[https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16142537#comment-16142537]
ASF GitHub Bot commented on NIFI-2528:
--------------------------------------
Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/1986
Ok I left some minor comments on the code. If Michael can reply to those
and make the changes, I think this is good and ready to be merged. I set up a
flow with a `ListenHTTP` processor and verified that I could only provide it
with a `StandardRestrictedSSLContextService` implementation. I verified that it
received incoming requests (*only*) over TLS v1.2.
```
hw12203:/Users/alopresto/Workspace/scratch (master) alopresto
🔓 27314s @ 18:11:29 $ openssl s_client -connect localhost:9999 -debug -showcerts
CONNECTED(00000003)
write to 0x7f80b0d89fd0 [0x7f80b1807e00] (308 bytes => 308 (0x134))
0000 - 16 03 01 01 2f 01 00 01-2b 03 03 29 cb d3 e6 54 ..../...+..)...T
...
0050 - 64 f9 0d 7b c4 03 6b 71-03 4d a4 1d 8a f7 4d 45 d..{..kq.M....ME
---
Certificate chain
0 s:/OU=NIFI/CN=nifi.nifi.apache.org
i:/OU=NIFI/CN=localhost
...
---
Server certificate
subject=/OU=NIFI/CN=nifi.nifi.apache.org
issuer=/OU=NIFI/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2241 bytes and written 490 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID:
59A0CAC680787984AD9B43E8A39BCFB0F4C5EA4F8AC10223C073296EDB8FB66B
Session-ID-ctx:
Master-Key:
236BC9B03CD3F7B02C363C8DA15F36EA908A631DB0D3828A0CE05E3834D07BB58E9D1A7023A5161DCE13BF58029BCD61
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1503709893
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
Q
DONE
hw12203:/Users/alopresto/Workspace/scratch (master) alopresto
🔓 27323s @ 18:11:38 $ openssl s_client -connect localhost:9999 -debug -showcerts -tls1_1
CONNECTED(00000003)
write to 0x7fd06181a060 [0x7fd06280f003] (200 bytes => 200 (0xC8))
0000 - 16 03 01 00 c3 01 00 00-bf 03 02 18 09 95 74 f0 ..............t.
...
140735215808592:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
handshake failure:s3_pkt.c:1494:SSL alert number 40
140735215808592:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake
failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1503712071
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
hw12203:/Users/alopresto/Workspace/scratch (master) alopresto
🔓 29497s @ 18:47:53 $
```
I also set up two `InvokeHTTP` processors and used a
`StandardSSLContextService` and `StandardRestrictedSSLContextService` for each.
Both were able to successfully make outgoing `GET` requests to
`https://nifi.apache.org`.
Contrib-check and all tests pass. Just need Michael to respond to the few
comments above.
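A small check in the spirit of the two `openssl s_client` runs above, added here as an example that is not part of the comment or of the NiFi code: it classifies an `s_client` transcript as accepted or rejected and loops over the legacy protocol flags against a host and port you supply (placeholders, not values from this pull request). It assumes `openssl`, `sed` and `head` are on PATH.

```shell
#!/bin/sh
# Added example (not from the NiFi PR): classify openssl s_client transcripts
# like the two above, then probe an endpoint with each protocol flag so a
# "TLS 1.2 only" claim can be checked in one pass. HOST/PORT are placeholders.
set -u

# Read a whole s_client transcript on stdin and print one verdict line:
#   "accepted <proto> <cipher>"  a cipher was negotiated           (exit 0)
#   "rejected <proto>"           server refused, "Cipher is (NONE)" (exit 1)
#   "no-verdict"                 no "New, ..." summary line at all  (exit 2),
#                                e.g. the client itself refused the version
classify_transcript() {
  out=$(cat)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*, Cipher is //p' | head -n 1)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  [ -n "$cipher" ] || { echo "no-verdict"; return 2; }
  if [ "$cipher" = "(NONE)" ]; then
    echo "rejected ${proto:-unknown}"
    return 1
  fi
  echo "accepted ${proto:-unknown} $cipher"
  return 0
}

# Run s_client with one protocol flag; stdin is /dev/null so it never waits
# for the interactive "Q" that the transcript above needed.
probe_protocol() {
  openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_transcript
}

# Try the legacy versions and TLS 1.2; only the last one should be accepted
# when the restricted SSL context service is in use.
audit_endpoint() {
  for flag in -tls1 -tls1_1 -tls1_2; do
    printf '%-8s ' "$flag"
    probe_protocol "$1" "$2" "$flag" || true
  done
}

# Constructed samples, trimmed from the two runs shown in the comment, so the
# classifier can be exercised without a server.
ACCEPTED_SAMPLE='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384'
REJECTED_SAMPLE='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

# Usage: audit_endpoint <HOST> <PORT>   e.g. audit_endpoint localhost 9999
```

A `no-verdict` result for `-tls1` or `-tls1_1` usually means the local OpenSSL build no longer offers that version at all, so it says nothing about the server and should be rerun from a client that still can.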
> Update ListenHTTP to honor SSLContextService Protocols
> ------------------------------------------------------
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.0.0, 0.8.0, 0.7.1
> Reporter: Joe Skora
> Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for
> PostHTTP.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)