[ 
https://issues.apache.org/jira/browse/NIFI-5622?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andy LoPresto updated NIFI-5622:
--------------------------------
    Description: During the update of OkHttp from 3.6.0 to 3.11.0 in [NIFI-|], 
it was discovered that {{SubjectAlternativeName}} checking is now required, as 
described in RFC 6125. The test resource keystore and truststores need to be 
updated to provide SAN values.    (was: [~JDP10101] was working to upgrade a 
library dependency (com.squareup.okhttp.okhttp:2.5.0 to 2.6.0). During this 
attempt, the TestInvokeHttpSSL tests began failing. With the help of a Square 
engineer[1], it was determined that the TLS cipher suite in use during tests 
against Jetty server was restricted to only `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`. 
This is an obsolete cipher suite and it was deprecated in OkHttp:2.6.0. 

While there is a workaround (code below) to override the OkHttp connector to 
use this obsolete cipher suite, the real issue was that Jetty should not be 
restricted to allowing that single cipher suite for incoming connections. 

Further investigation revealed that the test keystore[2] and truststore[3] in 
use did not have any valid RSA or DSA keys. Because of this, Jetty could not 
rely on any RSA/DSA-dependent cipher suites, and the removal of 
`TLS_DHE_DSS_WITH_AES_128_CBC_SHA` in the client library meant that no 
compatible cipher suites were available. 

The DSA key issued under alias `mykey` in the keystore expired in 2014. I will 
temporarily add a new key (valid for 1 year) into the keystore and truststore 
and commit. I will raise another Jira to allow for dynamic code-generated keys 
to avoid this problem in the future. 

[1] 
http://stackoverflow.com/questions/34498023/okhttp-upgrading-from-2-5-to-2-6-breaks-https-tests?noredirect=1#comment56840249_34498023
[2] 
https://github.com/alopresto/nifi/blob/aa99884782e54c54ee138f5609b3be84628e96f9/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/localhost-ks.jks
[3] 
https://github.com/alopresto/nifi/blob/aa99884782e54c54ee138f5609b3be84628e96f9/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/localhost-ts.jks)

> Test certificates require SAN values
> ------------------------------------
>
>                 Key: NIFI-5622
>                 URL: https://issues.apache.org/jira/browse/NIFI-5622
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework, Tools and Build
>    Affects Versions: 1.7.1
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Major
>              Labels: certificate, security, test
>             Fix For: 0.5.0
>
>
> During the update of OkHttp from 3.6.0 to 3.11.0 in [NIFI-|], it was 
> discovered that {{SubjectAlternativeName}} checking is now required, as 
> described in RFC 6125. The test resource keystore and truststores need to be 
> updated to provide SAN values.  
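As an added example (not part of the Jira issue and not NiFi or OkHttp code), the Python below shows what RFC 6125 identity checking against SubjectAlternativeName entries looks like, and why a test certificate that carries only a CN no longer verifies once a client stops consulting the CN. The certificate dicts and the names in them (`localhost`, `*.nifi.test`, `127.0.0.1`) are constructed for the example rather than read from the JKS files; the wildcard rules follow the common strict reading of RFC 6125 section 6.4.3 and are not taken from any particular library's code.

```python
"""RFC 6125-style hostname verification against SubjectAlternativeName (SAN).

Added example, not NiFi or OkHttp project code. Certificates are modelled as
plain dicts instead of being parsed from the keystore, so it runs offline.
"""
import ipaddress

# Constructed sample "certificates" mirroring the two cases in the issue:
# the old test cert carrying only a CN, and a replacement carrying SAN values.
OLD_CN_ONLY_CERT = {"cn": "localhost", "san_dns": [], "san_ip": []}
NEW_SAN_CERT = {
    "cn": "localhost",
    "san_dns": ["localhost", "*.nifi.test"],
    "san_ip": ["127.0.0.1"],
}


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (optionally with a leading '*.') against hostname.

    Strict reading of RFC 6125 section 6.4.3: comparison is case-insensitive,
    the wildcard must be the entire left-most label, it matches exactly one
    label, and it must not cover a bare top-level domain ("*.com").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    # Wildcard only permitted as the whole left-most label ("*.example.com").
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[2:]
    if "." not in suffix:
        return False  # "*.com" would match every second-level domain
    host_labels = hostname.split(".")
    if "" in host_labels:
        return False  # empty label, e.g. "a..example.com"
    if len(host_labels) != suffix.count(".") + 2:
        return False  # wildcard must stand in for exactly one label
    return hostname.endswith("." + suffix)


def verify_identity(cert: dict, reference: str) -> bool:
    """Return True if `reference` (DNS name or IP literal) is bound by the SAN.

    A certificate with no SAN entries never verifies: the CN is not consulted,
    which is what breaks a CN-only test certificate under a strict client.
    """
    san_dns = cert.get("san_dns", [])
    san_ip = cert.get("san_ip", [])
    if not san_dns and not san_ip:
        return False
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # IP literals are compared as parsed addresses, only against iPAddress
        # entries, never against dNSName entries.
        return any(ipaddress.ip_address(entry) == ref_ip for entry in san_ip)
    return any(_match_dns_name(entry, reference) for entry in san_dns)


def sans_present(cert: dict) -> bool:
    """Pre-flight check for a test suite: does the cert carry any SAN at all?"""
    return bool(cert.get("san_dns")) or bool(cert.get("san_ip"))


if __name__ == "__main__":
    for label, cert in (("old CN-only", OLD_CN_ONLY_CERT), ("new SAN", NEW_SAN_CERT)):
        print(f"{label}: localhost -> {verify_identity(cert, 'localhost')}, "
              f"127.0.0.1 -> {verify_identity(cert, '127.0.0.1')}")
```

A test module that loads every certificate from the resource keystore and truststore and asserts `sans_present()` for each would surface a missing SAN (or, with an expiry check alongside it, an expired key like the one under alias `mykey`) directly, instead of as an opaque TLS handshake failure in the HTTP processor tests.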



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
