alopresto commented on a change in pull request #3204: NIFI-1364 - Removed
custom OCSP certificate revocation checking code and replaced with just using
Java native implementation.
URL: https://github.com/apache/nifi/pull/3204#discussion_r304192415
##########
File path:
nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-security/src/main/java/org/apache/nifi/framework/security/util/SslContextFactory.java
##########
@@ -60,8 +65,8 @@ public static SSLContext createSslContext(final
NiFiProperties props)
} else {
trustStore = null;
}
- final TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- trustManagerFactory.init(trustStore);
+
+ final TrustManagerFactory trustManagerFactory =
getTrustManagerFactory(trustStore, props.isOCSPEnabled(),
props.getProperty(NiFiProperties.SECURITY_OCSP_RESPONDER_URL));
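Review bot: In the added getTrustManagerFactory(...) call, two of the inputs can be null and nothing in this hunk checks them. The else branch just above sets trustStore = null, and props.getProperty(NiFiProperties.SECURITY_OCSP_RESPONDER_URL) is passed straight through without a check that it is non-blank when props.isOCSPEnabled() is true. Suggest that the helper validate both and fail with a clear configuration error, and that its Javadoc state that with OCSP disabled it behaves like the removed TrustManagerFactory.getInstance(...) plus init(trustStore) path, so callers know the non-OCSP behaviour is unchanged.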
Review comment:
The behavior implemented in this PR is that if OCSP is configured, it is
configured and used universally across the application. Is there any plan for
or expected need for `SSLContext` instances which _do not_ use OCSP in this
case?