[ https://issues.apache.org/jira/browse/NIFI-2186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15368625#comment-15368625 ]

ASF GitHub Bot commented on NIFI-2186:
--------------------------------------

Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/622
  
    This is the fix that was included in `0.7.0` in [PR 611](https://github.com/apache/nifi/pull/611) for [NIFI-2119](https://issues.apache.org/jira/browse/NIFI-2119).
    
    I have tested this on a secured `1.0` cluster (2 nodes, one running 
embedded Zookeeper). I exercised the cluster with 
`nifi.security.needClientAuth` set to both *true* and *false*. 
    
    Setting up a ZMC cluster is not fully documented yet as there is still 
on-going work, so if anyone reviewing this needs example keystores and 
configuration files to get the cluster running, let me know. 


> Cluster communication treats client and server sockets identically for peer 
> certificate DN extraction
> -----------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-2186
>                 URL: https://issues.apache.org/jira/browse/NIFI-2186
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.0.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Critical
>              Labels: certificate, cluster, security, tls
>             Fix For: 1.0.0
>
>
> The code to extract the peer certificate DN is identical for client and 
> server {{SSLSocket}}, which means that servers are subject to the 
> {{nifi.security.needClientAuth}} setting being set to {{true}}. Server 
> certificates must be present in a secure connection regardless of this 
> setting. This was fixed in {{0.x}} in [NIFI-2119] and must be ported to the 
> {{master}} branch.  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
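
The distinction the issue description calls for, sketched as an added example (not NiFi's own code, and not taken from PR 611 or PR 622). The class and method names are hypothetical; the calls used are the standard JSSE `SSLSocket` API.

```java
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

// Added illustration; PeerDnExample and extractPeerDn are hypothetical names.
public final class PeerDnExample {

    /**
     * Returns the peer's subject DN, or null when the connection is plaintext
     * or when no certificate is required from the peer and none was sent.
     */
    public static String extractPeerDn(Socket socket) throws CertificateException {
        if (!(socket instanceof SSLSocket)) {
            return null; // plaintext connection: there is no peer identity
        }
        SSLSocket ssl = (SSLSocket) socket;

        // Client mode means this side initiated the handshake, so the peer is the server.
        boolean peerIsServer = ssl.getUseClientMode();

        // A server peer must always present a certificate. A client peer only has
        // to when this (server-side) socket demands client authentication.
        // Treating both cases the same is the behaviour the issue reports.
        boolean certRequired = peerIsServer || ssl.getNeedClientAuth();

        try {
            Certificate[] chain = ssl.getSession().getPeerCertificates();
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                // chain[0] is the peer's own certificate
                return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
            }
            if (certRequired) {
                throw new CertificateException("Peer presented no X.509 certificate");
            }
            return null;
        } catch (SSLPeerUnverifiedException e) {
            // Thrown when the peer sent no certificate at all.
            if (certRequired) {
                throw new CertificateException("Peer did not present a required certificate", e);
            }
            return null;
        }
    }
}
```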
