[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16148394#comment-16148394
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/1986
  
Ran `contrib-check` and all tests pass. +1, merging. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
> Fix For: 1.4.0
>
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16148391#comment-16148391
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user asfgit closed the pull request at:

https://github.com/apache/nifi/pull/1986


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF subversion and git services (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16148390#comment-16148390
 ] 

ASF subversion and git services commented on NIFI-2528:
---

Commit d28e61c5ddc7486747d431dfd82e17dc435ca817 in nifi's branch 
refs/heads/master from m-hogue
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=d28e61c ]

NIFI-2528 Added RestrictedSSLContextService interface with implementation. 
Changed ListenHTTP to allow only new StandardRestrictedSSLContextService.

This closes #1986.

Signed-off-by: Andy LoPresto 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16148348#comment-16148348
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r136231936
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java
 ---
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.ValidationContext;
+import org.apache.nifi.processor.util.StandardValidators;
+
+/**
+ * This class is functionally the same as {@link 
StandardSSLContextService}, but it restricts the allowable
--- End diff --

I meant to add TLS in addition to SSL (some people will still search for or 
only recognize SSL). This is a minor thing and I'll fix it before merging. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16146288#comment-16146288
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@alopresto : All of your recommendations have been implemented. Please let 
me know if you'd like any more changes.


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16146012#comment-16146012
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135896956
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/SSLContextServiceUtils.java
 ---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.net.ssl.SSLContext;
+
+import org.apache.nifi.components.AllowableValue;
+
+public class SSLContextServiceUtils {
--- End diff --

Mike, I did read the SO link you had posted but I also read [Java 8 Default 
and Static 
Methods](https://www.intertech.com/Blog/java-8-tutorial-default-and-static-methods-guide/)
 and I think as long as the definitions are on the interfaces, it will be ok. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16146007#comment-16146007
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135896059
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/SSLContextServiceUtils.java
 ---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.net.ssl.SSLContext;
+
+import org.apache.nifi.components.AllowableValue;
+
+public class SSLContextServiceUtils {
--- End diff --

You can indeed have static methods in interfaces, but they cannot be 
overridden by child classes. They 'belong' to the interface. There were also 
default methods added in Java 8, which can be overridden by child classes, but 
they aren't static meaning that they can't be used in statically initialized 
variables. For these reasons, i elected to put the methods in a util class - 
but i totally understand the concern here.

See this SO article: 
https://stackoverflow.com/questions/27833168/difference-between-static-and-default-methods-in-interface


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16146002#comment-16146002
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135895369
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java
 ---
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.ValidationContext;
+import org.apache.nifi.processor.util.StandardValidators;
+
+/**
+ * This class is functionally the same as {@link 
StandardSSLContextService}, but it restricts the allowable
+ * values that can be selected for SSL protocols.
+ */
+@Tags({"ssl", "secure", "certificate", "keystore", "truststore", "jks", 
"p12", "pkcs12", "pkcs"})
+@CapabilityDescription("Restricted implementation of the 
SSLContextService. Provides the ability to configure "
++ "keystore and/or truststore properties once and reuse that 
configuration throughout the application, "
++ "but only allows a restricted set of SSL protocols to be chosen. 
The set of protocols selectable will "
++ "evolve over time as new protocols emerge and older protocols 
are deprecated. This service is recommended "
++ "over StandardSSLContextService if a component doesn't expect to 
communicate with legacy systems since it's "
++ "unlikely that legacy systems will support these protocols.")
+public class StandardRestrictedSSLContextService extends 
StandardSSLContextService implements RestrictedSSLContextService {
+
+public static final PropertyDescriptor RESTRICTED_SSL_ALGORITHM = new 
PropertyDescriptor.Builder()
+.name("SSL Protocol")
+.defaultValue("TLSv1.2")
--- End diff --

Gotcha. I can make this change.


