ijokarumawak commented on a change in pull request #3404: [WIP] NIFI-5176 Java
11 Build Compatibility
URL: https://github.com/apache/nifi/pull/3404#discussion_r302862953
##########
File path:
nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/SiteToSiteClient.java
##########
@@ -888,7 +888,7 @@ public SSLContext getSslContext() {
if (keyManagerFactory != null && trustManagerFactory != null) {
try {
// initialize the ssl context
- final SSLContext sslContext =
SSLContext.getInstance("TLS");
+ final SSLContext sslContext =
SSLContext.getInstance("TLSv1.2"); // FIXME TLSv1.3 not working under Java 11,
setting explicitly to TLSv1.2 works.
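Review bot: The FIXME on the `SSLContext.getInstance("TLSv1.2")` line does not name the failure or the JDK build it works around, so nothing tells a later reader when the pin can be dropped; reference the failing tests or the tracking issue in that comment. Pinning the name inside `getSslContext()` also changes the protocol for every caller of this client rather than only the failing path, so consider keeping `"TLS"` here and restricting the protocol where the failure is actually seen.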
Review comment:
Got a response, here is the ML thread.
http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201907.mbox/browser
The test fails due to this JDK issue. After I upgraded JDK from 11.0.1 to
11.0.3, the test passed.
https://bugs.openjdk.java.net/browse/JDK-8212885
With JDK 11.0.1,
`org.apache.nifi.remote.client.http.TestHttpClient.testSendSuccessHTTPS()` and
`testSendLargeFileHTTPS()` tests failed with the following exception:
```
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:464)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.apache.nifi.remote.util.SiteToSiteRestApiClient.commitTransferFlowFiles(SiteToSiteRestApiClient.java:1498)
    at org.apache.nifi.remote.protocol.http.HttpClientTransaction.readTransactionResponse(HttpClientTransaction.java:96)
    at org.apache.nifi.remote.AbstractTransaction.complete(AbstractTransaction.java:296)
    ... 29 more
```
@jtstorck The JDK issue always happens with these tests if I change the
code to use TLS 1.3. But secure HTTPS S2S works fine if I actually run NiFi
with JDK 11.0.1. Is that the same behavior in your environment?
If the error doesn't (normally) happen with a running NiFi, just marking
these failing tests with `@Ignore` with a TODO note, reverting the changes to
use `TLS` without a specific version, and documenting the possibility of getting
`javax.net.ssl.SSLPeerUnverifiedException` due to JDK-8212885 to guide users to
upgrade their JDK to 11.0.3 would suffice. Or we could say Java 11.0.3 is the
minimum requirement. What do you think?
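What the context name discussed above changes at runtime, and a per-connection alternative that keeps the generic `TLS` context, as an added example (not NiFi's code and not part of the review comment). The class `TlsProtocolCheck` and its helper methods are hypothetical names; the printed protocol lists depend on the JDK build in use.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;

// Hypothetical helper class, added for illustration only.
public class TlsProtocolCheck {

    // Protocols a client connection gets by default from a context
    // created under the given name ("TLS", "TLSv1.2", ...).
    static String[] defaultProtocols(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        // Default key managers, trust managers and SecureRandom are enough
        // to inspect the protocol list; the context must be initialized first.
        ctx.init(null, null, null);
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Alternative to pinning the context name: keep the generic context and
    // restrict the enabled protocols on one connection only.
    static SSLEngine engineLimitedTo(SSLContext ctx, String... protocols) {
        SSLEngine engine = ctx.createSSLEngine();
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(protocols);
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));

        // Compare what each context name offers on this JDK.
        for (String name : new String[] {"TLS", "TLSv1.2"}) {
            System.out.println(name + " -> " + Arrays.toString(defaultProtocols(name)));
        }

        // Generic context, capped for a single engine.
        SSLContext generic = SSLContext.getInstance("TLS");
        generic.init(null, null, null);
        SSLEngine capped = engineLimitedTo(generic, "TLSv1.2");
        System.out.println("capped engine -> " + Arrays.toString(capped.getEnabledProtocols()));
    }
}
```

Running it on each candidate JDK build shows whether TLSv1.3 is in the default list for the `TLS` context and confirms that the `TLSv1.2` context never offers it.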