thenatog commented on issue #3426: NIFI-6196 Upgrade version of Jetty
URL: https://github.com/apache/nifi/pull/3426#issuecomment-488130016

I have verified the endpointIdentificationAlgorithm settings are at least checking for SANs using a clientSocket and serverSocket with certs that did and didn't contain SANs. For the moment, I recommend we set the clientSocket endpointIdentificationAlgorithm to null as well, as this could be considered a breaking change that would require users to regenerate server certs for services external to NiFi. However, I think that it's generally accepted practice to expect SANs are set correctly for certificates. So, in future, we should flip this to require SAN validation in a major version change down the line. Once you set the algorithm to null for the serverSocket, +1.
