[ https://issues.apache.org/jira/browse/NIFI-2186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15372116#comment-15372116 ]
ASF subversion and git services commented on NIFI-2186:
-------------------------------------------------------
Commit 4b9df7d1e24c8a8fa32ece2ee5d4118ebe5ffe18 in nifi's branch
refs/heads/master from [~alopresto]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=4b9df7d ]
NIFI-2186 Refactored CertificateUtils to separate logic for DN extraction from
server/client sockets. Added logic to detect server/client mode encapsulated in
exposed method.
Added unit tests for DN extraction.
Corrected typo in Javadoc.
Switched server/client socket logic for certificate extraction -- when the
local socket is in client/server mode, the peer is necessarily the inverse.
Fixed unit tests.
Moved lazy-loading authentication access out of isDebugEnabled() control branch.
This closes #622
> Cluster communication treats client and server sockets identically for peer
> certificate DN extraction
> -----------------------------------------------------------------------------------------------------
>
> Key: NIFI-2186
> URL: https://issues.apache.org/jira/browse/NIFI-2186
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.0.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Critical
> Labels: certificate, cluster, security, tls
> Fix For: 1.0.0
>
>
> The code to extract the peer certificate DN is identical for client and
> server {{SSLSocket}}, which means that servers are subject to the
> {{nifi.security.needClientAuth}} setting being set to {{true}}. Server
> certificates must be present in a secure connection regardless of this
> setting. This was fixed in {{0.x}} in [NIFI-2119] and must be ported to the
> {{master}} branch.
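
The mode-dependent DN extraction described in the issue, as an added example that is not part of the original message and is not NiFi's CertificateUtils code. The class and method names are hypothetical; only standard JSSE calls are used.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

/** Illustrative sketch only (hypothetical class, not NiFi's CertificateUtils). */
public final class PeerDnExample {

    /** Returns the peer's subject DN, or null when the peer is a client that presented no certificate and none was required. */
    public static String extractPeerDn(SSLSocket socket) throws CertificateException {
        if (socket.getUseClientMode()) {
            // Local socket is the TLS client, so the peer is the server.
            // A server certificate is mandatory; the client-auth setting does not apply.
            return requirePeerDn(socket, "server");
        }
        // Local socket is the TLS server, so the peer is a client.
        if (socket.getNeedClientAuth()) {
            return requirePeerDn(socket, "client");
        }
        if (socket.getWantClientAuth()) {
            try {
                return peerDn(socket);
            } catch (SSLPeerUnverifiedException e) {
                return null; // client auth is optional and no certificate was offered
            }
        }
        return null; // client auth was not requested
    }

    private static String requirePeerDn(SSLSocket socket, String role) throws CertificateException {
        try {
            return peerDn(socket);
        } catch (SSLPeerUnverifiedException e) {
            throw new CertificateException("No certificate presented by " + role + " peer", e);
        }
    }

    private static String peerDn(SSLSocket socket) throws SSLPeerUnverifiedException {
        Certificate[] chain = socket.getSession().getPeerCertificates();
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException("Peer did not present an X.509 certificate");
        }
        // The first element of the chain is the peer's own (leaf) certificate.
        return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
    }
}
```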