[jira] [Resolved] (NIFI-10929) NiFi generated certificates (e.g. Single User, or nifi-toolkit) are not compatible with OpenSSL 3.x+

[David Handermann (Jira)]

     [ 
https://issues.apache.org/jira/browse/NIFI-10929?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

David Handermann resolved NIFI-10929.
-------------------------------------
    Fix Version/s: 1.20.0
       Resolution: Fixed

Thanks for the reference to the other issue [~Chris S].

I tested {{truststore.p12}} generated on startup using Java 11.0.16 and it is 
readable using OpenSSL 3 without the {{-legacy}} option. When using Java 
1.8.0-332, OpenSSL still required the {{-legacy}} option due to the use of the 
old PBE algorithm mentioned.

Recent versions of Java improved the default Password-Based Encryption 
algorithm for PKCS12, so in the end, this comes down to the version of Java. 
With NIFI-10932 merged and NiFi now using the SunJSSE Provider for PKCS12 
reading and writing, this particular should be addressed when using recent Java 
versions.

> NiFi generated certificates (e.g. Single User, or nifi-toolkit) are not 
> compatible with OpenSSL 3.x+
> ----------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-10929
>                 URL: https://issues.apache.org/jira/browse/NIFI-10929
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.19.0, 1.19.1
>            Reporter: Chris Sampson
>            Assignee: David Handermann
>            Priority: Major
>             Fix For: 1.20.0
>
>
> The certificates (keystore, truststore) generated by NiFi are not compatible 
> with OpenSSL 3+ because they are created using old/insecure algorithms.
> When starting NiFi 1.19.0 (using the {{apache/nifi}} Docker image) and 
> confguring a single-user auth, which is the default for NiFi, the generated 
> {{truststore.p12}} and {{keystore.p12}} cannot be decrypted (e.g. to extract 
> the public cert/private key into PEM format files so they can be used with 
> {{curl}}) using the OpenSSL version present within the Docker Image.
> {quote}
> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
> {quote}
> Attempted command:
> {code:bash}
> openssl pkcs12 -in "truststore.p12" -out "nifi-cert.pem" -cacerts -nokeys 
> -password "pass:${TRUSTSTORE_PASSWORD}"
> {code}
> Error:
> {quote}
> 4047C0AF997F0000:error:0308010C:digital envelope 
> routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global
>  default library context, Algorithm (RC2-40-CBC : 0), Properties ()
> {quote}
> This can be worked around by adding the {{-legacy}} flag to the {{openssl}} 
> command (see [this Stack Overflow 
> answer|https://stackoverflow.com/a/72600724]).
> Using the command suggested from the linked article, we see that the NiFi 
> generated truststure uses:
> {quote}
> PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200
> {quote}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)