[jira] [Commented] (NIFI-7468) Improve internal handling of SSL channels

Tue, 22 Jun 2021 19:32:07 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17367819#comment-17367819
 ] 

ASF subversion and git services commented on NIFI-7468:
-------------------------------------------------------

Commit 6a83115d6aea68a857c7cd409f33b6ba1d519a1e in nifi's branch 
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=6a83115 ]

NIFI-7468 Updated SSLSocketChannel to support TLS 1.3

- Handling additional FINISHED Handshake Status for TLS 1.3 Post-Handshake 
Messages per RFC 8446 Section 4.6
- Removed clearing buffers after handshake to avoid losing packets
- Updated read() method to check Handshake Status after SSLEngine.unwrap()
- Changed SSLSocketChannelSender to close SSLSocketChannel before other 
resources
- Added ChannelStatus enum and convenience logging methods for tracing status
- Added unit tests for TLS 1.2 and 1.3 using Netty server and client handlers

NIFI-8704 Updated netty-handler to 4.1.65.Final

NIFI-7468 Corrected SSLSocketChannel.read() to return byte read

NIFI-7468 Adjusted comment formatting

Signed-off-by: Nathan Gough <[email protected]>

This closes #5152.


> Improve internal handling of SSL channels
> -----------------------------------------
>
>                 Key: NIFI-7468
>                 URL: https://issues.apache.org/jira/browse/NIFI-7468
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework, Extensions
>    Affects Versions: 1.11.4, 1.13.2
>            Reporter: Andy LoPresto
>            Assignee: David Handermann
>            Priority: Major
>              Labels: security, ssl, tcp, tls, tlsv1.3
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> While refactoring the TLS protocol version issue in NIFI-7407, I discovered 
> that some processors make use of NiFi custom implementations of 
> {{SSLSocketChannel}}, {{SSLCommsSession}}, and 
> {{SSLSocketChannelInputStream}}. These implementations break on TLSv1.3. 
> Further investigation is needed to determine why these custom implementations 
> were provided originally, whether they are still required, and why they do 
> not handle TLSv1.3 successfully. 
> Diagnostic error:
> {code}
> Error reading from channel due to Tag mismatch!: javax.net.ssl.SSLException: 
> Tag mismatch!
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to