[jira] [Commented] (NIFI-5692) InvokeHttp fails to initialize if SSL context doesn't have truststore set

Tue, 06 Apr 2021 08:03:07 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-5692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17315644#comment-17315644
 ] 

David Handermann commented on NIFI-5692:
----------------------------------------

It is also worth noting that {{OkHttpClient.Builder.sslSocketFactory()}} 
requires a value for the {{X509TrustManager}} parameter in addition to the 
{{SSLContext}} parameter.  As noted in the [OkHttpClient.Builder 
documentation|https://square.github.io/okhttp/4.x/okhttp/okhttp3/-ok-http-client/-builder/ssl-socket-factory/],
 not invoking this method results in using the system default configuration, 
which works for hosts using certificates issued by public certificate 
authorities.

Based on this implementation, a Truststore Filename and associated parameters 
are always required when InvokeHTTP is configured with an SSL Context Service.  
The Keystore properties are not necessary if the remote host does not require 
mutual TLS.

> InvokeHttp fails to initialize if SSL context doesn't have truststore set
> -------------------------------------------------------------------------
>
>                 Key: NIFI-5692
>                 URL: https://issues.apache.org/jira/browse/NIFI-5692
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.7.1
>            Reporter: Joe Percivall
>            Priority: Major
>
> Impact: not able to use InvokeHttp to talk over HTTPS without using a 
> truststore and verifying the server.
> To reproduce, create an InvokeHttp configured to use a 
> StandardRestrictedSSLContextService. Configure a keystore in the SSL context 
> but no truststore. Then enable the context. Attempting to run the processor 
> will fail with the following bulletin and log message:
> {noformat}
> InvokeHTTP[id=6875554d-0166-1000-5f09-c0e320896bfb] Failed to properly 
> initialize Processor. If still scheduled to run, NiFi will attempt to 
> initialize and run the Processor again after the 'Administrative Yield 
> Duration' has elapsed. Failure is due to 
> java.lang.reflect.InvocationTargetException: 
> java.lang.reflect.InvocationTargetException
> {noformat}
>  
> {noformat}
> 2018-10-12 10:30:38,384 ERROR [Timer-Driven Process Thread-1] 
> o.a.nifi.processors.standard.InvokeHTTP 
> InvokeHTTP[id=6875554d-0166-1000-5f09-c0e320896bfb] Failed to properly 
> initialize Processor. If still scheduled to run, NiFi will attempt to 
> initialize and run the Processor again after the 'Administrative Yield 
> Duration' has elapsed. Failure is due to 
> java.lang.reflect.InvocationTargetException: 
> java.lang.reflect.InvocationTargetException 
> java.lang.reflect.InvocationTargetException: null         at 
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>          at java.lang.reflect.Method.invoke(Method.java:498)         at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:142)
>          at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:130)
>          at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotations(ReflectionUtils.java:75)
>          at 
> org.apache.nifi.util.ReflectionUtils.invokeMethodsWithAnnotation(ReflectionUtils.java:52)
>          at 
> org.apache.nifi.controller.StandardProcessorNode.lambda$initiateStart$4(StandardProcessorNode.java:1499)
>          at java.util.concurrent.FutureTask.run(FutureTask.java:266)         
> at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>          at 
> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>          at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>          at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>          at java.lang.Thread.run(Thread.java:745) Caused by: 
> java.lang.IllegalStateException: TrustManagerFactoryImpl is not initialized   
>       at 
> sun.security.ssl.TrustManagerFactoryImpl.engineGetTrustManagers(TrustManagerFactoryImpl.java:100)
>          at 
> javax.net.ssl.TrustManagerFactory.getTrustManagers(TrustManagerFactory.java:285)
>          at 
> org.apache.nifi.processors.standard.InvokeHTTP.setSslSocketFactory(InvokeHTTP.java:699)
>          at 
> org.apache.nifi.processors.standard.InvokeHTTP.setUpClient(InvokeHTTP.java:631)
>          ... 15 common frames omitted
> {noformat}
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to