[ https://issues.apache.org/jira/browse/NIFI-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16559182#comment-16559182 ]

ASF GitHub Bot commented on NIFI-5400:
--------------------------------------

Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/2919
  
    This PR removes the locally-defined inner class `NiFiHostnameVerifier` from `NiFiClientFactory` and adds unit tests but does not cover the class [`org.apache.nifi.web.util.NiFiHostnameVerifier`](https://github.com/apache/nifi/blob/master/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/util/NiFiHostnameVerifier.java#L18) which is used in [`org.apache.nifi.web.util.WebUtils#createClientHelper()`](https://github.com/apache/nifi/blob/master/nifi-commons/nifi-web-utils/src/main/java/org/apache/nifi/web/util/WebUtils.java#L98). Please remove that class entirely and instantiate a `org.apache.http.conn.ssl.DefaultHostnameVerifier` in `WebUtils#createClientHelper()` and verify that the calling references (uses of `WebUtils#createClient(ClientConfig)` and `WebUtils#createClient(ClientConfig, SSLContext)` listed below) continue to work properly (i.e. add unit tests & regression tests for edge case hostnames).
    
    ```
    Method
        createClient(ClientConfig, SSLContext)
    Found usages  (5 usages found)
        Unclassified usage  (5 usages found)
            nifi-confluent-schema-registry-service  (1 usage found)
                org.apache.nifi.confluent.schemaregistry.client  (1 usage found)
                    RestSchemaRegistryClient  (1 usage found)
                        RestSchemaRegistryClient(List<String>, int, SSLContext, ComponentLog)  (1 usage found)
                            77 client = WebUtils.createClient(clientConfig, sslContext);
            nifi-framework-core  (1 usage found)
                org.apache.nifi.remote  (1 usage found)
                    RemoteNiFiUtils  (1 usage found)
                        getClient(SSLContext)  (1 usage found)
                            50 client = WebUtils.createClient(clientConfig, sslContext);
            nifi-web-api  (2 usages found)
                org.apache.nifi.integration.accesscontrol  (1 usage found)
                    ITAccessTokenEndpoint  (1 usage found)
                        setup()  (1 usage found)
                            88 final Client client = WebUtils.createClient(null, createTrustContext(props));
                org.apache.nifi.integration.util  (1 usage found)
                    NiFiTestServer  (1 usage found)
                        getClient()  (1 usage found)
                            170 return WebUtils.createClient(null, SslContextFactory.createSslContext(properties));
            nifi-web-security  (1 usage found)
                org.apache.nifi.web.security.x509.ocsp  (1 usage found)
                    OcspCertificateValidator  (1 usage found)
                        OcspCertificateValidator(NiFiProperties)  (1 usage found)
                            110 client = WebUtils.createClient(clientConfig, SslContextFactory.createSslContext(properties));
    ```
    
    ```
    Method
        createClient(ClientConfig)
    Found usages  (3 usages found)
        Unclassified usage  (3 usages found)
            nifi-framework-core  (1 usage found)
                org.apache.nifi.remote  (1 usage found)
                    RemoteNiFiUtils  (1 usage found)
                        getClient(SSLContext)  (1 usage found)
                            48 client = WebUtils.createClient(clientConfig);
            nifi-web-security  (1 usage found)
                org.apache.nifi.web.security.x509.ocsp  (1 usage found)
                    OcspCertificateValidator  (1 usage found)
                        OcspCertificateValidator(NiFiProperties)  (1 usage found)
                            112 client = WebUtils.createClient(clientConfig);
            nifi-yandex-processors  (1 usage found)
                org.apache.nifi.processors.yandex  (1 usage found)
                    YandexTranslate  (1 usage found)
                        onScheduled(ProcessContext)  (1 usage found)
                            201 client = WebUtils.createClient(null);
    ```


> NiFiHostnameVerifier should be replaced
> ---------------------------------------
>
>                 Key: NIFI-5400
>                 URL: https://issues.apache.org/jira/browse/NIFI-5400
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.7.0
>            Reporter: Andy LoPresto
>            Priority: Major
>              Labels: certificate, hostname, security, tls
>
> The {{NiFiHostnameVerifier}} does not handle wildcard certificates or complex 
> {{SubjectAlternativeNames}}. It should be replaced with a more full-featured 
> implementation, like {{OkHostnameVerifier}} from {{okhttp}} or 
> {{DefaultHostnameVerifier}} from {{http-client}}. Either of these options 
> requires introducing a new Maven dependency to {{nifi-commons}} and requires 
> further investigation. 
> *Note:* the {{sun.net.www.protocol.httpsDefaultHostnameVerifier}} simply 
> returns {{false}} on all inputs and is not a valid solution. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
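
The review above asks for regression tests on edge-case hostnames once `DefaultHostnameVerifier` is in place. The following is an added example, not part of the original message or of the NiFi code base: it builds a constructed self-signed certificate with a wildcard SAN and a second exact SAN, then runs `DefaultHostnameVerifier` against a single-label wildcard match, the exact SAN, a two-label host under the wildcard, the bare parent domain, and the certificate's CN value. It assumes Apache HttpClient 4.5 and BouncyCastle (`bcprov`, `bcpkix`) on the classpath; the class name, helper names and the `example.com` hostnames are hypothetical.

```java
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import javax.net.ssl.SSLException;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Date;

public class HostnameVerifierEdgeCases {
    // Constructed test fixture: self-signed certificate carrying the given dNSName SAN entries.
    static X509Certificate certWithSans(String... dnsNames) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name dn = new X500Name("CN=constructed-test-cert");
        Date now = new Date();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                dn, BigInteger.ONE, now, new Date(now.getTime() + 86_400_000L), dn, kp.getPublic());
        GeneralName[] sans = new GeneralName[dnsNames.length];
        for (int i = 0; i < dnsNames.length; i++) {
            sans[i] = new GeneralName(GeneralName.dNSName, dnsNames[i]);
        }
        b.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(sans));
        return new JcaX509CertificateConverter().getCertificate(
                b.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
    }

    // verify(String, X509Certificate) throws SSLException when the certificate does not cover the host.
    static boolean accepts(DefaultHostnameVerifier v, String host, X509Certificate cert) {
        try { v.verify(host, cert); return true; } catch (SSLException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = certWithSans("*.nifi.example.com", "registry.example.com");
        DefaultHostnameVerifier verifier = new DefaultHostnameVerifier();
        String[] hosts = {"node1.nifi.example.com", "registry.example.com",
                "a.b.nifi.example.com", "nifi.example.com", "constructed-test-cert"};
        for (String host : hosts) {
            System.out.printf("%-28s accepted=%b%n", host, accepts(verifier, host, cert));
        }
    }
}
```

Turning each printed row into a JUnit assertion gives a regression suite that can be run unchanged against every caller of `WebUtils#createClient` listed in the comment.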
