[jira] [Commented] (NIFI-7786) Bring back Trusted Hostname property from InvokeHTTP processor

Wed, 02 Sep 2020 09:51:19 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-7786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17189375#comment-17189375
 ] 

Andy LoPresto commented on NIFI-7786:
-------------------------------------

The comment on NIFI-6019 says that if the remote endpoint has an "invalid 
certificate", you need to be able to bypass it. Can you elaborate on why the 
certificate is invalid? If it is not signed by a trusted certificate authority, 
it can be imported into the local truststore explicitly. If the certificate 
identifies the wrong service hostname, is expired, or is revoked, it is a good 
idea to reach out to the responsible team, inform them of the issues, and ask 
for a resolution. 

As Joe mentioned, there is a difficult balance between providing security and 
flexibility to users. Providing bypasses (e.g. {{curl -k}}) tends to become 
quickly abused and misunderstood, and opens a number of visible/invisible 
vulnerabilities that not all users are aware of. Because of the broad audience 
for NiFi, there is rarely a single "correct" solution. 

An admin override setting explicitly acknowledging the unsafe decision might be 
the best path forward, but we actually have not received much pushback since 
this decision was enacted (we received a number of issues before on the mailing 
lists). If this is a blocker for you, you might want to also investigate 
workarounds like {{ExecuteProcess}} using {{curl -k}} or forking the 
project/building & deploying a custom processor using the previous version.  

> Bring back Trusted Hostname property from InvokeHTTP processor
> --------------------------------------------------------------
>
>                 Key: NIFI-7786
>                 URL: https://issues.apache.org/jira/browse/NIFI-7786
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Kun Deng
>            Priority: Major
>
> Removing this option is a mistake.  Just google how many people need this 
> option for various reasons. 
> It is an option so that by using it, people are willing to take the risks. 
>  
> Please bring back this option.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to