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16145942#comment-16145942
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135886286
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java
 ---
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.ValidationContext;
+import org.apache.nifi.processor.util.StandardValidators;
+
+/**
+ * This class is functionally the same as {@link 
StandardSSLContextService}, but it restricts the allowable
+ * values that can be selected for SSL protocols.
+ */
+@Tags({"ssl", "secure", "certificate", "keystore", "truststore", "jks", 
"p12", "pkcs12", "pkcs"})
+@CapabilityDescription("Restricted implementation of the 
SSLContextService. Provides the ability to configure "
++ "keystore and/or truststore properties once and reuse that 
configuration throughout the application, "
++ "but only allows a restricted set of SSL protocols to be chosen. 
The set of protocols selectable will "
++ "evolve over time as new protocols emerge and older protocols 
are deprecated. This service is recommended "
++ "over StandardSSLContextService if a component doesn't expect to 
communicate with legacy systems since it's "
++ "unlikely that legacy systems will support these protocols.")
+public class StandardRestrictedSSLContextService extends 
StandardSSLContextService implements RestrictedSSLContextService {
+
+public static final PropertyDescriptor RESTRICTED_SSL_ALGORITHM = new 
PropertyDescriptor.Builder()
+.name("SSL Protocol")
+.defaultValue("TLSv1.2")
--- End diff --

No, I left `.name()` the same to be backward compatible (changing the name 
means that the value stored in the flow will not be retrieved on load). This is 
the whole reason `.displayName()` was introduced -- it provides a human-facing 
value that isn't used for value resolution. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16145939#comment-16145939
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135885847
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/SSLContextServiceUtils.java
 ---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.net.ssl.SSLContext;
+
+import org.apache.nifi.components.AllowableValue;
+
+public class SSLContextServiceUtils {
--- End diff --

With Java 8, you can provide a `static` method implementation on an 
`interface`. I'd define a static method `buildAllowableValues()` in 
`SSLContextService` and implement it with the complete list, and "override" 
(define a method with the same signature but it's not technically an override 
in this case) in `RestrictedSSLContextService` which returns the limited list. 

Am I missing something here? I haven't tried it myself but I think this 
should work. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16143865#comment-16143865
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@alopresto : I've replied with a couple of questions on your comments.

Also, i'll create an issue to update the SSL Context Service interface for 
the listed processors (once confirmed).


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16143864#comment-16143864
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135548481
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java
 ---
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.ValidationContext;
+import org.apache.nifi.processor.util.StandardValidators;
+
+/**
+ * This class is functionally the same as {@link 
StandardSSLContextService}, but it restricts the allowable
+ * values that can be selected for SSL protocols.
+ */
+@Tags({"ssl", "secure", "certificate", "keystore", "truststore", "jks", 
"p12", "pkcs12", "pkcs"})
+@CapabilityDescription("Restricted implementation of the 
SSLContextService. Provides the ability to configure "
++ "keystore and/or truststore properties once and reuse that 
configuration throughout the application, "
++ "but only allows a restricted set of SSL protocols to be chosen. 
The set of protocols selectable will "
++ "evolve over time as new protocols emerge and older protocols 
are deprecated. This service is recommended "
++ "over StandardSSLContextService if a component doesn't expect to 
communicate with legacy systems since it's "
++ "unlikely that legacy systems will support these protocols.")
+public class StandardRestrictedSSLContextService extends 
StandardSSLContextService implements RestrictedSSLContextService {
+
+public static final PropertyDescriptor RESTRICTED_SSL_ALGORITHM = new 
PropertyDescriptor.Builder()
+.name("SSL Protocol")
+.defaultValue("TLSv1.2")
--- End diff --

Do you suggest that i change the `.name()` to "TLS Protocol" here as well?


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16143860#comment-16143860
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135547306
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/SSLContextServiceUtils.java
 ---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.net.ssl.SSLContext;
+
+import org.apache.nifi.components.AllowableValue;
+
+public class SSLContextServiceUtils {
+
+/**
+ * Build a set of allowable SSL protocol algorithms based on JVM 
configuration and whether
+ * or not the list should be restricted to include only certain 
protocols.
+ *
+ * @param restricted whether the set of allowable protocol values 
should be restricted.
+ *
+ * @return the computed set of allowable values
+ */
+public static AllowableValue[] buildSSLAlgorithmAllowableValues(final 
boolean restricted) {
+final Set supportedProtocols = new HashSet<>();
+
+// if restricted, only allow the below set of protocols.
+if(restricted) {
+supportedProtocols.add("TLSv1.2");
--- End diff --

Good call. I'll add this.


