chedim commented on PR #10031: URL: https://github.com/apache/nifi/pull/10031#issuecomment-3275933396
Hi @mark-bathori! If I read the code and conversation correctly, I would not recommend extending the Authenticator interface. It looks like the code in this PR configures a TLS connection to a CB cluster by providing our client with a list of acceptable issuer or CA certificates, which is [basic channel-level TLS](https://docs.couchbase.com/operator/current/concept-tls.html#basic-tls-configuration) that prevents MitM attacks. The CertificateAuthenticator is used for [mutual TLS connection and client authorization via certificate](https://docs.couchbase.com/operator/current/concept-tls.html#tls-client-authentication).

Going back to @exceptionfactory's original concern, it looks like `org.apache.nifi.ssl.SSLContextProvider#createTrustManager` and `javax.net.ssl.X509TrustManager#getAcceptedIssuers` can be used to obtain a list of CA certificates to configure TLS.

Upon further inspection, if mTLS is desired then I would recommend using `com.couchbase.client.core.env.CertificateAuthenticator#fromKeyManagerFactory` together with `com.couchbase.client.core.deps.io.netty.handler.ssl.util.KeyManagerFactoryWrapper` to bridge the `SSLContextProvider` with Couchbase mTLS configuration:

```
SSLContextProvider scp = <...>;
CertificateAuthenticator.fromKeyManagerFactory(() -> new KeyManagerFactoryWrapper(scp.createKeyManager()));
```

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
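The two configurations the comment distinguishes, server-only TLS (trust the issuers NiFi's trust store accepts) versus mutual TLS (present NiFi's key store identity as the client certificate), as one added example. This is not code from the PR or from either project; it assumes the NiFi 2.x `SSLContextProvider` shape where `createTrustManager()` returns an `X509TrustManager` and `createKeyManager()` returns `Optional<X509KeyManager>`, and the Couchbase Java SDK 3.x builder API (`SecurityConfig.Builder#trustCertificates`, `ClusterOptions.clusterOptions`). The class and method names below are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Optional;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;

import com.couchbase.client.core.deps.io.netty.handler.ssl.util.KeyManagerFactoryWrapper;
import com.couchbase.client.core.env.CertificateAuthenticator;
import com.couchbase.client.core.env.SecurityConfig;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.ClusterOptions;
import com.couchbase.client.java.env.ClusterEnvironment;
import org.apache.nifi.ssl.SSLContextProvider;

/** Hypothetical helper bridging a NiFi SSLContextProvider to Couchbase TLS / mTLS settings. */
public final class CouchbaseTlsBridge {

    private CouchbaseTlsBridge() {
    }

    /**
     * Channel-level TLS only: the client verifies the server against the CA certificates
     * NiFi's trust store accepts. This authenticates the server, not the client.
     * Assumption: SSLContextProvider#createTrustManager returns an X509TrustManager.
     */
    static ClusterEnvironment serverTlsEnvironment(final SSLContextProvider scp) {
        final X509TrustManager trustManager = scp.createTrustManager();
        final X509Certificate[] issuers = trustManager.getAcceptedIssuers();
        if (issuers == null || issuers.length == 0) {
            // Fail closed: an empty trust set would otherwise silently reject every server.
            throw new IllegalStateException("SSL context service yields no accepted issuers");
        }
        return ClusterEnvironment.builder()
                .securityConfig(SecurityConfig.builder()
                        .enableTls(true)
                        .trustCertificates(Arrays.asList(issuers)))
                .build();
    }

    /**
     * Mutual TLS: the client additionally presents the key pair from NiFi's key store,
     * wrapped so Couchbase's shaded Netty can consume it as a KeyManagerFactory.
     * Assumption: SSLContextProvider#createKeyManager returns Optional<X509KeyManager>.
     */
    static CertificateAuthenticator clientCertificateAuthenticator(final SSLContextProvider scp) {
        final Optional<X509KeyManager> keyManager = scp.createKeyManager();
        final X509KeyManager km = keyManager.orElseThrow(() -> new IllegalStateException(
                "mTLS requested but the SSL context service has no key store configured"));
        // Supplier form: Couchbase calls it lazily when it builds the SSL engine.
        return CertificateAuthenticator.fromKeyManagerFactory(() -> new KeyManagerFactoryWrapper(km));
    }

    /**
     * Connects with server TLS always on, and client-certificate authentication when
     * mutualTls is set. Callers wanting password auth instead supply their own Authenticator.
     */
    static Cluster connect(final SSLContextProvider scp, final String connectionString,
            final boolean mutualTls) {
        final ClusterEnvironment env = serverTlsEnvironment(scp);
        if (!mutualTls) {
            throw new IllegalArgumentException(
                    "non-mTLS connections need a PasswordAuthenticator; see ClusterOptions");
        }
        final CertificateAuthenticator auth = clientCertificateAuthenticator(scp);
        return Cluster.connect(connectionString, ClusterOptions.clusterOptions(auth).environment(env));
    }
}
```

The split keeps the two concerns separate: `serverTlsEnvironment` belongs with the connection's security config regardless of how the client authenticates, while `clientCertificateAuthenticator` is only needed when the cluster is set up for certificate-based client authentication. Both paths refuse to proceed with an empty trust set or a missing key store rather than degrading to a weaker configuration.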
