[
https://issues.apache.org/jira/browse/NIFI-14858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013780#comment-18013780
]
David Handermann commented on NIFI-14858:
-----------------------------------------
It is worth clarifying that SNI checking in Jetty serves multiple purposes,
including as a security measure to ensure that the client is sending a request
to an expected host name, with a matching DNS certificate SAN. This is a
requirement of RFC 2818, on which SNI checking builds.
TLS is challenging, and certificate management is not trivial, so the
complexity is understandable. Introducing less-than-secure configuration
options to make things easier is questionable, and needs to be weighed against
alternatives. If there are no other alternatives, that is one thing, but if
there are all alternatives that work, that does strikes against providing
unsafe options.
> Make SNI checking configurable
> ------------------------------
>
> Key: NIFI-14858
> URL: https://issues.apache.org/jira/browse/NIFI-14858
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 2.5.0
> Reporter: Lars Francke
> Assignee: Lars Francke
> Priority: Minor
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> As of NiFi 2.0 SNI certificates are required and the host must match.
> This is a problem for us (and others) when there is for example a load
> balancer in front which does not match the host name of NiFi.
> Instead of disabling the SNI check by default this makes it configurable.
>
> I propose introducing two new configuration properties:
> * nifi.web.https.sni.required (whether a SNI certificate is required)
> * nifi.web.https.sni.host.check (whether to check the Host from the SNI
> certificate against the incoming request)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
