[
https://issues.apache.org/jira/browse/NIFI-7064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17434632#comment-17434632
]
David Handermann commented on NIFI-7064:
----------------------------------------
[~dreadolph] After reviewing the comments the proposed patch, I updated the
issue title in an attempt to reflect the request more accurately. InvokeHTTP
already performs standard hostname validation through the OkHttp library, so is
there still something that you think should be changed?
> Add Custom TLS Hostname Validation to InvokeHTTP
> ------------------------------------------------
>
> Key: NIFI-7064
> URL: https://issues.apache.org/jira/browse/NIFI-7064
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework, Security
> Affects Versions: 1.10.0
> Reporter: Dmitry Mashkov
> Priority: Major
> Labels: features, patch, ready-to-commit, security
> Attachments: InvokeHTTP_2-way_SSL_hostvalidation_support.patch
>
>
> HandleHTTPRequest processor as server, supports 2Way SSL( ie client
> authentication). InvokeHTTP processor as client, unfortunately not. I would
> like provide my patch for InvokeHTTP processor.See attach.
> Here some comments for code.
> I added Client.Auth methods
> I added hostname validator.
> Due to original code base and chosen HTTP client, I changed OkHttpClient
> reference to OkHttpClient.Builder for host validation handler. I have not way
> to support EL in properties and pass them to handler from setupto trigger via
> context.
> {code:java}
> AtomicReference<OkHttpClient.Builder> okHttpClientBuilderAtomicReferenc{code}
> Most hard and long operations done before trigger, while scheduler starts,
> building client is relatively lightweight.
> Some comments about host validator, reasons to do this.
> My case is build RESTful services with 2-way SSL authentication by IP. Remote
> client can be a servers at same time as a clients, like mutual communication,
> but no domains, only IPs in green field. More over, clients can change
> dynamically their IP due to selected channel, LAN or Cellular, here is not
> way to provide SAN to certificate at configuration. Now you can provide
> dynamically via EL/param IP addresses to check hostname for client
> authentication.
>
> PS. It's not clear code, why processor build SSLContext in SSL Context
> Controlller, but not use it anyhow? This is strange and unclear, possibly,
> here we can reduce the code.
> PPS. It not clear, how to build tests for this case.
>
>
> Sincerely,
> Dmitry.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
