[ https://issues.apache.org/jira/browse/NIFI-4222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16106092#comment-16106092 ]
ASF GitHub Bot commented on NIFI-4222: -------------------------------------- GitHub user pvillard31 opened a pull request: https://github.com/apache/nifi/pull/2042 NIFI-4222 - Adding CN by default in SANs for generated certificates w… …ith tls-toolkit Thank you for submitting a contribution to Apache NiFi. In order to streamline the review of the contribution we ask you to ensure the following steps have been taken: ### For all changes: - [ ] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message? - [ ] Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. - [ ] Has your PR been rebased against the latest commit within the target branch (typically master)? - [ ] Is your initial contribution a single, squashed commit? ### For code changes: - [ ] Have you ensured that the full suite of tests is executed via mvn -Pcontrib-check clean install at the root nifi folder? - [ ] Have you written or updated unit tests to verify your changes? - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [ ] If applicable, have you updated the LICENSE file, including the main LICENSE file under nifi-assembly? - [ ] If applicable, have you updated the NOTICE file, including the main NOTICE file found under nifi-assembly? - [ ] If adding new Properties, have you added .displayName in addition to .name (programmatic access) for each of the new properties? ### For documentation related changes: - [ ] Have you ensured that format looks appropriate for the output in which it is rendered? ### Note: Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible. You can merge this pull request into a Git repository by running: $ git pull https://github.com/pvillard31/nifi NIFI-4222 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/nifi/pull/2042.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #2042 ---- commit fa447d3f641214bbe05e936fd9259640b48af4b9 Author: Pierre Villard <pierre.villard...@gmail.com> Date: 2017-07-29T10:38:14Z NIFI-4222 - Adding CN by default in SANs for generated certificates with tls-toolkit ---- > TLS Toolkit should provide SAN by default > ----------------------------------------- > > Key: NIFI-4222 > URL: https://issues.apache.org/jira/browse/NIFI-4222 > Project: Apache NiFi > Issue Type: Improvement > Components: Tools and Build > Affects Versions: 1.3.0 > Reporter: Andy LoPresto > Assignee: Pierre Villard > Labels: security, tls, tls-toolkit > > As of Chrome 58, the browser will only use the *SubjectAlternativeName* > entries to determine hostname verification, rather than the *CN*. This is > specified in RFC 6215 [1], TLS hostname verification must attempt to use the > SAN entries first and may only use the CN entry if no SAN entries are > available. > Chrome takes this a step further [2]: > {quote} > During Transport Layer Security (TLS) connections, Chrome browser checks to > make sure the connection to the site is using a valid, trusted server > certificate. > For Chrome 58 and later, only the subjectAlternativeName extension, not > commonName, is used to match the domain name and site certificate. The > certificate subject alternative name can be a domain name or IP address. If > the certificate doesn’t have the correct subjectAlternativeName extension, > users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that > the connection isn’t private. If the certificate is missing a > subjectAlternativeName extension, users see a warning in the Security panel > in Chrome DevTools that lets them know the subject alternative name is > missing. > {quote} > As this will cause issues for users who do not manually provide a SAN when > generating their certificates using the TLS Toolkit, the toolkit should be > modified to automatically include the provided CN as a SAN entry, in addition > to any manually-provided SAN entries. > [1] https://tools.ietf.org/html/rfc6125#section-6.4.4 > [2] https://support.google.com/chrome/a/answer/7391219?hl=en -- This message was sent by Atlassian JIRA (v6.4.14#64029)