1840697519 bytes = { 105, 139, 207, 1, 25, 185, 102, 192, 232, 71, 128, 61, 66, 104, 220, 248, 126, 53, 133, 115, 216, 129, 238, 15, 202, 164, 110, 9 }
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Session ID: {}
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa8, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Compression Methods: { 0 }
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension server_name, server_name: [type=host_name (0), value=nifi1]
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension extended_master_secret
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension renegotiation_info, renegotiated_connection: <empty>
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1, secp521r1}
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension ec_point_formats, formats: [uncompressed]
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Unsupported extension type_35, data:
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Unsupported extension status_request, data: 01:00:00:00:00
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension signature_algorithms, signature_algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA1withRSA
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut ***
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut %% Initialized: [Session-4, SSL_NULL_WITH_NULL_NULL]
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, fatal error: 40: no cipher suites in common
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut javax.net.ssl.SSLHandshakeException: no cipher suites in common
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut %% Invalidated: [Session-4, SSL_NULL_WITH_NULL_NULL]
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, WRITE: TLSv1.2 Alert, length = 2
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, called closeOutbound()
> > > 2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, closeOutboundInternal()
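
The keystore check and the PKCS12 fix discussed in this thread, as an added example that is not part of any message above. nifi1.crt and ca.crt are the thread's file names; nifi1.key, nifi1.p12, keystore.jks and the two sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. nifi1.key, nifi1.p12 and keystore.jks
# are assumed file names; the sample listings below are constructed.

# Succeeds if the PEM file contains a private key block. A certificate-only
# file (what was imported in the first message) has no such line.
pem_has_private_key() {
    grep -Eq -e '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# Reads `keytool -list -v` output on stdin, prints "alias: entry type" per entry.
keystore_entries() {
    awk -F': ' '/^Alias name: / { alias = $2 }
                /^Entry type: / { print alias ": " $2 }'
}

# Succeeds only if the listing on stdin holds at least one PrivateKeyEntry.
# A keystore holding only trustedCertEntry items gives the server no key to
# present, which the thread shows surfacing as "no cipher suites in common".
keystore_has_private_key() {
    keystore_entries | grep -Eq ': PrivateKeyEntry[[:space:]]*$'
}

# Constructed listing: keystore built with `keytool -import` of the cert only.
sample_cert_only() {
    cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 1 entry

Alias name: nifi1
Creation date: May 4, 2018
Entry type: trustedCertEntry
EOF
}

# Constructed listing: keystore built from a PKCS12 bundle of cert and key.
sample_with_key() {
    cat <<'EOF'
Keystore type: JKS
Your keystore contains 1 entry

Alias name: nifi1
Creation date: May 5, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
EOF
}

# The fix from the thread: bundle cert, key and CA cert into PKCS12 with
# OpenSSL, then import that file as a keystore (not as a certificate).
# Both tools prompt for passwords, so none appear on the command line.
build_keystore() {
    cert=$1 key=$2 ca=$3
    pem_has_private_key "$key" || { echo "no private key in $key" >&2; return 1; }
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
        -name nifi1 -out nifi1.p12 &&
    keytool -importkeystore -srckeystore nifi1.p12 -srcstoretype PKCS12 \
        -destkeystore keystore.jks -deststoretype JKS
}

# Check a real keystore before restarting NiFi (keytool prompts for the password).
verify_keystore() {
    keytool -list -v -keystore "$1" | keystore_has_private_key
}
```

Typical use is `build_keystore nifi1.crt nifi1.key ca.crt` followed by `verify_keystore keystore.jks`; a non-zero exit from the second means the keystore still has no private key entry.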
