[ https://issues.apache.org/jira/browse/NIFI-6196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeff Storck updated NIFI-6196: ------------------------------ Description: Upgrade version of Jetty to 9.4.15.v20190215 from 9.4.11.v20180605. This upgrade is needed for building NiFi with Java 11. As of Jetty 9.4.15.v20190215, certificate verification has changed. Previous to version 9.4.15.v20190215, {{org.eclipse.jetty.util.ssl.SslContextFactory.getEndpointIdentificationAlgorithm()}} returned {{null}}. As of version 9.4.15.v20190215, that method returns {{"HTTPS"}}. This causes the {{SslContextFactory}} to verify the SANs of the cert on the other end of the connection, regardless of being used by a client or server. This works correctly for clients but results in a {{CertificateException}} on the server if the client cert does not contain SANs. The following Jetty JIRAs reference this scenario: * [https://github.com/eclipse/jetty.project/issues/3466] * [https://github.com/eclipse/jetty.project/issues/3154] * [https://github.com/eclipse/jetty.project/issues/3454] * [https://github.com/eclipse/jetty.project/issues/3464] was: Upgrade version of Jetty to 9.4.15.v20190215 from 9.4.11.v20180605. This upgrade is needed for building NiFi with Java 11. > Upgrade version of Jetty > ------------------------ > > Key: NIFI-6196 > URL: https://issues.apache.org/jira/browse/NIFI-6196 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework > Affects Versions: 1.9.2 > Reporter: Jeff Storck > Assignee: Jeff Storck > Priority: Major > > Upgrade version of Jetty to 9.4.15.v20190215 from 9.4.11.v20180605. > This upgrade is needed for building NiFi with Java 11. > > As of Jetty 9.4.15.v20190215, certificate verification has changed. Previous > to version 9.4.15.v20190215, > {{org.eclipse.jetty.util.ssl.SslContextFactory.getEndpointIdentificationAlgorithm()}} > returned {{null}}. As of version 9.4.15.v20190215, that method returns > {{"HTTPS"}}. This causes the {{SslContextFactory}} to verify the SANs of the > cert on the other end of the connection, regardless of being used by a client > or server. This works correctly for clients but results in a > {{CertificateException}} on the server if the client cert does not contain > SANs. The following Jetty JIRAs reference this scenario: > * [https://github.com/eclipse/jetty.project/issues/3466] > * [https://github.com/eclipse/jetty.project/issues/3154] > * [https://github.com/eclipse/jetty.project/issues/3454] > * [https://github.com/eclipse/jetty.project/issues/3464] > -- This message was sent by Atlassian JIRA (v7.6.3#76005)