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16143852#comment-16143852
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135545489
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/SSLContextServiceUtils.java
 ---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.net.ssl.SSLContext;
+
+import org.apache.nifi.components.AllowableValue;
+
+public class SSLContextServiceUtils {
--- End diff --

@alopresto : I agree and I looked into doing this. However, the problem is 
that the allowable values for the SSL algorithm PropertyDescriptors are 
statically initialized with the appropriate values. Adding a method to the 
`SSLContextService` interface wouldn't enable you to build the values before 
the class is loaded, which is why i threw a static method into a utility class. 
This actually reminded me that i forgot to remove the original 
`buildAllowableValues()` method in `StandardSSLContextService`. I'll do that on 
my next push.

I can approach this in a different way if you have a recommendation. Thanks!


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16142557#comment-16142557
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/1986
  
Also, as @joewitt noted earlier, we should change the available interface 
for other "listener" processors. Here's a preliminary list I put together, but 
I would like confirmation from another member:
* `HandleHTTPRequest`
* `ListenBeats`
* 
`DistributedCacheServer`/`DistributedSetCacheServer`/`DistributedMapCacheServer`
* `ListenSMTP`
* `ListenGRPC`
* `ListenLumberjack` (*Deprecated*)
* `ListenRELP`
* `ListenSyslog`
* `ListenTCP`/`ListenTCPRecord`

Also:
* `AbstractSiteToSiteReportingTask`
* `org.apache.nifi.processors.slack.TestServer`
* `WebSocketService`/`JettyWebSocketService`



> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16142537#comment-16142537
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/1986
  
Ok I left some minor comments on the code. If Michael can reply to those 
and make the changes, I think this is good and ready to be merged. I set up a 
flow with a `ListenHTTP` processor and verified that I could only provide it 
with a `StandardRestrictedSSLContextService` implementation. I verified that it 
received incoming requests (*only*) over TLS v1.2. 

```
hw12203:/Users/alopresto/Workspace/scratch (master) alopresto
 27314s @ 18:11:29 $ openssl s_client -connect localhost: -debug 
-showcerts
CONNECTED(0003)
write to 0x7f80b0d89fd0 [0x7f80b1807e00] (308 bytes => 308 (0x134))
 - 16 03 01 01 2f 01 00 01-2b 03 03 29 cb d3 e6 54   /...+..)...T
...
0050 - 64 f9 0d 7b c4 03 6b 71-03 4d a4 1d 8a f7 4d 45   d..{..kq.MME
---
Certificate chain
 0 s:/OU=NIFI/CN=nifi.nifi.apache.org
   i:/OU=NIFI/CN=localhost
...
---
Server certificate
subject=/OU=NIFI/CN=nifi.nifi.apache.org
issuer=/OU=NIFI/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2241 bytes and written 490 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-SHA384
Session-ID: 
59A0CAC680787984AD9B43E8A39BCFB0F4C5EA4F8AC10223C073296EDB8FB66B
Session-ID-ctx:
Master-Key: 
236BC9B03CD3F7B02C363C8DA15F36EA908A631DB0D3828A0CE05E3834D07BB58E9D1A7023A5161DCE13BF58029BCD61
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1503709893
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
Q
DONE
hw12203:/Users/alopresto/Workspace/scratch (master) alopresto
 27323s @ 18:11:38 $ openssl s_client -connect localhost: -debug 
-showcerts -tls1_1
CONNECTED(0003)
write to 0x7fd06181a060 [0x7fd06280f003] (200 bytes => 200 (0xC8))
 - 16 03 01 00 c3 01 00 00-bf 03 02 18 09 95 74 f0   ..t.
...   .(
140735215808592:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert 
handshake failure:s3_pkt.c:1494:SSL alert number 40
140735215808592:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake 
failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.1
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1503712071
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---
hw12203:/Users/alopresto/Workspace/scratch (master) alopresto
 29497s @ 18:47:53 $
```
I also set up two `InvokeHTTP` processors and used a 
`StandardSSLContextService` and `StandardRestrictedSSLContextService` for each. 
Both were able to successfully make outgoing `GET` requests to 
`https://nifi.apache.org`. 

