[ 
https://issues.apache.org/jira/browse/NIFI-13962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895325#comment-17895325
 ] 

Joe Witt commented on NIFI-13962:
---------------------------------

{quote}This occurs when the server returns a certificate with an old hostname 
because it is not possible to generate a new certificate with the actual 
hostname.
{quote}

Can you please more fully describe the what/why of a scenario whereby it is not 
possible or desirable to issue certificates tied to the actual hostname?

As for the presence of this option many years ago, the fact that it was removed 
sends a strong signal of our intent relative to its risk. It is very common for 
users to, with good intent, actively try to reduce the security posture of a 
NiFi installation, and we used to want to be flexible in this regard. However, 
it creates significant risks and those then reflect poorly on NiFi overall. We 
are much more focused these days on helping users do it the right way.

I don't think this will proceed as suggested here, but please do share much more 
about the motivations/scenarios for the team to consider.

> Override trusted hostname verification 
> ---------------------------------------
>
>                 Key: NIFI-13962
>                 URL: https://issues.apache.org/jira/browse/NIFI-13962
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: Pedro Oliveira
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Add a property "Trusted Hostname" to the configuration of the 
> StandardSSLContextService Controller Service to allow overriding the trusted 
> hostname verification on the establishment of the HTTP connection to the HTTP 
> server.
> This property, if not empty, should be set with the hostname and will be used 
> to validate the hostname in the certificate.
> The property is needed because there are situations in which the hostname in 
> the certificate is different from the hostname of the server.
> This occurs when the server returns a certificate with an old hostname 
> because it is not possible to generate a new certificate with the actual 
> hostname.
> This property existed in old NiFi versions (<1.14) in the configuration of 
> the InvokeHTTP processor but was removed in later versions. 
>  
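An added illustration (not NiFi code, and not from either commenter) of what the requested "Trusted Hostname" property would change: hostname verification binds the name the client actually connected to against the dNSName entries of the server certificate, and an override substitutes a configured name for the connected one. The certificate names below are constructed, and the matching rules follow RFC 6125 (wildcard only as the whole leftmost label, never spanning a dot).

```python
# Constructed example certificate SAN dNSName entries: a certificate issued for
# an old hostname plus one wildcard entry.
CONSTRUCTED_CERT_DNS_NAMES = ["old-host.example.org", "*.svc.example.org"]


def dns_name_matches(san_name: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 rules).

    Comparison is case-insensitive; a wildcard is accepted only as the entire
    leftmost label, only when at least two labels follow it (so "*.org" never
    matches), and it never matches more than one label.
    """
    san = san_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def verify_hostname(cert_dns_names, connected_host, trusted_hostname=None):
    """Return (accepted, name_checked).

    Without an override the name checked is the host the client connected to,
    so the certificate must name that server. With the proposed override the
    configured value is checked instead, which means the certificate is no
    longer tied to the connection target at all: any server presenting a valid
    certificate for the configured name is accepted, whatever host was dialled.
    The durable fix is to reissue the certificate with the real hostname in its
    SAN list rather than to decouple the check.
    """
    expected = trusted_hostname or connected_host
    accepted = any(dns_name_matches(n, expected) for n in cert_dns_names)
    return accepted, expected


if __name__ == "__main__":
    cert = CONSTRUCTED_CERT_DNS_NAMES
    # Strict check: certificate for the old name is rejected for the new host.
    print(verify_hostname(cert, "new-host.example.org"))
    # With the override the same certificate is accepted for any host.
    print(verify_hostname(cert, "new-host.example.org", "old-host.example.org"))
```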



--
This message was sent by Atlassian Jira
(v8.20.10#820010)