[ 
https://issues.apache.org/jira/browse/NIFI-6178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835113#comment-16835113
 ] 

ASF subversion and git services commented on NIFI-6178:
-------------------------------------------------------

Commit 25d8f64bedc3867f8eab7cd74166cc22edb91527 in nifi's branch 
refs/heads/master from Jeff Storck
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=25d8f64 ]

NIFI-6178: Implemented capability to add IP SANs to certs
Regenerated test certs for nifi-livy-processors and nifi-standard-processors to 
fix some broken SSL tests in those modules

This closes #3416.


> Certificates generated for "localhost" need to have IP as a SAN in Java 11
> --------------------------------------------------------------------------
>
>                 Key: NIFI-6178
>                 URL: https://issues.apache.org/jira/browse/NIFI-6178
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security, Tools and Build
>    Affects Versions: 1.9.1
>            Reporter: Jeff Storck
>            Assignee: Jeff Storck
>            Priority: Blocker
>              Labels: Java11
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> While running tests in {{nifi-standard-processors}} with Jetty 
> 9.4.15.v20190215 (after attempting to update from Jetty 9.4.11.v20180605), 
> several SSL tests failed.  After enabling {{javax.net.debug=ssl,handshake}} 
> the following error occurs:
> {code:java}
> javax.net.ssl|ERROR|1B|ListenHTTP (07d9bfd1-56c3-46f1-b4a7-570eaf13c7cc) Web Server-27|2019-04-02 17:44:57.177 EDT|TransportContext.java:313|Fatal (CERTIFICATE_UNKNOWN): No subject alternative names matching IP address 127.0.0.1 found (
> "throwable" : {
>   java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
> {code}
> It appears that when using a cert for {{localhost}} the hostname is resolved 
> to 127.0.0.1, after which the existing SANs in the cert are checked for a 
> matching IP SAN.
> The TLS Toolkit currently generates certs with SANs assumed to be domain 
> names 
> ([TlsHelper.java:305|https://github.com/apache/nifi/blob/master/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/util/TlsHelper.java#L305],
>  uses GeneralName.dNSName explicitly). Adding the IP as a SAN with the TLS 
> Toolkit currently adds it as a DNS SAN, which does not resolve the issue.
> Support must be added to allow IPs to be added as SANs.
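The distinction the issue turns on (a SAN holding "127.0.0.1" as a dNSName versus as an iPAddress) can be shown without any TLS stack. The following is an added example, not NiFi or TLS Toolkit code: it DER-encodes a SubjectAltName GeneralNames value both the way the pre-fix toolkit did (every entry as GeneralName.dNSName) and the way the fix does (IP literals as GeneralName.iPAddress), then applies the RFC 2818 / RFC 6125 rule that Java's hostname checker follows, which is that an IP-literal target is compared only against iPAddress entries. The sample names and the helper names are constructed for this illustration.

```python
"""Why a DNS-typed SAN containing "127.0.0.1" does not satisfy an IP match.

Added example (not NiFi or TLS Toolkit code). Builds and parses the
GeneralNames SEQUENCE of a SubjectAltName extension using only the
standard library.
"""
import ipaddress

# X.509 GeneralName context tags (RFC 5280 section 4.2.1.6)
TAG_DNS_NAME = 0x82    # [2] IMPLICIT IA5String
TAG_IP_ADDRESS = 0x87  # [7] IMPLICIT OCTET STRING (4 bytes IPv4, 16 bytes IPv6)


def _der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_general_names(names, ip_aware: bool) -> bytes:
    """Encode a SAN GeneralNames SEQUENCE.

    ip_aware=False mimics the pre-fix toolkit behaviour: every entry is
    emitted as dNSName, even an IP literal.
    ip_aware=True emits IP literals as iPAddress (packed network-order bytes).
    """
    out = b""
    for name in names:
        if ip_aware:
            try:
                out += _tlv(TAG_IP_ADDRESS, ipaddress.ip_address(name).packed)
                continue
            except ValueError:
                pass  # not an IP literal, fall through to dNSName
        out += _tlv(TAG_DNS_NAME, name.encode("ascii"))
    return _tlv(0x30, out)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_general_names(der: bytes):
    """Return a list of (kind, value) tuples from a GeneralNames SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_DNS_NAME:
            names.append(("dns", value.decode("ascii")))
        elif tag == TAG_IP_ADDRESS:
            names.append(("ip", str(ipaddress.ip_address(value))))
        else:
            names.append(("other", value))  # rfc822Name, URI, ...: not matched here
    return names


def san_matches(der: bytes, target: str) -> bool:
    """Hostname-verification rule: an IP-literal target matches only iPAddress
    SANs; a DNS target matches only dNSName SANs (case-insensitive, no wildcards)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in decode_general_names(der):
        if ip is not None:
            if kind == "ip" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "dns" and value.lower() == target.lower():
            return True
    return False


# Constructed sample: the names a developer would pass for a "localhost" test cert.
SAMPLE_NAMES = ["localhost", "127.0.0.1"]
SAN_PRE_FIX = encode_general_names(SAMPLE_NAMES, ip_aware=False)  # two dNSName entries
SAN_POST_FIX = encode_general_names(SAMPLE_NAMES, ip_aware=True)  # dNSName + iPAddress

if __name__ == "__main__":
    for label, der in (("pre-fix", SAN_PRE_FIX), ("post-fix", SAN_POST_FIX)):
        print(label, decode_general_names(der),
              "matches 127.0.0.1:", san_matches(der, "127.0.0.1"))
```

Running the block shows the pre-fix encoding carrying `("dns", "127.0.0.1")` and failing the IP match, while the post-fix encoding carries `("ip", "127.0.0.1")` and passes; both match `localhost` as a DNS name. The same check is what produces the `No subject alternative names matching IP address 127.0.0.1 found` error quoted above when the client connects to a resolved address rather than a name.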



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)