[ https://issues.apache.org/jira/browse/NIFI-4222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16120937#comment-16120937 ]

ASF GitHub Bot commented on NIFI-4222:
--------------------------------------

Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/2042
  
    Verified that all tests and contrib-check pass. When run with no SAN 
arguments, the CN is present as a SAN. When run with additional SAN arguments, 
all are present. +1, merging. 
    
    No SAN:
    ```
    
    hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT (pr2042) alopresto
    🔓 186058s @ 18:43:33 $ ./bin/tls-toolkit.sh standalone -n 'nifi.nifi.apache.org' -P password -S password -f ../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties
    2017/08/09 18:58:45 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: Using ../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties as template.
    2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.4.0-SNAPSHOT
    2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generated new CA certificate ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-key.key
    2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl configuration to ../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
    2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for nifi.nifi.apache.org 1 in ../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
    2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
    2017/08/09 18:58:46 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
    
    hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT (pr2042) alopresto
    🔓 186980s @ 18:58:55 $ cd nifi.nifi.apache.org/
    
    hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org (pr2042) alopresto
    🔓 186988s @ 18:59:03 $ keytool -list -v -keystore keystore.jks
    Enter keystore password:
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: nifi-key
    Creation date: Aug 9, 2017
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=nifi.nifi.apache.org, OU=NIFI
    Issuer: CN=localhost, OU=NIFI
    Serial number: 15dc9dd8f3900000000
    Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
    Certificate fingerprints:
         MD5:  E4:E8:C4:19:C1:06:86:17:C8:E5:13:F6:6F:54:0F:AE
         SHA1: 92:6B:FD:9D:89:55:A5:48:AD:31:A3:FD:A3:A6:6C:A5:C4:A8:31:0E
         SHA256: 54:8D:30:D2:ED:9A:B0:AE:8C:37:40:9F:2F:80:2D:4A:DC:5D:14:2E:15:57:4C:71:CF:77:D6:F0:3F:92:6D:04
         Signature algorithm name: SHA256withRSA
         Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 6B 65 AB 68 5A 0A CB 59   A2 B9 0B 9E 36 2D 60 47  ke.hZ..Y....6-`G
    0010: 21 08 08 25                                        !..%
    ]
    ]
    
    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:false
      PathLen: undefined
    ]
    
    #3: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      clientAuth
      serverAuth
    ]
    
    #4: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Non_repudiation
      Key_Encipherment
      Data_Encipherment
      Key_Agreement
    ]
    
    #5: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      DNSName: nifi.nifi.apache.org
    ]
    
    #6: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: D9 18 43 B3 38 24 18 89   E6 1B 62 D7 AB 35 C5 14  ..C.8$....b..5..
    0010: 88 E9 19 E3                                        ....
    ]
    ]
    
    Certificate[2]:
    Owner: CN=localhost, OU=NIFI
    Issuer: CN=localhost, OU=NIFI
    Serial number: 15dc9dd8d4c00000000
    Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
    Certificate fingerprints:
         MD5:  A1:9E:4A:7C:65:F1:B7:E9:8F:4D:D0:18:74:E8:AA:2E
         SHA1: CD:31:8B:74:85:C7:21:4A:DB:F6:58:34:69:B7:19:6C:3B:9E:CE:00
         SHA256: A9:AB:C5:73:9D:B3:ED:C3:D5:79:BD:4B:E0:14:1D:0F:DC:68:41:BC:09:70:5B:2D:BD:E0:AB:49:55:14:79:3B
         Signature algorithm name: SHA256withRSA
         Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 6B 65 AB 68 5A 0A CB 59   A2 B9 0B 9E 36 2D 60 47  ke.hZ..Y....6-`G
    0010: 21 08 08 25                                        !..%
    ]
    ]
    
    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    
    #3: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      clientAuth
      serverAuth
    ]
    
    #4: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Non_repudiation
      Key_Encipherment
      Data_Encipherment
      Key_Agreement
      Key_CertSign
      Crl_Sign
    ]
    
    #5: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 6B 65 AB 68 5A 0A CB 59   A2 B9 0B 9E 36 2D 60 47  ke.hZ..Y....6-`G
    0010: 21 08 08 25                                        !..%
    ]
    ]
    
    
    
    *******************************************
    *******************************************
    
    
    
    hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org (pr2042) alopresto
    🔓 186999s @ 18:59:14 $
    ```
    
    Additional SAN:
    ```
    
    hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT (pr2042) alopresto
    🔓 187123s @ 19:01:18 $ ./bin/tls-toolkit.sh standalone -n 'nifi.nifi.apache.org' -P password -S password -f ../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties -O --subjectAlternativeNames '127.0.0.1,localhost'
    2017/08/09 19:01:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: Using ../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties as template.
    2017/08/09 19:01:43 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone certificate generation with output directory ../nifi-toolkit-1.4.0-SNAPSHOT
    2017/08/09 19:01:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA certificate ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-cert.pem and key ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-key.key
    2017/08/09 19:01:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Overwriting any existing ssl configuration in ../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
    2017/08/09 19:01:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully generated TLS configuration for nifi.nifi.apache.org 1 in ../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
    2017/08/09 19:01:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn specified, not generating any client certificates.
    2017/08/09 19:01:44 INFO [main] org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit standalone completed successfully
    
    hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT (pr2042) alopresto
    🔓 187150s @ 19:01:45 $ cd nifi.nifi.apache.org/
    
    hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org (pr2042) alopresto
    🔓 187156s @ 19:01:51 $ keytool -list -v -keystore keystore.jks
    Enter keystore password:
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: nifi-key
    Creation date: Aug 9, 2017
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=nifi.nifi.apache.org, OU=NIFI
    Issuer: CN=localhost, OU=NIFI
    Serial number: 15dc9e0465100000000
    Valid from: Wed Aug 09 19:01:44 PDT 2017 until: Sat Aug 08 19:01:44 PDT 2020
    Certificate fingerprints:
         MD5:  AA:D1:5F:CC:BA:BE:ED:4D:5E:08:DB:2E:6D:E6:95:57
         SHA1: F3:8B:A5:41:28:69:8F:0C:91:08:70:EB:F6:BE:B1:58:EE:F4:7B:8D
         SHA256: B1:78:8C:05:11:F1:A8:BD:A7:33:EA:8D:9C:B2:FC:A2:C2:94:7D:30:48:77:0A:05:0F:CB:C1:FD:5D:A2:94:66
         Signature algorithm name: SHA256withRSA
         Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 6B 65 AB 68 5A 0A CB 59   A2 B9 0B 9E 36 2D 60 47  ke.hZ..Y....6-`G
    0010: 21 08 08 25                                        !..%
    ]
    ]
    
    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:false
      PathLen: undefined
    ]
    
    #3: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      clientAuth
      serverAuth
    ]
    
    #4: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Non_repudiation
      Key_Encipherment
      Data_Encipherment
      Key_Agreement
    ]
    
    #5: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      DNSName: nifi.nifi.apache.org
      DNSName: 127.0.0.1
      DNSName: localhost
    ]
    
    #6: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 8F 4B 1A 98 92 C5 17 70   B7 C8 F6 9D 5D D3 66 4C  .K.....p....].fL
    0010: 8F F9 3C 19                                        ..<.
    ]
    ]
    
    Certificate[2]:
    Owner: CN=localhost, OU=NIFI
    Issuer: CN=localhost, OU=NIFI
    Serial number: 15dc9dd8d4c00000000
    Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
    Certificate fingerprints:
         MD5:  A1:9E:4A:7C:65:F1:B7:E9:8F:4D:D0:18:74:E8:AA:2E
         SHA1: CD:31:8B:74:85:C7:21:4A:DB:F6:58:34:69:B7:19:6C:3B:9E:CE:00
         SHA256: A9:AB:C5:73:9D:B3:ED:C3:D5:79:BD:4B:E0:14:1D:0F:DC:68:41:BC:09:70:5B:2D:BD:E0:AB:49:55:14:79:3B
         Signature algorithm name: SHA256withRSA
         Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 6B 65 AB 68 5A 0A CB 59   A2 B9 0B 9E 36 2D 60 47  ke.hZ..Y....6-`G
    0010: 21 08 08 25                                        !..%
    ]
    ]
    
    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    
    #3: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      clientAuth
      serverAuth
    ]
    
    #4: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      DigitalSignature
      Non_repudiation
      Key_Encipherment
      Data_Encipherment
      Key_Agreement
      Key_CertSign
      Crl_Sign
    ]
    
    #5: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 6B 65 AB 68 5A 0A CB 59   A2 B9 0B 9E 36 2D 60 47  ke.hZ..Y....6-`G
    0010: 21 08 08 25                                        !..%
    ]
    ]
    
    
    
    *******************************************
    *******************************************
    
    
    
    hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org (pr2042) alopresto
    🔓 187163s @ 19:01:57 $
    ```


> TLS Toolkit should provide SAN by default
> -----------------------------------------
>
>                 Key: NIFI-4222
>                 URL: https://issues.apache.org/jira/browse/NIFI-4222
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Tools and Build
>    Affects Versions: 1.3.0
>            Reporter: Andy LoPresto
>            Assignee: Pierre Villard
>              Labels: security, tls, tls-toolkit
>
> As of Chrome 58, the browser will only use the *SubjectAlternativeName* 
> entries to determine hostname verification, rather than the *CN*. This is 
> specified in RFC 6125 [1]: TLS hostname verification must attempt to use the 
> SAN entries first and may only use the CN entry if no SAN entries are 
> available. 
> Chrome takes this a step further [2]: 
> {quote}
> During Transport Layer Security (TLS) connections, Chrome browser checks to 
> make sure the connection to the site is using a valid, trusted server 
> certificate.
> For Chrome 58 and later, only the subjectAlternativeName extension, not 
> commonName, is used to match the domain name and site certificate. The 
> certificate subject alternative name can be a domain name or IP address. If 
> the certificate doesn’t have the correct subjectAlternativeName extension, 
> users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that 
> the connection isn’t private. If the certificate is missing a 
> subjectAlternativeName extension, users see a warning in the Security panel 
> in Chrome DevTools that lets them know the subject alternative name is 
> missing.
> {quote}
> As this will cause issues for users who do not manually provide a SAN when 
> generating their certificates using the TLS Toolkit, the toolkit should be 
> modified to automatically include the provided CN as a SAN entry, in addition 
> to any manually-provided SAN entries. 
> [1] https://tools.ietf.org/html/rfc6125#section-6.4.4
> [2] https://support.google.com/chrome/a/answer/7391219?hl=en
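The hostname-matching rule the ticket relies on, as an added Go example (not code from the NiFi toolkit or this pull request): MakeCert issues a throwaway self-signed certificate for the same CN either without a SAN extension or with the CN copied into it, and HostnameMatches applies either the RFC 6125 rule (CN consulted only when no DNSName SAN exists) or the Chrome 58 rule (CN never consulted), so the CN-only certificate fails the second check until its name is also present as a SAN. Both function names are chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// MakeCert issues a throwaway self-signed certificate for cn whose SAN extension lists
// sans as DNSName entries; a nil sans omits the extension, as the toolkit did before this fix.
func MakeCert(cn string, sans []string) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{"NIFI"}},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches compares host with the DNSName SAN entries (exact match, no wildcards). cnFallback=true
// is the RFC 6125 rule (CN counts only when no DNSName SAN exists); false is Chrome 58+ (CN never consulted).
func HostnameMatches(cert *x509.Certificate, host string, cnFallback bool) bool {
	for _, name := range cert.DNSNames {
		if strings.EqualFold(name, host) {
			return true
		}
	}
	return len(cert.DNSNames) == 0 && cnFallback && strings.EqualFold(cert.Subject.CommonName, host)
}

func main() {
	host := "nifi.nifi.apache.org"
	cnOnly, _ := MakeCert(host, nil)                          // CN only, no SAN extension
	withSAN, _ := MakeCert(host, []string{host, "localhost"}) // CN copied into the SAN
	fmt.Println(HostnameMatches(cnOnly, host, false), HostnameMatches(withSAN, host, false)) // false true
}
```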



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
