[ https://issues.apache.org/jira/browse/NIFI-3265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15783679#comment-15783679 ]

Bryan Rosander edited comment on NIFI-3265 at 12/28/16 8:51 PM:
----------------------------------------------------------------

Server:
{code}
bin/tls-toolkit.sh server -D 'CN=localhost,CN=host,CN=account' -t test
tls-toolkit.sh: JAVA_HOME not set; results may vary
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.util.log: Logging initialized @1284ms
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.server.Server: jetty-9.3.9.v20160517
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.server.AbstractConnector: Started ServerConnector@be34f20{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.server.Server: Started @1460ms
Server Started
{code}

Client:
{code}
bin/tls-toolkit.sh client -t test -D 'CN=client'
tls-toolkit.sh: JAVA_HOME not set; results may vary
2016/12/28 15:51:25 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateAuthorityClient: Requesting new certificate from localhost:8443
2016/12/28 15:51:25 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateSigningRequestPerformer: Requesting certificate with dn CN=client from localhost:8443
2016/12/28 15:51:26 INFO [main] org.apache.http.impl.execchain.RetryExec: I/O exception (java.io.IOException) caught when processing request to {s}->https://localhost:8443: Expected cn of localhost but got account
2016/12/28 15:51:26 INFO [main] org.apache.http.impl.execchain.RetryExec: Retrying request to {s}->https://localhost:8443
2016/12/28 15:51:26 INFO [main] org.apache.http.impl.execchain.RetryExec: I/O exception (java.io.IOException) caught when processing request to {s}->https://localhost:8443: Expected cn of localhost but got account
2016/12/28 15:51:26 INFO [main] org.apache.http.impl.execchain.RetryExec: Retrying request to {s}->https://localhost:8443
2016/12/28 15:51:26 INFO [main] org.apache.http.impl.execchain.RetryExec: I/O exception (java.io.IOException) caught when processing request to {s}->https://localhost:8443: Expected cn of localhost but got account
2016/12/28 15:51:26 INFO [main] org.apache.http.impl.execchain.RetryExec: Retrying request to {s}->https://localhost:8443
Service client error: Expected cn of localhost but got account

Usage: tls-toolkit service [-h] [args]

Services:
   standalone: Creates certificates and config files for nifi cluster.
   server: Acts as a Certificate Authority that can be used by clients to get Certificates
   client: Generates a private key and gets it signed by the certificate authority.
{code}


was (Author: [email protected]):
Server:
{code}
bin/tls-toolkit.sh server -D 'CN=localhost,CN=host,CN=account' -t test
tls-toolkit.sh: JAVA_HOME not set; results may vary
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.util.log: Logging initialized @1284ms
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.server.Server: jetty-9.3.9.v20160517
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.server.AbstractConnector: Started ServerConnector@be34f20{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.server.Server: Started @1460ms
Server Started
{code}

Client:
{code}
bin/tls-toolkit.sh client -t test
tls-toolkit.sh: JAVA_HOME not set; results may vary
2016/12/28 15:46:05 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateAuthorityClient: Requesting new certificate from localhost:8443
2016/12/28 15:46:06 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateSigningRequestPerformer: Requesting certificate with dn CN=HW13384.lan,OU=NIFI from localhost:8443
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: I/O exception (java.io.IOException) caught when processing request to {s}->https://localhost:8443: Expected cn of localhost but got account
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: Retrying request to {s}->https://localhost:8443
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: I/O exception (java.io.IOException) caught when processing request to {s}->https://localhost:8443: Expected cn of localhost but got account
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: Retrying request to {s}->https://localhost:8443
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: I/O exception (java.io.IOException) caught when processing request to {s}->https://localhost:8443: Expected cn of localhost but got account
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: Retrying request to {s}->https://localhost:8443
Service client error: Expected cn of localhost but got account

Usage: tls-toolkit service [-h] [args]

Services:
   standalone: Creates certificates and config files for nifi cluster.
   server: Acts as a Certificate Authority that can be used by clients to get Certificates
   client: Generates a private key and gets it signed by the certificate authority.
{code}

> tls-toolkit client fails when tls-toolkit server has multiple cn attributes
> ---------------------------------------------------------------------------
>
>                 Key: NIFI-3265
>                 URL: https://issues.apache.org/jira/browse/NIFI-3265
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.1.1, 1.0.1
>            Reporter: Bryan Rosander
>            Priority: Minor
>              Labels: tls-toolkit
>
> LDAP hierarchies can have multiple cn attributes.
> tls-toolkit in client mode validates the first CN attribute parsed from the
> distinguished name against the hostname of the tls-toolkit server to
> help avoid man-in-the-middle attacks.
> This check fails when multiple CN attributes are present.
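As an added illustration (not the toolkit's or NiFi's own code), the check described above in Python: a small DN parser, the failing first-CN-only comparison, and a comparison that accepts the server hostname in any CN RDN. The right-to-left RDN indexing mirrors Java's LdapName and is assumed here to be why the logs report "account" rather than "localhost".

```python
# Illustration of NIFI-3265 (constructed example, not NiFi code): a hostname
# check that looks at only one CN of the server DN breaks when the DN carries
# several CN RDNs; checking every CN value keeps the MITM guard and fixes it.
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (type, value) RDNs, left to right.
    Backslash escapes are honoured so 'CN=a\\,b' stays one RDN."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped char: keep literally
            buf += dn[i + 1]
            i += 2
            continue
        if c == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += c
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        typ, _, val = part.partition("=")
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns


def cn_values(dn: str) -> List[str]:
    """All CN values in the DN, in the order written."""
    return [v for t, v in parse_dn(dn) if t == "CN"]


def first_cn_matches(dn: str, expected_host: str) -> bool:
    """The failing behaviour: only the 'first' CN is compared. Java's LdapName
    indexes RDNs right to left, so for 'CN=localhost,CN=host,CN=account' the
    CN at index 0 is 'account' (assumed to explain the logged error)."""
    cns = cn_values(dn)
    first = cns[-1] if cns else None       # rightmost RDN == LdapName index 0
    return first is not None and first.lower() == expected_host.lower()


def any_cn_matches(dn: str, expected_host: str) -> bool:
    """Hardened check: the host is accepted if ANY CN RDN names it; an
    unrelated DN (a would-be interposed server) is still rejected."""
    return expected_host.lower() in (c.lower() for c in cn_values(dn))
```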



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)