Contrib-check and all tests pass. Just need Michael to respond to the few 
comments above. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16142415#comment-16142415
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135371152
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java
 ---
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.ValidationContext;
+import org.apache.nifi.processor.util.StandardValidators;
+
+/**
+ * This class is functionally the same as {@link 
StandardSSLContextService}, but it restricts the allowable
+ * values that can be selected for SSL protocols.
+ */
+@Tags({"ssl", "secure", "certificate", "keystore", "truststore", "jks", 
"p12", "pkcs12", "pkcs"})
+@CapabilityDescription("Restricted implementation of the 
SSLContextService. Provides the ability to configure "
++ "keystore and/or truststore properties once and reuse that 
configuration throughout the application, "
++ "but only allows a restricted set of SSL protocols to be chosen. 
The set of protocols selectable will "
++ "evolve over time as new protocols emerge and older protocols 
are deprecated. This service is recommended "
++ "over StandardSSLContextService if a component doesn't expect to 
communicate with legacy systems since it's "
++ "unlikely that legacy systems will support these protocols.")
+public class StandardRestrictedSSLContextService extends 
StandardSSLContextService implements RestrictedSSLContextService {
+
+public static final PropertyDescriptor RESTRICTED_SSL_ALGORITHM = new 
PropertyDescriptor.Builder()
+.name("SSL Protocol")
+.defaultValue("TLSv1.2")
--- End diff --

We should include `.displayName("TLS Protocol")` here for human-readable 
naming without conflicting with the legacy property descriptor name. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16142413#comment-16142413
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135371045
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardRestrictedSSLContextService.java
 ---
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.nifi.annotation.documentation.CapabilityDescription;
+import org.apache.nifi.annotation.documentation.Tags;
+import org.apache.nifi.components.PropertyDescriptor;
+import org.apache.nifi.components.ValidationContext;
+import org.apache.nifi.processor.util.StandardValidators;
+
+/**
+ * This class is functionally the same as {@link 
StandardSSLContextService}, but it restricts the allowable
--- End diff --

I think in the documentation, tags, and descriptions, *TLS* should be 
emphasized over *SSL*, as SSL is deprecated. I would not recommend changing the 
name of the class though. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16142408#comment-16142408
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135370899
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/SSLContextServiceUtils.java
 ---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.net.ssl.SSLContext;
+
+import org.apache.nifi.components.AllowableValue;
+
+public class SSLContextServiceUtils {
--- End diff --

Does this need to be a separate utility class? It seems to only have one 
method. I would have anticipated this method being added to the 
`SSLContextService` interface and then implemented by each of the concrete 
classes. Thus the logic would be encapsulated in the implementations rather 
than outside of the provided implementations. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16142398#comment-16142398
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r135370201
  
--- Diff: 
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/SSLContextServiceUtils.java
 ---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.net.ssl.SSLContext;
+
+import org.apache.nifi.components.AllowableValue;
+
+public class SSLContextServiceUtils {
+
+/**
+ * Build a set of allowable SSL protocol algorithms based on JVM 
configuration and whether
+ * or not the list should be restricted to include only certain 
protocols.
+ *
+ * @param restricted whether the set of allowable protocol values 
should be restricted.
+ *
+ * @return the computed set of allowable values
+ */
+public static AllowableValue[] buildSSLAlgorithmAllowableValues(final 
boolean restricted) {
+final Set supportedProtocols = new HashSet<>();
+
+// if restricted, only allow the below set of protocols.
+if(restricted) {
+supportedProtocols.add("TLSv1.2");
--- End diff --

