David Handermann created NIFI-8019:
--------------------------------------
Summary: SSL Enabled Protocol test failures when TLSv1 and TLSv1.1
disabled in java.security
Key: NIFI-8019
URL: https://issues.apache.org/jira/browse/NIFI-8019
Project: Apache NiFi
Issue Type: Bug
Components: Security
Affects Versions: 1.12.1
Environment: Fedora 33 OpenJDK 11.0.9
Reporter: David Handermann
The SslContextFactoryTest in nifi-security-utils and other test classes
evaluate the array of enabled protocols during various unit tests after
constructing an SSLContext. This unit test and others contain a static array
of expected protocols that include TLSv1 and TLSv1.1.
Recent versions of Java 8 and 11 continue to allow these protocols, however,
Fedora 33 introduced changes to the default cryptographic policies that disable
TLSv1 and TLSv1.1. The following Fedora Wiki page describes the changes:
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
The Fedora 33 _crypto-policies_ RPM includes the following policy file:
/usr/share/crypto-policies/DEFAULT/java.txt
The Java policy includes TLSv1 and TLSv1.1 in the property for
jdk.tls.disabledAlgorithms. This policy is included at runtime due to the
java.security policy enabling security.useSystemPropertiesFile.
The SslContextFactoryTest and other tests that evaluate enabled SSL protocols
should be updated to dynamically determine which protocols to expect using the
SSLEngine.getSupportedProtocols() method.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
