[jira] [Updated] (NIFI-7064) Support 2-way SSL by InvokeHTTP processor

Thu, 23 Jan 2020 12:08:09 -0800 


     [ 
https://issues.apache.org/jira/browse/NIFI-7064?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dmitry Mashkov updated NIFI-7064:
---------------------------------
    Attachment: InvokeHTTP_2-way_SSL_support.patch

> Support 2-way SSL by InvokeHTTP processor
> -----------------------------------------
>
>                 Key: NIFI-7064
>                 URL: https://issues.apache.org/jira/browse/NIFI-7064
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework, Security
>    Affects Versions: 1.10.0
>            Reporter: Dmitry Mashkov
>            Priority: Major
>              Labels: features, patch, ready-to-commit, security
>         Attachments: InvokeHTTP_2-way_SSL_support.patch
>
>
> HandleHTTPRequest processor as server, supports 2Way SSL( ie client 
> authentication). InvokeHTTP processor as client, unfortunately not. I would 
> like provide my patch for InvokeHTTP processor.See attach.
> Here some comments for code.
> I added Client.Auth methods
> I added hostname validator.
> Due to original code base and chosen HTTP client, I changed OkHttpClient 
> reference to OkHttpClient.Builder for host validation handler. I have not way 
> to support EL in properties and pass them to handler from setupto trigger via 
> context.
> {code:java}
> AtomicReference<OkHttpClient.Builder> okHttpClientBuilderAtomicReferenc{code}
> Most hard and long operations done before while scheduler starts, building 
> client is relatively lightweight.
> Some comments about host validator, reasons to do this. My case is build 
> RESTful services with 2-way SSL authentication by IP. Remote client can be a 
> servers at same time, like mutual communication, but no domains, only IPs in 
> green field. More over, clients can change dynamically their IP due to 
> selected channel, LAN or Cellular, here is not way to provide SAN to 
> certificate at configuration. Now you can provide dynamically via EL/param IP 
> addresses to check hostname for client authentication.
>  
> PS. It's not clear code, why processor build SSLContext in SSL Context 
> Controlller, but not use it anyhow? This is strange and unclear, possibly, 
> here we can reduce the code.
> PPS. It not clear, how to build tests for this case.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to