alopresto commented on pull request #4263:
URL: https://github.com/apache/nifi/pull/4263#issuecomment-628794810


I made the dropdown for `RestrictedSSLContextService` more explicit where it now provides `TLS, TLSv1.2` on Java 8 and `TLS, TLSv1.2, TLSv1.3` on Java 11. Selecting `TLS` will allow connections over `TLSv1.2` _and_ `TLSv1.3`.
   
# With `TLSv1.2` selected:

```
# TLSv1.2 is successful

 ..oolkit-1.11.4   master ●  echo Q | openssl s_client -connect node1.nifi:9999 -key nifi-key.key -cert nifi-cert.pem -CAfile nifi-cert.pem -tls1_2
CONNECTED(00000003)
depth=1 OU = NIFI, CN = ca.nifi
verify return:1
depth=0 OU = NIFI, CN = node1.nifi
verify return:1
---
Certificate chain
 0 s:OU = NIFI, CN = node1.nifi
   i:OU = NIFI, CN = ca.nifi
 1 s:OU = NIFI, CN = ca.nifi
   i:OU = NIFI, CN = ca.nifi
---
...
---
SSL handshake has read 2289 bytes and written 1464 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BA2FC4...0D2790
    Session-ID-ctx:
    Master-Key: C773AC...A85A19
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1589478477
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

# TLSv1.3 fails

 ..oolkit-1.11.4   master ●  echo Q | openssl s_client -connect node1.nifi:9999 -key nifi-key.key -cert nifi-cert.pem -CAfile nifi-cert.pem -tls1_3
CONNECTED(00000003)
4570201536:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 234 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
 ✘  ..oolkit-1.11.4   master ● 
```
   
# With `TLS` selected:

```
# TLSv1.3 is successful

 ..oolkit-1.11.4   master ●  echo Q | openssl s_client -connect node1.nifi:9999 -key nifi-key.key -cert nifi-cert.pem -CAfile nifi-cert.pem -tls1_3
CONNECTED(00000003)
depth=1 OU = NIFI, CN = ca.nifi
verify return:1
depth=0 OU = NIFI, CN = node1.nifi
verify return:1
---
Certificate chain
 0 s:OU = NIFI, CN = node1.nifi
   i:OU = NIFI, CN = ca.nifi
 1 s:OU = NIFI, CN = ca.nifi
   i:OU = NIFI, CN = ca.nifi
---
...
---
SSL handshake has read 2510 bytes and written 1800 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

# TLSv1.2 is successful

 ..oolkit-1.11.4   master ●  echo Q | openssl s_client -connect node1.nifi:9999 -key nifi-key.key -cert nifi-cert.pem -CAfile nifi-cert.pem -tls1_2
CONNECTED(00000003)
depth=1 OU = NIFI, CN = ca.nifi
verify return:1
depth=0 OU = NIFI, CN = node1.nifi
verify return:1
---
Certificate chain
 0 s:OU = NIFI, CN = node1.nifi
   i:OU = NIFI, CN = ca.nifi
 1 s:OU = NIFI, CN = ca.nifi
   i:OU = NIFI, CN = ca.nifi
---
...
---
SSL handshake has read 2293 bytes and written 1464 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7E5D46...1F4E63
    Session-ID-ctx:
    Master-Key: AB80DE...4FCC9A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1589478427
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE
```
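The transcripts above verify one protocol version at a time by hand. As an added example (my code, not part of the PR or of NiFi), here is a small Python tool that drives `openssl s_client` once per TLS version, parses the `New, <protocol>, Cipher is <cipher>` summary line and any `SSL alert number` the server sent (70 is `protocol_version`, the alert seen above when `-tls1_3` was tried against a `TLSv1.2`-only service), and compares the outcome with the version set the operator intended to allow. It goes slightly beyond the comment by also probing TLSv1 and TLSv1.1, which a restricted service should reject. The live `probe()` function assumes an `openssl` binary on PATH and a reachable host; the embedded `SAMPLE_*` strings are abridged copies of the two transcripts above so the parser and policy check can be exercised offline.

```python
"""Probe a TLS listener per protocol version and verify the negotiated result.

Added example for this PR discussion; not NiFi project code. Assumes an
`openssl` binary on PATH for live probes. The SAMPLE_* strings are abridged
copies of the s_client transcripts from the comment, embedded so the parser
can be exercised without a network.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set

# s_client flag that pins the handshake to exactly one protocol version.
PROTOCOL_FLAGS = {
    "TLSv1": "-tls1",
    "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2",
    "TLSv1.3": "-tls1_3",
}

# "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384" on success,
# "New, (NONE), Cipher is (NONE)" when no session was established.
NEW_LINE_RE = re.compile(r"^New, (?P<proto>\S+), Cipher is (?P<cipher>\S+)$", re.M)
# Alert number printed by OpenSSL when the server rejects the handshake
# (70 = protocol_version, the case seen with -tls1_3 against a 1.2-only service).
ALERT_RE = re.compile(r"SSL alert number (?P<num>\d+)")


def parse_s_client(output: str) -> Dict[str, Optional[object]]:
    """Extract negotiated protocol, cipher and any alert from s_client output."""
    proto = cipher = None
    m = NEW_LINE_RE.search(output)
    if m and m.group("proto") != "(NONE)":
        proto, cipher = m.group("proto"), m.group("cipher")
    a = ALERT_RE.search(output)
    alert = int(a.group("num")) if a else None
    return {"protocol": proto, "cipher": cipher, "alert": alert}


def probe(host: str, port: int, version: str, cafile: Optional[str] = None,
          cert: Optional[str] = None, key: Optional[str] = None,
          timeout: float = 10.0) -> Dict[str, Optional[object]]:
    """Run one s_client handshake pinned to `version` and parse the result."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", PROTOCOL_FLAGS[version]]
    if cafile:
        cmd += ["-CAfile", cafile]
    if cert:
        cmd += ["-cert", cert]
    if key:
        cmd += ["-key", key]
    # The alert line goes to stderr, the session summary to stdout; parse both.
    proc = subprocess.run(cmd, input="Q\n", capture_output=True, text=True, timeout=timeout)
    return parse_s_client(proc.stdout + proc.stderr)


def check_policy(results: Dict[str, dict], allowed: Set[str]) -> List[str]:
    """Report versions that negotiated but are not allowed, or are allowed but failed."""
    problems = []
    for version, r in sorted(results.items()):
        negotiated = r["protocol"] is not None
        if negotiated and version not in allowed:
            problems.append(f"{version} accepted but not allowed")
        elif not negotiated and version in allowed:
            problems.append(f"{version} expected but handshake failed (alert {r['alert']})")
    return problems


# Abridged copies of the two transcripts from the comment (TLSv1.2 selected).
SAMPLE_TLS12_OK = """CONNECTED(00000003)
depth=1 OU = NIFI, CN = ca.nifi
verify return:1
---
SSL handshake has read 2289 bytes and written 1464 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---
DONE
"""

SAMPLE_TLS13_FAIL = """CONNECTED(00000003)
4570201536:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
---
"""


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    results = {v: probe(host, port, v) for v in PROTOCOL_FLAGS}
    for version, r in sorted(results.items()):
        print(f"{version:8} -> {r['protocol'] or 'rejected'} {r['cipher'] or ''} alert={r['alert']}")
    # Expected policy for the `TLS` setting on Java 11: 1.2 and 1.3 only.
    for p in check_policy(results, {"TLSv1.2", "TLSv1.3"}):
        print("POLICY VIOLATION:", p)
```

Run as `python probe_tls.py node1.nifi 9999` to reproduce the comment's check across all four versions in one pass; pass the `-CAfile`/`-cert`/`-key` paths through `probe()` when the service requires client authentication, as the transcripts do. Combining stdout and stderr matters: OpenSSL prints the alert on stderr, so parsing stdout alone would miss the reason a version was refused.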

