[
https://issues.apache.org/jira/browse/NIFI-3695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15977599#comment-15977599
]
ASF GitHub Bot commented on NIFI-3695:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/1669#discussion_r112567879
--- Diff:
nifi-toolkit/nifi-toolkit-admin/src/main/groovy/org/apache/nifi/toolkit/admin/client/NiFiClientFactory.groovy
---
@@ -116,22 +121,27 @@ class NiFiClientFactory implements ClientFactory{
return sslContext;
}
- private static class NiFiHostnameVerifier implements HostnameVerifier {
+ static class NiFiHostnameVerifier implements HostnameVerifier {
@Override
public boolean verify(final String hostname, final SSLSession
ssls) {
try {
- for (final Certificate peerCertificate :
ssls.getPeerCertificates()) {
- if (peerCertificate instanceof X509Certificate) {
- final X509Certificate x509Cert = (X509Certificate)
peerCertificate;
- final List<String> subjectAltNames =
getSubjectAlternativeNames(x509Cert);
- if
(subjectAltNames.contains(hostname.toLowerCase())) {
- return true;
- }
+
+ final Certificate peerCertificate =
ssls.getPeerCertificates()[0]
+ final X509Certificate x509Cert =
CertificateUtils.convertAbstractX509Certificate(peerCertificate)
+ final String dn = x509Cert.getSubjectDN().getName().trim()
+ final String cn = dn.tokenize(",").find { cn ->
cn.startsWith("CN=")}
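Review bot: The added `dn.tokenize(",").find { cn -> cn.startsWith("CN=") }` only matches when CN is the first RDN in the string. `trim()` is applied to the whole DN and not to each token, so a DN rendered as `OU=MySite, CN=mysite.com` yields the token ` CN=mysite.com` with a leading space, `startsWith("CN=")` fails, and `find` returns null. Trim each token or, better, parse the RDNs with a DN parser instead of splitting on commas, and make sure the code that follows handles a null `cn` by rejecting the host. Separately, the removed lines matched the hostname against the subject alternative names, while the added lines shown here derive the name from the subject CN; SAN is the preferred identity source for hostname verification, so keep the SAN check ahead of any CN fallback.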
--- End diff --
Unfortunately I think this could be susceptible to situations where the CN
contains a `,` -- `CN=notmysite.com,mysite.com, OU=MySite, C=US` would tokenize
into `CN=notmysite.com`, `mysite.com`, ` OU=MySite`, and ` C=US`.
See this [StackOverflow answer](http://stackoverflow.com/a/7933650/70465)
for a code sample using `javax.naming.ldap.LdapName` to parse the DN into
"RDN"s (*Relative Distinguished Name*, or the component terms of a DN).
> Create Node Manager & Notification Utilities
> --------------------------------------------
>
> Key: NIFI-3695
> URL: https://issues.apache.org/jira/browse/NIFI-3695
> Project: Apache NiFi
> Issue Type: Sub-task
> Components: Tools and Build
> Reporter: Yolanda M. Davis
> Assignee: Yolanda M. Davis
>
> The node manager utility should allow system administrators to connect,
> disconnect or remove a node from a cluster on the command line. If a node is
> not part of a cluster an error message should display if node is not part of
> a cluster. If a node is disconnected from a cluster and needs to be
> connected or removed from that cluster the tool should support receiving a
> list of urls to connected nodes which can be used to send the required
> command to the active cluster.
> The notification utility should allow administrators to send messages as
> bulletins to the NiFi with levels of INFO, WARN or ERROR.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
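The DN-parsing difference raised in the review comment above, as an added Java example that is not part of the original message or of the NiFi code base. The class name, method names and sample DNs are constructed for illustration, and `split(",")` stands in for Groovy's `tokenize(",")`.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.List;

// Hypothetical demo class: compares comma-splitting with RDN-aware parsing of a subject DN.
public class DnCommonName {

    // Comma-splitting approach, as in the diff: first token that starts with "CN=".
    // Returns null when no token matches.
    static String cnByTokenizing(String dn) {
        for (String token : dn.split(",")) {
            if (token.startsWith("CN=")) {
                return token.substring(3);
            }
        }
        return null;
    }

    // RDN-aware approach: LdapName parses RFC 2253 strings, so an escaped comma
    // inside a value stays part of that value and whitespace around RDNs is ignored.
    static List<String> cnsByLdapName(String dn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(rdn.getValue().toString());
            }
        }
        return cns;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs (RFC 2253 string form, comma in a value escaped as "\,").
        String[] samples = {
            "CN=mysite.com, OU=MySite, C=US",                 // plain case
            "CN=notmysite.com\\,mysite.com, OU=MySite, C=US", // comma inside the CN value
            "OU=MySite, CN=mysite.com, C=US"                  // CN is not the first RDN
        };
        for (String dn : samples) {
            System.out.printf("%-48s tokenize=%s ldapName=%s%n",
                    dn, cnByTokenizing(dn), cnsByLdapName(dn));
        }
    }
}
```

A hostname verifier built on the second method should compare the full parsed value against the expected host and reject the connection when the list is empty or the DN fails to parse.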