[
https://issues.apache.org/jira/browse/NIFI-10929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17679999#comment-17679999
]
Chris Sampson commented on NIFI-10929:
--------------------------------------
A little more info, the ticket was raised when attempting to extract the CA,
Certificate and Private Key generated by NiFi for the {{Single User Auth}}
setup in 1.19.0+.
This was done on an {{alpine}} based Docker Image into which {{openssl}} was
installed with
{code:bash}
apk --no-cache --update add openssl
{code}
which gives us:
{quote}
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
{quote}
And then a command such as
{code:bash}
openssl pkcs12 -in "${TRUSTSTORE_PATH}" -out "${NIFI_CONF_DIR}/nifi-cert.pem" \
  -cacerts -nokeys -password "pass:${TRUSTSTORE_PASSWORD}"
{code}
fails with the above error. Adding {{-legacy}} to the {{openssl pkcs12}}
command allows for the operation to succeed.
When doing the same thing in a Debian ({{bullseye}}) based Image, the error
does not occur, but presumably because of the different OpenSSL versions:
{code:bash}
apt-get update && apt-get install -qq openssl
{code}
gives
{quote}
OpenSSL 1.1.1n 15 Mar 2022
{quote}
So this is something to bear in mind (for anyone finding this ticket). NiFi
doesn't use OpenSSL directly (to my knowledge), but members of the user
community might use it to convert keystores into other certificate formats for
use in 3rd party utilities (e.g. {{curl}}). So there may be need to use the
{{-legacy}} flag in OpenSSL for newer versions, but **not** in older versions
(where the flag doesn't exist).
NiFi may need to consider how it generates certificates to ensure different
versions of OpenSSL/3rd party tools can continue to use the output (and/or
provide guidance for any use cases that are known to be common throughout the
community).
> NiFi generated certificates (e.g. Single User, or nifi-toolkit) are not
> compatible with OpenSSL 3.x+
> ----------------------------------------------------------------------------------------------------
>
> Key: NIFI-10929
> URL: https://issues.apache.org/jira/browse/NIFI-10929
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.19.0, 1.19.1
> Reporter: Chris Sampson
> Priority: Major
>
> The certificates (keystore, truststore) generated by NiFi are not compatible
> with OpenSSL 3+ because they are created using old/insecure algorithms.
> When starting NiFi 1.19.0 (using the {{apache/nifi}} Docker image) and
> configuring a single-user auth, which is the default for NiFi, the generated
> {{truststore.p12}} and {{keystore.p12}} cannot be decrypted (e.g. to extract
> the public cert/private key into PEM format files so they can be used with
> {{curl}}) using the OpenSSL version present within the Docker Image.
> {quote}
> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
> {quote}
> Attempted command:
> {code:bash}
> openssl pkcs12 -in "truststore.p12" -out "nifi-cert.pem" -cacerts -nokeys \
>   -password "pass:${TRUSTSTORE_PASSWORD}"
> {code}
> Error:
> {quote}
> 4047C0AF997F0000:error:0308010C:digital envelope
> routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global
> default library context, Algorithm (RC2-40-CBC : 0), Properties ()
> {quote}
> This can be worked around by adding the {{-legacy}} flag to the {{openssl}}
> command (see [this Stack Overflow
> answer|https://stackoverflow.com/a/72600724]).
> Using the command suggested from the linked article, we see that the NiFi
> generated truststore uses:
> {quote}
> PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200
> {quote}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
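As an added example (not code from the ticket or from the NiFi project), the following POSIX sh script wraps the commands discussed above so that one script works on both the Alpine (OpenSSL 3.0.7) and Debian bullseye (OpenSSL 1.1.1n) images: it appends {{-legacy}} only when {{openssl version}} reports a 3.x major version, prints the PBE algorithms a PKCS#12 file was written with (the RC2-40 line from the ticket), extracts CA, certificate and key to PEM, and finally re-exports the certificate and key as a PKCS#12 file built with AES-256-CBC and an SHA-256 MAC, which OpenSSL 3 opens without the legacy provider. The function names, the output file names and the re-export step are this example's own assumptions; {{TRUSTSTORE_PATH}}, {{TRUSTSTORE_PASSWORD}} and {{NIFI_CONF_DIR}} follow the ticket, while {{KEYSTORE_PATH}} and {{KEYSTORE_PASSWORD}} are assumed by analogy.

```shell
#!/bin/sh
# Added example, not NiFi project code or code from the ticket.
# Extracts CA cert, certificate and private key from NiFi's generated
# truststore.p12 / keystore.p12 with OpenSSL, appending -legacy only when the
# installed OpenSSL is 3.x or newer (1.1.1 rejects the flag), then re-exports
# cert + key as a PKCS#12 that OpenSSL 3 reads without the legacy provider.
# Function names, output paths and KEYSTORE_* variables are assumptions.

# Return 0 when the given `openssl version` string names OpenSSL 3.x or newer.
# Only the "OpenSSL <major>." prefix is inspected; LibreSSL (which has no
# -legacy flag) and unparsable strings yield 1.
needs_legacy_flag() {
    major=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\..*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 3 ]
}

# Print "-legacy" for OpenSSL 3.x+, nothing otherwise (meant to be expanded
# unquoted into an openssl command line).
legacy_flag() {
    if needs_legacy_flag "$1"; then printf -- '-legacy'; fi
}

# Show the MAC and PBE algorithms a PKCS#12 file was written with; for the
# NiFi files in the ticket this reports pbeWithSHA1And40BitRC2-CBC.
# `openssl pkcs12 -info` writes these lines to stderr, hence 2>&1.
# (The ticket passes the password as pass:...; note that this is visible in
# `ps`, and -password env:VAR is the alternative when that matters.)
p12_algorithms() {
    # $1 = .p12 path, $2 = password
    # shellcheck disable=SC2046  # legacy_flag is intentionally unquoted
    openssl pkcs12 -info -in "$1" -nokeys -nocerts -password "pass:$2" \
        $(legacy_flag "$(openssl version)") 2>&1 |
        grep -E 'MAC:|Encrypted data|Shrouded Keybag'
}

# CA certificate(s) from truststore.p12 as PEM (the ticket's command).
extract_ca_pem() {
    # $1 = truststore.p12, $2 = password, $3 = output PEM path
    openssl pkcs12 -in "$1" -out "$3" -cacerts -nokeys -password "pass:$2" \
        $(legacy_flag "$(openssl version)")
}

# End-entity certificate from keystore.p12 as PEM.
extract_cert_pem() {
    # $1 = keystore.p12, $2 = password, $3 = output PEM path
    openssl pkcs12 -in "$1" -out "$3" -clcerts -nokeys -password "pass:$2" \
        $(legacy_flag "$(openssl version)")
}

# Private key from keystore.p12 as unencrypted PEM, created mode 0600
# (the umask change is confined to a subshell).
extract_key_pem() {
    # $1 = keystore.p12, $2 = password, $3 = output PEM path
    ( umask 077
      openssl pkcs12 -in "$1" -out "$3" -nocerts -nodes -password "pass:$2" \
          $(legacy_flag "$(openssl version)") )
}

# Re-export cert + key as PKCS#12 using AES-256-CBC and an SHA-256 MAC.
# -keypbe/-certpbe/-macalg exist in both OpenSSL 1.1.1 and 3.x, and the
# resulting file opens on OpenSSL 3 without -legacy.
reexport_modern_p12() {
    # $1 = cert PEM, $2 = key PEM, $3 = output .p12, $4 = password
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -password "pass:$4"
}

# Run end to end when the ticket's environment variables point at real files:
#   TRUSTSTORE_PATH=conf/truststore.p12 TRUSTSTORE_PASSWORD=... \
#   KEYSTORE_PATH=conf/keystore.p12 KEYSTORE_PASSWORD=... NIFI_CONF_DIR=conf \
#   sh nifi_p12_extract.sh
if [ -f "${TRUSTSTORE_PATH:-}" ] && [ -f "${KEYSTORE_PATH:-}" ]; then
    out="${NIFI_CONF_DIR:-.}"
    echo "Using: $(openssl version)"
    p12_algorithms "$TRUSTSTORE_PATH" "$TRUSTSTORE_PASSWORD"
    extract_ca_pem   "$TRUSTSTORE_PATH" "$TRUSTSTORE_PASSWORD" "$out/nifi-cert.pem"
    extract_cert_pem "$KEYSTORE_PATH"   "$KEYSTORE_PASSWORD"   "$out/nifi-client.pem"
    extract_key_pem  "$KEYSTORE_PATH"   "$KEYSTORE_PASSWORD"   "$out/nifi-key.pem"
    reexport_modern_p12 "$out/nifi-client.pem" "$out/nifi-key.pem" \
        "$out/nifi-client-aes.p12" "$KEYSTORE_PASSWORD"
    echo "Wrote nifi-cert.pem, nifi-client.pem, nifi-key.pem, nifi-client-aes.p12 in $out"
fi
```

The version check keys off the {{openssl version}} string rather than probing for {{-legacy}}, so the same script can be dropped into either image. Re-exporting with AES-256-CBC changes nothing about what NiFi generates; it only gives third-party tools a file they can read. {{-legacy}} loads OpenSSL's legacy provider for RC2-40, which is a way to read the old file, not a reason to keep producing files in that format.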