[jira] [Commented] (NIFI-2186) Cluster communication treats client and server sockets identically for peer certificate DN extraction

Fri, 08 Jul 2016 15:47:06 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-2186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15368617#comment-15368617
 ] 

ASF GitHub Bot commented on NIFI-2186:
--------------------------------------

GitHub user alopresto opened a pull request:

    https://github.com/apache/nifi/pull/622

    NIFI-2186 Refactored CertificateUtils to separate logic for DN extrac…

    …tion from server/client sockets. Added logic to detect server/client mode 
encapsulated in exposed method.
    
    Added unit tests for DN extraction.
    Corrected typo in Javadoc.
    Switched server/client socket logic for certificate extraction -- when the 
local socket is in client/server mode, the peer is necessarily the inverse.
    Fixed unit tests.
    Moved lazy-loading authentication access out of isDebugEnabled() control 
branch.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/alopresto/nifi NIFI-2186

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/622.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #622
    
----
commit b6fec77ccab01664a11518b6f9652bc2cd855040
Author: Andy LoPresto <[email protected]>
Date:   2016-07-05T04:05:58Z

    NIFI-2186 Refactored CertificateUtils to separate logic for DN extraction 
from server/client sockets. Added logic to detect server/client mode 
encapsulated in exposed method.
    Added unit tests for DN extraction.
    Corrected typo in Javadoc.
    Switched server/client socket logic for certificate extraction -- when the 
local socket is in client/server mode, the peer is necessarily the inverse.
    Fixed unit tests.
    Moved lazy-loading authentication access out of isDebugEnabled() control 
branch.

----


> Cluster communication treats client and server sockets identically for peer 
> certificate DN extraction
> -----------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-2186
>                 URL: https://issues.apache.org/jira/browse/NIFI-2186
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.0.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Critical
>              Labels: certificate, cluster, security, tls
>             Fix For: 1.0.0
>
>
> The code to extract the peer certificate DN is identical for client and 
> server {{SSLSocket}}, which means that servers are subject to the 
> {{nifi.security.needClientAuth}} setting being set to {{true}}. Server 
> certificates must be present in a secure connection regardless of this 
> setting. This was fixed in {{0.x}} in [NIFI-2119] and must be ported to the 
> {{master}} branch.  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to