Hi Devs!

I need the community's help in troubleshooting this weird situation.

I have a NiFi 2.4.0 cluster set up in a FIPS environment, hosted on RHEL
8.8. Without FIPS enabled, everything works fine, but once it's enabled,
I'm getting strange SSL handshake errors whenever I attempt to dial either
the REST API or the Web UI. No errors in the nifi-app.log, and
nifi-bootstrap.log is empty (but it is also empty in non-FIPS cases, so I
assume this is normal). Overall, NiFi seems to start up fine and
listens on the specified port, but it is not possible to communicate with
it, as it immediately closes any incoming connections without reply.

I'm using BCFKS as a keystore, and CryptoComplyJava and BCTLS as providers.

security.provider.1=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
fips:CCJ

With NiFi 1.28 in the same FIPS environment, same Java configuration, same
OS config, etc., everything works fine.

Could you give some guidance on how I could troubleshoot this further? Can
I have some more verbose logs on the server side, so that I could pinpoint
what causes this issue? Does anyone have experience with troubleshooting
such early SSL issues?

This is what I get on the client side:

Request execution failed HTTP Method [GET] URI [https://uixmks-4.example.com:8443/nifi-api/controller/nar-manager/nars], root cause [Remote host terminated the handshake]: retrying

takraj@takraj:~$ curl -vvv https://uixmks-2.example.com:8443/nifi
*   Trying 10.65.51.136:8443...
* Connected to uixmks-2.example.com (10.65.51.136) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, decode error (562):
* error:0A000126:SSL routines::unexpected eof while reading
* Closing connection 0
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

takraj@takraj:~$ openssl s_client -connect uixmks-2.example.com:8443
CONNECTED(00000003)
40A77DAABD7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof
while reading:../ssl/record/rec_layer_s3.c:317:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 341 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Thanks in advance!

Rajmund
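
The silent close seen in the curl and openssl output above, as an added example that is not part of the original post: a Go probe that pins one TLS version per handshake and labels what came back (a completed handshake, a proper alert, or a hang-up with no reply), which is how one narrows down whether a server's TLS stack rejects a particular ClientHello before it can even send an alert. Probe and FakeServer are names of my own; FakeServer is a constructed in-process stand-in (self-signed certificate generated on the fly) so the probe runs offline, and against a real node you would pass a net.Dial("tcp", "host:8443") connection instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"strings"
	"time"
)

// Probe runs one handshake over raw pinned to a single TLS version and labels the outcome,
// so a silent close (curl's "unexpected eof while reading") is told apart from a real alert.
func Probe(raw net.Conn, host string, ver uint16) string {
	defer raw.Close()
	c := tls.Client(raw, &tls.Config{ServerName: host, MinVersion: ver, MaxVersion: ver,
		InsecureSkipVerify: true}) // diagnostic only: we inspect the handshake, not trust the peer
	c.SetDeadline(time.Now().Add(5 * time.Second))
	switch err := c.Handshake(); {
	case err == nil:
		return "ok: " + tls.CipherSuiteName(c.ConnectionState().CipherSuite)
	case strings.Contains(err.Error(), "EOF"):
		return "closed-without-reply" // peer hung up after our ClientHello without an alert
	case strings.Contains(err.Error(), "remote error"):
		return "alert: " + err.Error() // peer rejected us but said why
	default:
		return "other: " + err.Error()
	}
}

// FakeServer is a constructed stand-in for a NiFi node so the probe can run offline: the client
// end of an in-process TLS server (self-signed cert made here) that accepts only versions >= minVer,
// or, if silent, one that reads the ClientHello and drops the connection unanswered.
func FakeServer(minVer uint16, silent bool) net.Conn {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cfg := &tls.Config{MinVersion: minVer, SessionTicketsDisabled: true,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	client, server := net.Pipe()
	go func() {
		defer server.Close()
		if silent { // swallow the ClientHello, then hang up: the symptom reported above
			server.Read(make([]byte, 4096))
		} else {
			tls.Server(server, cfg).Handshake() // sends a protocol_version alert on mismatch
		}
	}()
	return client
}
```

Running Probe once per version against the same node tells you whether the server answers some ClientHellos with a real alert and others with a bare close, which is the distinction the curl and openssl output alone cannot make.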
