Andy LoPresto created NIFI-5622:
-----------------------------------
Summary: Test certificates require SAN values
Key: NIFI-5622
URL: https://issues.apache.org/jira/browse/NIFI-5622
Project: Apache NiFi
Issue Type: Bug
Components: Core Framework
Affects Versions: 0.4.0, 0.4.1
Reporter: Andy LoPresto
Assignee: Andy LoPresto
Fix For: 0.5.0

[~JDP10101] was working to upgrade a library dependency
(com.squareup.okhttp.okhttp:2.5.0 to 2.6.0). During this attempt, the
TestInvokeHttpSSL tests began failing. With the help of a Square engineer[1],
it was determined that the TLS cipher suite in use during tests against Jetty
server was restricted to only `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`. This is an
obsolete cipher suite and it was deprecated in OkHttp:2.6.0.

While there is a workaround (code below) to override the OkHttp connector to
use this obsolete cipher suite, the real issue was that Jetty should not be
restricted to allowing that single cipher suite for incoming connections.

Further investigation revealed that the test keystore[2] and truststore[3] in
use did not have any valid RSA or DSA keys. Because of this, Jetty could not
rely on any RSA/DSA-dependent cipher suites, and the removal of
`TLS_DHE_DSS_WITH_AES_128_CBC_SHA` in the client library meant that no
compatible cipher suites were available.

The DSA key issued under alias `mykey` in the keystore expired in 2014. I will
temporarily add a new key (valid for 1 year) into the keystore and truststore
and commit. I will raise another Jira to allow for dynamic code-generated keys
to avoid this problem in the future.

[1] http://stackoverflow.com/questions/34498023/okhttp-upgrading-from-2-5-to-2-6-breaks-https-tests?noredirect=1#comment56840249_34498023
[2] https://github.com/alopresto/nifi/blob/aa99884782e54c54ee138f5609b3be84628e96f9/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/localhost-ks.jks
[3] https://github.com/alopresto/nifi/blob/aa99884782e54c54ee138f5609b3be84628e96f9/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/localhost-ts.jks
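
The keystore condition described in the issue (an expired certificate, and a key algorithm that narrows the usable cipher suites) can be checked before a test run. The following is an added example, not code from the issue or from NiFi; the class name `KeystoreAudit` and the `KEYSTORE_PASSWORD` environment variable are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
// Added example, not NiFi code. Usage: KEYSTORE_PASSWORD=... java KeystoreAudit <file.jks>
// KEYSTORE_PASSWORD is a variable name assumed for this example.
public class KeystoreAudit {
    // True when 'now' falls inside the certificate's validity window.
    static boolean isCurrent(X509Certificate cert, Date now) {
        return !now.before(cert.getNotBefore()) && !now.after(cert.getNotAfter());
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("KEYSTORE_PASSWORD");
        if (args.length != 1 || password == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... java KeystoreAudit <file.jks>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password.toCharArray());
        }
        Date now = new Date();
        int usableKeys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue; // not an X.509 entry
            X509Certificate cert = (X509Certificate) c;
            boolean current = isCurrent(cert, now);
            boolean keyEntry = ks.isKeyEntry(alias);
            // The public-key algorithm (RSA, DSA, EC) limits which cipher suites the entry can serve.
            System.out.printf("%-16s %-12s alg=%-4s notAfter=%s %s%n", alias,
                    keyEntry ? "private-key" : "trusted-cert",
                    cert.getPublicKey().getAlgorithm(), cert.getNotAfter(),
                    current ? "valid" : "EXPIRED-OR-NOT-YET-VALID");
            if (keyEntry && current) {
                usableKeys++;
            }
        }
        if (usableKeys == 0) {
            System.err.println("no private-key entry with a currently valid certificate");
            System.exit(1);
        }
    }
}
```

A non-zero exit status makes the check usable as a build step, so an expired test key is reported directly instead of appearing later as a handshake failure.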