[
https://issues.apache.org/jira/browse/NIFI-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16560156#comment-16560156
]
ASF GitHub Bot commented on NIFI-5400:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/2919#discussion_r205872437
--- Diff:
nifi-toolkit/nifi-toolkit-admin/src/main/groovy/org/apache/nifi/toolkit/admin/client/NiFiClientFactory.groovy
---
@@ -17,38 +17,19 @@
package org.apache.nifi.toolkit.admin.client
import org.apache.commons.lang3.StringUtils
-import org.apache.nifi.security.util.CertificateUtils
+import org.apache.http.conn.ssl.DefaultHostnameVerifier
import org.apache.nifi.util.NiFiProperties
-import org.slf4j.Logger
-import org.slf4j.LoggerFactory
-import org.apache.http.conn.ssl.DefaultHostnameVerifier;
-
-
-import javax.naming.ldap.LdapName
-import javax.naming.ldap.Rdn
-import javax.net.ssl.HostnameVerifier
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
-import javax.net.ssl.SSLPeerUnverifiedException
-import javax.net.ssl.SSLSession
import javax.net.ssl.TrustManagerFactory
import javax.ws.rs.client.Client
import javax.ws.rs.client.ClientBuilder
-import java.security.KeyManagementException
-import java.security.KeyStore
-import java.security.KeyStoreException
-import java.security.NoSuchAlgorithmException
-import java.security.SecureRandom
-import java.security.UnrecoverableKeyException
-import java.security.cert.Certificate
+import java.security.*
import java.security.cert.CertificateException
-import java.security.cert.CertificateParsingException
-import java.security.cert.X509Certificate
class NiFiClientFactory implements ClientFactory{
- private static final Logger logger =
LoggerFactory.getLogger(NiFiClientFactory.class)
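Review bot: The `+import java.security.*` line collapses six explicit `java.security` imports (`KeyManagementException`, `KeyStore`, `KeyStoreException`, `NoSuchAlgorithmException`, `SecureRandom`, `UnrecoverableKeyException`) into a wildcard. That hides which of those types this factory still depends on and can cause name clashes later. Keep explicit imports for the types still referenced and delete only the unused ones. The neighbouring `java.security.cert.CertificateException` import is left explicit, so the file would then be consistent. In the same hunk, the `private static final Logger logger` field is removed together with both `org.slf4j` imports. If the field is kept for consistency with other classes, `org.slf4j.Logger` and `org.slf4j.LoggerFactory` have to stay imported too.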
--- End diff --
Ok, figured that; it's good practice to have it there anyway so that it's
consistent across classes and the use stays aligned with the pattern we've
established.
> NiFiHostnameVerifier should be replaced
> ---------------------------------------
>
> Key: NIFI-5400
> URL: https://issues.apache.org/jira/browse/NIFI-5400
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.7.0
> Reporter: Andy LoPresto
> Priority: Major
> Labels: certificate, hostname, security, tls
>
> The {{NiFiHostnameVerifier}} does not handle wildcard certificates or complex
> {{SubjectAlternativeNames}}. It should be replaced with a more full-featured
> implementation, like {{OkHostnameVerifier}} from {{okhttp}} or
> {{DefaultHostnameVerifier}} from {{http-client}}. Either of these options
> requires introducing a new Maven dependency to {{nifi-commons}} and requires
> further investigation.
> *Note:* the {{sun.net.www.protocol.https.DefaultHostnameVerifier}} simply
> returns {{false}} on all inputs and is not a valid solution.