I know having `{TLS, TLSv1.2}` may look ambiguous or confusing in the 
restricted set, but I think including `TLS` is good here because when 
[TLSv1.3](https://blog.cloudflare.com/introducing-tls-1-3/) (see also 
[2](https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/) 
[3](https://kinsta.com/blog/tls-1-3/)) and so on are supported, users won't 
have to revisit this and explicitly enable/upgrade to that protocol version. We 
should improve the `TLS` tooltip to explain that it chooses the highest 
supported TLS protocol version automatically, and perhaps identify the minimum 
supported version. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16100360#comment-16100360
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user joewitt commented on the issue:

https://github.com/apache/nifi/pull/1986
  
Some thoughts on this thread.  First it is good to get this cleaned up and 
easier for the user so this is a great discussion.

1. It sounds prudent that we delineate our SSLContextService along two 
lines.  One is StandardSSLContextService which works as our current one does, 
supports numerous protocols including those we do not recommend be in continued 
use but that we need to support for interacting/initiating connections to 
systems using legacy protocols.  The other would be a more 
restricted/conservative set of protocols like TLSv1.2.  I recommend we call 
that RestrictedSSLContextService.  We can document on the existing Standard 
service what it is for and allowable for.  And we can do the same on restricted 
indicating it is only for 'safe' protocols and may evolve as more is 
learned/made available.  Both would follow the same interface most likely.
2. We update ListenHTTP,HandleRequest,(any proc that acts as a 
listen/server) to allow only the RestrictedSSLContextService.  This is within 
the documented transition changes between minor versions, can be captured in 
our release/migration notes, and will improve the user experience to only 
accept allowed protocols.
3.  We should avoid to the extent possible ever doing validation of a given 
configuration of a component/processor only once started.  And we should avoid 
using onScheduled to block startup/etc..  Once a user is passed the validation 
phase this is what process yielding is for.  The logic to test whether the 
protocols used, which would not matter if (1) and (2) above are done, should be 
done as early in the lifecycle as possible to let the user resolve the issue 
before we slap their hand by stopping their process (and that is only when 
considering this done in a non-programmatic case).  I realize this isn't purely 
clear all the time but am saying this from an intent of the API, thinking about 
when we bind validation issues, and considering that the API is for both 
programmatic and human interaction.




> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16100071#comment-16100071
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@alopresto @jskora : So i mentioned above that there were two reasons why I 
opted for this approach. Previous to this PR and confirmed by @alopresto and 
@trkurc, the protocol used by ListenHTTP was automatically negotiated with the 
client and the configured SSLContextService protocol was ignored. Since the 
fact that this is misleading and in an effort to not change processor 
communications behavior, i decided to stop the processor on startup if an 
invalid protocol was selected and log that the protocol selected wasn't 
supported with a recommendation to choose another -- this is evident from the 
screenshot i posted above. As pointed out, this will cause processors to break 
if they were configured with SSLv3, for example, prior to this change. 
Additionally, I didn't want to change the global list of selectable protocols 
in SSLContextService if only one (or a few) processor(s) impacted that list. 
That's why i attempted to localize the restriction to the one processor.

So instead of breaking the processor if the SSLContextService is configured 
with a protocol that isn't supported by ListenHTTP, i see 2 options:

1. If the SSLContextService is configured with something that ListenHTTP 
doesn't support, override the protocol to (possibly configured) TLSv1.2 since 
that's what it was doing previously and log a warning indicating that this 
happened. 
2. Build another SSLContextService in which a processor can inform which 
protocols should be selectable.

The second is a bit of work and perhaps outside the scope of this issue, 
but i'm happy to do whatever is recommended.


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099908#comment-16099908
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user jskora commented on the issue:

https://github.com/apache/nifi/pull/1986
  
I don't want to complicate this, but I feel like I must be missing 
something.  

As much as possible, the validation at configuration time should provide 
the user feedback, not failure upon execution.  So,
- SSLContextService should only allow selection of supported protocols, if 
SSLv3 will not work it should be removed from the list, and 
- if we need SSLv3 in some places we either need 2 variations of 
SSLContextService like @alopresto mentioned earlier or the ability to configure 
and query the security level so processors requiring only the higher security 
protocols can invalidate in the GUI (before execution) if provided a less 
secure service.

