martinzink commented on code in PR #1600:
URL: https://github.com/apache/nifi-minifi-cpp/pull/1600#discussion_r1298506082
##########
extensions/standard-processors/tests/unit/PutTCPTests.cpp:
##########
@@ -400,9 +403,9 @@ TEST_CASE("PutTCP test missing client cert", "[PutTCP]") {
auto port = test_fixture.addSSLServer();
test_fixture.setPutTCPPort(port);
- trigger_expect_failure(test_fixture, "message for invalid-cert server");
+ test_fixture.trigger("message for invalid-cert server");
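Review bot: on the added `test_fixture.trigger("message for invalid-cert server");` line, the test case "PutTCP test missing client cert" no longer asserts any outcome in the lines shown. The removed `trigger_expect_failure(...)` pinned the result, while a bare `trigger` call, as far as this hunk shows, lets the case pass however the message is handled. Add a comment at this line saying why the outcome is left unasserted. If the fixture can expose it, also keep one assertion that does not depend on the routing, such as checking that the server created by `addSSLServer()` did not receive the message, so the test still verifies that a client without an accepted certificate delivers nothing.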
Review Comment:
I know this is due to a change in TLS (you mentioned in the PR as well)
`Fix tests to not expect error failed handshake in case of missing
certificate as of TLS 1.3 handshake failure is only detected by the client on
the first read operation:
https://stackoverflow.com/questions/62459802/tls-1-3-client-does-not-report-failed-handshake-when-client-certificate-verifica`
But I think we should emphasize the meaning of this:
If someone has an invalid client certification on a minifi client which is
not accepted by the server (the message will be disregarded), then using
TLSv1.2 will route the messages to `failure`; however, using TLSv1.3 can (more
often than not, based on my testing) route these to `success` (sometimes
`failure`).
This means feature loss on v1.3 compared to v1.2.
Do you see any way how we can resolve this?
If not then I think we should thoroughly document this phenomenon in
PROCESSORS.md