[
https://issues.apache.org/jira/browse/NIFI-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16571071#comment-16571071
]
ASF GitHub Bot commented on NIFI-5400:
--------------------------------------
Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2919
I merged this but made two changes.

First, the `nifi-web-utils` tests were
not running, because they are Groovy tests and there is nothing in
`src/test/java`. Without a file (even empty) in that directory, the Groovy
tests do not get picked up (neither compiled nor run). I added the
`groovy-eclipse-compiler` plugin to `nifi-web-utils/pom.xml` to ensure this is
run. That commit is
[5c0232c](https://github.com/alopresto/nifi/commit/5c0232c9dd8009dc69bc5adb1fb1ef7942832911).

Second, there was a warning about a duplicate definition of the `httpclient`
dependency in `nifi-web-utils/pom.xml`. I removed it, and that commit is
[5f538c6](https://github.com/alopresto/nifi/commit/5f538c69f1aebc0b6b0d6dbabf0f09c8e9854a57).
Both of those commits were rebased onto Nathan's rebased commits as well.

A gist demonstrating the issue is
[here](https://gist.github.com/alopresto/184f3631ec44a4c036d323d622ea97aa).

Ran `contrib-check` and all tests pass. +1, merging.

> NiFiHostnameVerifier should be replaced
> ---------------------------------------
>
> Key: NIFI-5400
> URL: https://issues.apache.org/jira/browse/NIFI-5400
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.7.0
> Reporter: Andy LoPresto
> Priority: Major
> Labels: certificate, hostname, security, tls
>
> The {{NiFiHostnameVerifier}} does not handle wildcard certificates or complex
> {{SubjectAlternativeNames}}. It should be replaced with a more full-featured
> implementation, like {{OkHostnameVerifier}} from {{okhttp}} or
> {{DefaultHostnameVerifier}} from {{http-client}}. Either of these options
> requires introducing a new Maven dependency to {{nifi-commons}} and requires
> further investigation.
> *Note:* the {{sun.net.www.protocol.https.DefaultHostnameVerifier}} simply
> returns {{false}} on all inputs and is not a valid solution.
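
The wildcard and multi-SAN matching that the issue description above says `NiFiHostnameVerifier` lacks, as an added example that is not code from NiFi, okhttp or httpclient. The class name `SanWildcardVerifier` and the sample names are hypothetical, and the matcher assumes simplified rules: dNSName SANs only, with no IP-address SANs, no CN fallback, no partial-label wildcards and no IDN handling.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical class for illustration; not NiFi, okhttp or httpclient code.
public class SanWildcardVerifier implements HostnameVerifier {
    private static final int DNS_NAME = 2; // GeneralName tag for dNSName

    @Override
    public boolean verify(String host, SSLSession session) {
        try {
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            return matchesAny(host, dnsNames(leaf));
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // fail closed when the peer certificate cannot be read
        }
    }

    // Collect every dNSName entry, so certificates with several SANs are covered.
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if absent
        if (sans == null) return names;
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) == DNS_NAME) names.add((String) san.get(1));
        }
        return names;
    }

    // Exact match, or "*.suffix" where "*" stands for exactly one left-most label.
    static boolean matchesAny(String host, List<String> patterns) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String p : patterns) {
            String pattern = p.toLowerCase(Locale.ROOT);
            if (pattern.equals(h)) return true;
            if (!pattern.startsWith("*.")) continue;
            String suffix = pattern.substring(1);       // e.g. ".cluster.example.com"
            if (suffix.indexOf('.', 1) < 0) continue;   // refuse "*.com"
            int firstDot = h.indexOf('.');
            if (firstDot > 0 && h.substring(firstDot).equals(suffix)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> sans = Arrays.asList("nifi.example.com", "*.cluster.example.com"); // constructed
        for (String h : new String[] {"node1.cluster.example.com", "a.b.cluster.example.com", "NIFI.example.com"})
            System.out.println(h + " -> " + matchesAny(h, sans));
    }
}
```

In production code, prefer one of the maintained verifiers named in the issue over a hand-written matcher.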