Does that make sense?


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099363#comment-16099363
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/1986
  
I am trying to walk the line between "make everything configurable" and 
"sometimes people who don't understand this configure it". If you have a client 
that only supports `SSLv3`, it won't work with `ListenHTTP` period. 

* Current situation: the connection will fail, and the error presented to 
the client will be some form of `INVALID PROTOCOL VERSION`. No error in NiFi. 
* Proposed error on config: New flows can't start, as the processor is 
invalid. Existing flows which use `SSLv3` will stop working, and the error 
simply says "SSLv3 isn't valid". No open port for client to connect to, so 
that's the error on that end.
* Proposed restricted list implementation: *Can't get to invalid state on 
new processor config.* Existing flows which use `SSLv3` will stop working, and 
the error says "SSLv3 isn't valid -- pick TLSv1.2". No open port for client to 
connect to, so that's the error on that end, but the NiFi DFM at least knows a 
"valid" option to report back to the external client admin/operator. 



> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099359#comment-16099359
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user trkurc commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@m-hogue - do you have ideas on how to improve the user experience given 
the above feedback?



> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099358#comment-16099358
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user trkurc commented on the issue:

https://github.com/apache/nifi/pull/1986
  
From a "just works" perspective, if I happened to have a client that only 
worked with SSLv3 for whatever reason and attempted to configure it as such, I 
think no user feedback and an unexpected configuration is far less compelling


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099354#comment-16099354
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/1986
  
What was the previous behavior if an unavailable protocol version was 
selected? My understanding is that it will silently use a more secure available 
protocol. This is debatable about which is better -- from an "informed user" 
perspective, being notified that `SSLv3` is not valid is good. From a "just 
works" perspective, stopping the flow (especially with an error that doesn't 
tell them *why* `SSLv3`, an option they selected from a dropdown as opposed to 
typing in manually, doesn't work or *how* to fix it) is worse. 

I reproduced this on 1.4.0 master and even manually selecting `SSLv3` for 
the controller service, it exposed a port that only accepted `TLSv1.2`:

![`SSLv3-only SSLContextService 
configuration`](https://user-images.githubusercontent.com/798465/28551173-17715ad2-709b-11e7-8093-d6ca61eabbbd.png)

![`ListenHTTP` processor referencing `SSLv3-only 
SSLContextService`](https://user-images.githubusercontent.com/798465/28551172-176e9f04-709b-11e7-87df-46bacb94aeb8.png)


```

hw12203:...space/nifi/nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT
 (master) alopresto
 9s @ 17:58:59 $ openssl s_client -connect localhost: -debug -state 
-CAfile conf/nifi-cert.pem
...
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 ## This is a legacy 
output of s_client, it's not actually using SSLv3 as shown below
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-SHA384
Session-ID: 597698...709D69
Session-ID-ctx:
Master-Key: 4CA2AD...6926BA
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1500944417
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---

hw12203:...space/nifi/nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT
 (master) alopresto
 87s @ 18:00:18 $ openssl s_client -connect localhost: -debug -state 
-CAfile conf/nifi-cert.pem -ssl3
...
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : SSLv3
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1500944681
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---
```

I am not opposed to throwing an error if an invalid protocol is somehow 
provided to the context factory, I just think we should be doing more to 
prevent that scenario from happening in the first place, and this behavior 
isn't compelling enough to me that I think it needs to be merged immediately 
and the UX improvement added later. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099343#comment-16099343
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user trkurc commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@alopresto - fair points, however, I do think this is a step in the right 
direction in terms of user experience - previously, when selecting an 
StandardSSLContextService and protocol, the choice was ignored (i.e. , if the 
user did select SSLv3 in the StandardSSLContextService, expecting the 
ListenHTTP to support SSLv3, that didn't happen). 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099334#comment-16099334
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@trkurc My initial reaction was to earlier comments that I interpreted to 
open the idea of manually overriding the current state, which does not allow 
`SSLv3` to be used. I should have cleaned that up after understanding the 
entire thread. However, I feel that my second point, regarding restricting the 
dropdown list of available protocol versions to provide a better user 
experience rather than throwing an exception on 71% of the available options 
still stands. I understand it's more work for the developers at this time, but 
in general I favor more work for us to vastly improve the user experience, as 
once this is used by thousands of people, those little problems add up quickly. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099330#comment-16099330
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user trkurc commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@alopresto - I'm not sure I understand your concerns. The current 
implementation won't support SSLv3, and will throw an error if someone selects 
that protocol in their StandardSSLContextService and allows selection of 
supported protocols StandardSSLContextService (that jetty also supports).


