[
https://issues.apache.org/jira/browse/NIFI-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17928475#comment-17928475
]
Michael W Moser commented on NIFI-13987:
----------------------------------------
I took a look at what it would take to implement this.

GitHubFlowRegistryClient uses the org.kohsuke:github-api library. This library
supports using a custom GitHubConnector. We could build one (based on its
GitHubConnectorHttpConnectorAdapter) that supports a custom SSLContext.

GitLabFlowRegistryClient uses the org.gitlab4j:gitlab4j-api library. This
library only has GitLabApi.setIgnoreCertificateErrors(true), which disables
verification of a server certificate chain of trust. Using this is definitely
not recommended. The library has related open issues
https://github.com/gitlab4j/gitlab4j-api/issues/924 and
https://github.com/gitlab4j/gitlab4j-api/issues/778 which discuss allowing
users to inject their own HTTP client.

Not sure about the pending BitBucketFlowRegistryClient.
> Use SSL Context Service in GitHubFlowRegistryClient and
> GitLabFlowRegistryClient
> --------------------------------------------------------------------------------
>
> Key: NIFI-13987
> URL: https://issues.apache.org/jira/browse/NIFI-13987
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Extensions
> Affects Versions: 2.0.0
> Reporter: René Zeidler
> Priority: Major
> Labels: certificate, client, git, github, gitlab, https,
> registry, ssl
>
> The Git Flow Registry Clients currently don't use the SSL Context Service. They
> always use the default Java truststore for certificate validation, which
> prevents the use of privately hosted GitHub/GitLab instances without a public
> certificate.
> Adding a configurable SSL Context Service would allow using a custom
> truststore, as is the case for most other NiFi components using SSL.
> h2. Workaround
> Custom certificates can be added to the default Java truststore using:
> {code:bash}
> keytool -cacerts -importcert -noprompt -file /path/to/custom/ca.cert
> {code}
> This will affect all SSL connections not using a custom truststore, including
> those made by the Git registry clients.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
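
The comment above contrasts a client that accepts a custom SSLContext with one that can only switch certificate verification off. The following is an added example, not code from NiFi or from either library: it uses only JDK classes to build an SSLContext from a private-CA truststore and hand it to an HTTP client. The class name, the PKCS12 truststore type and the command-line arguments are assumptions, and wiring the client into a GitHubConnector is not shown.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.time.Duration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: class name, arguments and truststore type are assumptions.
public class PrivateCaClient {

    // Build an SSLContext whose only trust anchors are the CAs in the given truststore.
    static SSLContext fromTruststore(Path file, char[] password, String type) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            trustStore.load(in, password);
        }
        // An empty store would only fail later, during the handshake; reject it up front.
        if (trustStore.size() == 0) {
            throw new IllegalArgumentException("truststore contains no entries: " + file);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLS");
        // No client key material (null) and the default SecureRandom (null).
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    // Usage: java PrivateCaClient.java <truststore.p12> <password> <https-url>
    // The password is read from argv only to keep the example short.
    public static void main(String[] args) throws Exception {
        SSLContext context = fromTruststore(Path.of(args[0]), args[1].toCharArray(), "PKCS12");
        HttpClient client = HttpClient.newBuilder()
                .sslContext(context) // chain validation and hostname checks stay enabled
                .connectTimeout(Duration.ofSeconds(10))
                .build();
        HttpRequest request = HttpRequest.newBuilder(URI.create(args[2])).GET().build();
        // Fails with an SSLHandshakeException if the server chain does not lead to a CA in the store.
        HttpResponse<Void> response = client.send(request, HttpResponse.BodyHandlers.discarding());
        System.out.println(response.statusCode() + " " + response.uri());
    }
}
```

Because the trust anchors are scoped to this one client, the JVM-wide cacerts file is left unchanged and other connections keep validating against the default truststore.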