exceptionfactory commented on a change in pull request #5018:
URL: https://github.com/apache/nifi/pull/5018#discussion_r617916108
##########
File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
##########
@@ -3494,6 +3516,14 @@ Providing three total network interfaces, including
`nifi.web.http.network.inte
|`nifi.web.https.host`|The HTTPS host. It is blank by default.
|`nifi.web.https.port`|The HTTPS port. It is blank by default. When
configuring NiFi to run securely, this port should be configured.
|`nifi.web.https.port.forwarding`|Same as `nifi.web.http.port.forwarding`, but
with HTTPS for secure communication. It is blank by default.
+|`nifi.web.https.includeciphersuites`|Cipher suites used to initialize the
SSLContext of the Jetty https port. If unspecified, the runtime SSLContext
defaults are used.
+|`nifi.web.https.excludeciphersuites`|Cipher suites that may not be used by an
SSL client to establish a connection to Jetty. If unspecified, the runtime
SSLContext defaults are used.
Review comment:
This property name also needs to be updated:
```suggestion
|`nifi.web.https.ciphersuites.exclude`|Cipher suites that may not be used by
an SSL client to establish a connection to Jetty. If unspecified, the runtime
SSLContext defaults are used.
```
##########
File path: nifi-docs/src/main/asciidoc/administration-guide.adoc
##########
@@ -3494,6 +3516,14 @@ Providing three total network interfaces, including
`nifi.web.http.network.inte
|`nifi.web.https.host`|The HTTPS host. It is blank by default.
|`nifi.web.https.port`|The HTTPS port. It is blank by default. When
configuring NiFi to run securely, this port should be configured.
|`nifi.web.https.port.forwarding`|Same as `nifi.web.http.port.forwarding`, but
with HTTPS for secure communication. It is blank by default.
+|`nifi.web.https.includeciphersuites`|Cipher suites used to initialize the
SSLContext of the Jetty https port. If unspecified, the runtime SSLContext
defaults are used.
Review comment:
Looks like this property name needs to be updated, also recommend
changing `https` to uppercase `HTTPS`:
```suggestion
|`nifi.web.https.ciphersuites.include`|Cipher suites used to initialize the
SSLContext of the Jetty HTTPS port. If unspecified, the runtime SSLContext
defaults are used.
```
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java
##########
@@ -1012,6 +1016,28 @@ protected static void
configureSslContextFactory(SslContextFactory.Server contex
contextFactory.setIncludeProtocols(TlsConfiguration.getCurrentSupportedTlsProtocolVersions());
contextFactory.setExcludeProtocols("TLS", "TLSv1", "TLSv1.1", "SSL",
"SSLv2", "SSLv2Hello", "SSLv3");
+ // on configuration, replace default application cipher suites with
those configured
+ final String includeCipherSuitesProps =
props.getProperty(NiFiProperties.WEB_HTTPS_CIPHERSUITES_INCLUDE);
+ if (StringUtils.isNotEmpty(includeCipherSuitesProps)) {
+ final String[] includeCipherSuitesRuntime =
contextFactory.getIncludeCipherSuites();
+ final String[] includeCipherSuites =
includeCipherSuitesProps.split(REGEX_SPLIT_PROPERTY);
+ logger.info("Replacing include cipher suites with configuration;
runtime = {}, raw property = {}, parsed property = {}.",
Review comment:
Do you think it is likely that the raw property will be that different
from the parsed property? It seems like the only difference should be the
number of spaces, in which case, logging both doesn't seem very useful.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
