Andy LoPresto created NIFI-3788:
-----------------------------------
Summary: Support wildcard certificates in SSLStandardContextService
Key: NIFI-3788
URL: https://issues.apache.org/jira/browse/NIFI-3788
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Affects Versions: 1.1.1
Reporter: Andy LoPresto
Assignee: Andy LoPresto
Some users have reported issues when attempting to connect to an external
service which is secured for TLS via a wildcard certificate (i.e. hostname is
{{https://example.domain.com}} and the certificate DN contains
{{CN=*.domain.com}}). This requires changes in the {{SSLStandardContextService}}
to correctly parse the CN and evaluate wildcard entries if present.
In addition, as specified by [RFC 2818|https://tools.ietf.org/html/rfc2818],
certificate evaluation (specifically hostname validation) should prioritize
Subject Alternative Names over DN parsing. Chrome 58+ has begun to implement
this prioritization, which can cause issues with certificate validation even if
the CN matches the hostname but SANs are present but do not include the
hostname.
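
The matching order described in this issue, as an added Java example that is not NiFi code and not taken from the issue: dNSName SANs decide when present, and the CN is only a fallback. The class and method names are hypothetical, the inputs are constructed from the hostnames above, and limiting the wildcard to a whole left-most label and rejecting patterns like {{*.com}} are policy assumptions of this example.

```java
import java.util.List;
import java.util.Locale;

public class WildcardHostnameCheck {

    // RFC 2818 section 3.1: if dNSName SANs are present they are the identity;
    // the subject CN is consulted only when the certificate has none.
    static boolean matches(String host, List<String> sanDnsNames, String subjectCn) {
        if (sanDnsNames != null && !sanDnsNames.isEmpty()) {
            return sanDnsNames.stream().anyMatch(p -> matchesPattern(host, p));
        }
        return subjectCn != null && matchesPattern(host, subjectCn);
    }

    // Accepts an exact name or a pattern whose whole left-most label is "*".
    // The wildcard stands for exactly one label, so *.domain.com matches
    // example.domain.com but not a.b.domain.com or domain.com.
    static boolean matchesPattern(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        String suffix = p.substring(1); // e.g. ".domain.com"
        // Assumption of this example: refuse over-broad patterns such as "*.com"
        // and any pattern with a second wildcard.
        if (suffix.indexOf('.', 1) < 0 || suffix.contains("*")) {
            return false;
        }
        if (!h.endsWith(suffix) || h.length() == suffix.length()) {
            return false;
        }
        String firstLabel = h.substring(0, h.length() - suffix.length());
        return !firstLabel.contains(".");
    }

    public static void main(String[] args) {
        // Constructed sample values based on the hostnames in the issue text
        String host = "example.domain.com";
        // Case 1: no SANs, wildcard CN
        System.out.println(matches(host, List.of(), "*.domain.com"));
        // Case 2: wildcard SAN, unrelated CN
        System.out.println(matches(host, List.of("*.domain.com"), "other"));
        // Case 3: SANs present but lacking the host, CN equal to the host
        System.out.println(matches(host, List.of("www.domain.com"), host));
        // Case 4: wildcard SAN against a host two labels deep
        System.out.println(matches("a.b.domain.com", List.of("*.domain.com"), null));
    }
}
```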