Github user alopresto commented on the issue: https://github.com/apache/nifi/pull/1275 I set up a Docker container running OpenLDAP with certificates I generated using the NiFI TLS toolkit. If I configure `TLS_VERIFY_CLIENT=never` on OpenLDAP and `<property name="TLS - Client Auth">NONE</property>` in `login-identity-providers.xml`, the LDAP login provider works fine. <img width="1920" alt="Successful user authentication via LDAPS" src="https://cloud.githubusercontent.com/assets/798465/20823670/2c913e58-b80b-11e6-8353-a98746c5dfb6.png"> However, if I switch to `TLS_VERIFY_CLIENT=demand` and `<property name="TLS - Client Auth">REQUIRED</property>`, I get a "Unable to validate the supplied credentials" error on login and the `logs/nifi-bootstrap.log` fills with TLS negotiation output including the lines below: ``` 2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** CertificateVerify 2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut Signature Algorithm SHA256withRSA 2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 264 2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Change Cipher Spec, length = 1 2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished 2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut verify_data: { 12, 201, 103, 33, 205, 116, 165, 164, 117, 65, 44, 206 } 2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut *** 2016-12-01 21:19:12,954 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Handshake, length = 96 2016-12-01 21:19:12,956 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, READ: TLSv1.2 Change Cipher Spec, length = 1 2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, READ: TLSv1.2 Handshake, length = 96 2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut *** Finished 2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut verify_data: { 67, 162, 103, 118, 253, 199, 182, 215, 157, 89, 207, 22 } 2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut *** 2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut %% Cached client session: [Session-346, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384] 2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, setSoTimeout(0) called 2016-12-01 21:19:12,957 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 112 2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, received EOFException: ignored 2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeInternal(false) 2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, SEND TLSv1.2 ALERT: warning, description = close_notify 2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, WRITE: TLSv1.2 Alert, length = 80 2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeSocket(false) 2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called close() 2016-12-01 21:19:12,958 INFO [NiFi logging handler] org.apache.nifi.StdOut Thread-36, called closeInternal(true) 2016-12-01 21:19:12,970 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 250 2016-12-01 21:19:12,970 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-95, WRITE: TLSv1.2 Application Data, length = 7 ``` I want to continue investigating this tomorrow because I can produce odd results even using the `ldapsearch` tool locally (OpenLDAP configured with client verify `never`): ``` ### Trying on port 389 (no TLS) hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto ð 4s @ 21:41:04 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 389 -v ldap_initialize( ldap://localhost:389 ) filter: (objectclass=*) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <dc=example,dc=org> with scope subtree # filter: (objectclass=*) # requesting: ALL # # example.org dn: dc=example,dc=org objectClass: top objectClass: dcObject objectClass: organization o: Example Inc. dc: example # admin, example.org dn: cn=admin,dc=example,dc=org objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: e1NTSEF9NWsyemxnYmc3dk1wR2RqVERRQkJCVVlIQ0tQYm04aUo= # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 ### Trying on port 636 (LDAPS) hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto ð 23s @ 21:41:28 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 636 -v ldap_initialize( ldap://localhost:636 ) ldap_result: Can't contact LDAP server (-1) ### Trying to force TLS (-Z is actually for START_TLS) hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto ð 6s @ 21:42:54 $ ldapsearch -x -h localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin -p 636 -v -Z ldap_initialize( ldap://localhost:636 ) ldap_start_tls: Can't contact LDAP server (-1) ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) ### Verifying that a successful TLS session is negotiated on port 636 hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto ð 3s @ 21:42:57 $ openssl s_client -connect localhost:636 -debug -state -CAfile cacert.crt -cert ldaps.pem -key ldaps.key CONNECTED(00000003) SSL_connect:before/connect initialization write to 0x7f87c1dc3a00 [0x7f87c2811600] (308 bytes => 308 (0x134)) 0000 - 16 03 01 01 2f 01 00 01-2b 03 03 09 b3 3c a2 de ..../...+....<.. ... --- SSL handshake has read 2195 bytes and written 434 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 4B35F1...5641E8 Session-ID-ctx: Master-Key: DBCB82...996654 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1480657473 Timeout : 300 (sec) Verify return code: 0 (ok) --- Q DONE write to 0x7f87c1dc3a00 [0x7f87c281b203] (31 bytes => 31 (0x1F)) 0000 - 15 03 03 00 1a 0b 43 b5-33 0f 65 b2 0a 9d 80 e5 ......C.3.e..... 0010 - ef e5 54 12 a9 e5 a9 da-1f d5 87 31 5f 5c d7 ..T........1_\. SSL3 alert write:warning:close notify ### Verifying that a TLS session is not negotiated over port 389 hw12203:/Users/alopresto/Workspace/certificates/ldaps (master) alopresto ð 102s @ 21:44:40 $ openssl s_client -connect localhost:389 -debug -state -CAfile cacert.crt -cert ldaps.pem -key ldaps.key CONNECTED(00000003) SSL_connect:before/connect initialization write to 0x7f9808700450 [0x7f9809001c00] (308 bytes => 308 (0x134)) 0000 - 16 03 01 01 2f 01 00 01-2b 03 03 98 11 20 40 b6 ..../...+.... @. ... --- SSL handshake has read 0 bytes and written 308 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1480657486 Timeout : 300 (sec) Verify return code: 0 (ok) --- ```
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---