GitHub user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/2869
  
    This PR is to resolve the user-reported issue in
    [NIFI-5370](https://issues.apache.org/jira/browse/NIFI-5370) where a secure
    cluster with nodes using wildcard certificates would not allow UI login. The
    issue was because the introduced `NiFiHostnameVerifier` did not evaluate
    wildcard entries properly. This patch fixes the immediate issue.

    **However**, wildcard certificates are not officially supported and are
    **not recommended** for use in a secure cluster environment. There are numerous
    disadvantages to using wildcard certificates, they have been actively
    discouraged in the past, and have worked to this point only out of luck. The
    Admin Guide will be updated to state this explicitly
    [NIFI-5399](https://issues.apache.org/jira/browse/NIFI-5399).

    Disadvantages of wildcard certificates for cluster:
    * we use certificate identities many times throughout the codebase to
      identify a node, and if the certificate simply presents a wildcard DN, that
      doesn’t resolve to anything (see
      [NIFI-5398](https://issues.apache.org/jira/browse/NIFI-5398))
    * you need to provide a custom node identity in your `authorizers.xml` for
      `*.whatever.com` because all proxy actions only resolve to the cert DN
    * no traceability into which node performed an action because they all
      resolve to the same DN
    * if you’re running multiple instances on the same machine using
      different ports to identify them, and you accidentally put `node1` hostname
      with `node2` port, it will resolve fine because it’s using the same
      certificate, but the host header handler will block it because the `node1`
      hostname is not listed as an acceptable `host` for `node2` instance (correctly)
    * if the cert is compromised, all nodes are compromised

    Advantages of wildcard certificates for cluster:
    * nominally faster to deploy in dynamically-scaled clusters, however the
      NiFi TLS Toolkit automates the process of generating correctly-signed,
      uniquely-identified certificates in the proper format. The deployment script or
      process for adding a node should leverage this tool rather than use a repeated
      wildcard certificate. Using a wildcard in the SAN is fine as long as a unique
      value exists in the SAN as well.
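
An added example, not part of the comment above and not NiFi's `NiFiHostnameVerifier` code: a pre-deployment check that a node's SAN list matches its hostname and also carries a unique, non-wildcard value. The function names, the strict left-most-label wildcard rule, and the `nifi.example.com` hostnames are assumptions made for illustration.

```python
# Added illustration; not NiFi code. Hostnames and SAN lists are constructed samples.

def wildcard_matches(pattern, hostname):
    """Match a SAN dNSName against a hostname.

    Assumed policy: '*' is honored only as the entire left-most label and
    stands for exactly one label, so '*.a.b' never matches 'x.y.a.b' or 'a.b'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcard outside the left-most label
    if p_labels[0] == "*":
        # Require two fixed labels after the wildcard so '*.com' is rejected.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False  # partial wildcards such as 'n*' are rejected
    return p_labels == h_labels


def audit_cluster(nodes):
    """nodes maps each node hostname to the SAN dNSNames of the cert it presents.

    Returns a list of findings; an empty list means every node passed.
    """
    findings = []
    for host, sans in nodes.items():
        if not any(wildcard_matches(san, host) for san in sans):
            findings.append(f"{host}: no SAN entry matches the hostname")
        if not [san for san in sans if "*" not in san]:
            findings.append(f"{host}: SAN holds only wildcard entries, "
                            "no unique node identity")
    return findings


# Constructed sample cluster: node1 reuses a bare wildcard certificate,
# node2 has a unique SAN plus the wildcard, node3 carries the wrong name.
SAMPLE_NODES = {
    "node1.nifi.example.com": ["*.nifi.example.com"],
    "node2.nifi.example.com": ["node2.nifi.example.com", "*.nifi.example.com"],
    "node3.nifi.example.com": ["node3.other.example.com"],
}

if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_NODES):
        print(finding)
```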