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099307#comment-16099307
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/1986
  
I realize that performing this logic (controller service used for listening 
vs. outgoing connections) dynamically may be challenging or not possible (CS 
can be used by multiple referencing components). This is now leading me to 
think we may need to create a new implementation of the 
[`SSLContextService`](https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java#L33-L33)
 interface called `ModernSSLContextService` or `IncomingSSLContextService` 
which only supports the `TLSv1.2` protocol version. Existing processors would 
not change because they can still accept `StandardSSLContextService`, but the 
`ListenHTTP` component would only accept this new implementation. It could even 
extend `StandardSSLContextService` to delegate most of the code there and 
simply override the protocol versions by implementing its own 
[`#buildAlgorithmAllowableValues()`](https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java#L473)
 method.


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099301#comment-16099301
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on the issue:

https://github.com/apache/nifi/pull/1986
  
I'm sorry I'm late on this, but why are we trying to allow `SSLv3` for 
anything? I understand the original reason for this work was to be in line with 
the `PostHTTP` processor, but this makes outgoing connections to remote 
services, which may be legacy systems that do not support new TLS protocol 
versions. While I would discourage integrating with those systems as well, as 
`SSLv3` provides little effective security at this point, we are not exposing a 
vulnerability in NiFi by supporting that protocol version. 

Jetty intentionally disables any protocol version below `TLSv1.2`, and thus 
we require any incoming connections to support this protocol version. I believe 
the proper solution here is to remove `SSLv2` and `SSLv3` (along with `TLSv1` 
and `TLSv1.1`) from the dropdown list of the `SSLContextService` when used for 
*listening* (i.e. accepting incoming connections) as they will not be 
supported, rather than throwing an exception if an invalid one is selected (by 
my count, 5 of the 7 available are invalid for incoming connections -- `SSL`, 
`SSLv2Hello`, `SSLv3`, `TLSv1`, and `TLSv1.1`; `TLS` and `TLSv1.2` are valid). 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16099298#comment-16099298
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/1986#discussion_r129185483
  
--- Diff: 
nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java
 ---
@@ -227,7 +227,19 @@ private void createHttpServerFromService(final 
ProcessContext context) throws Ex
 contextFactory.setKeyStoreType(keyStoreType);
 }
 
-if(sslContextService != null) {
+if (sslContextService != null) {
+// if the configured protocol isn't supported by Jetty, throw 
an exception
+final String[] excludeProtocols = 
contextFactory.getExcludeProtocols();
+if (excludeProtocols != null) {
+for (final String protocol : excludeProtocols) {
+if 
(protocol.equals(sslContextService.getSslAlgorithm())) {
+final IllegalArgumentException e = new 
IllegalArgumentException("The configured SSL Protocol '" + 
sslContextService.getSslAlgorithm()
++ "' is not supported by this processor. 
Please choose another.");
--- End diff --

It may be helpful here to provide a list of supported protocols (I believe 
[`#getSelectedProtocols()`](http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/util/ssl/SslContextFactory.html#getSelectedProtocols--)
 will do this; `#getIncludeProtocols()` also exists, but be aware that 
*excluded* protocols will always override *included* [see 
`SSLContextFactory#selectProtocols()`](https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L1186)).
 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16098546#comment-16098546
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@trkurc : Pushed changes. Please let me know if you'd like any additional 
changes.


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16098486#comment-16098486
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user trkurc commented on the issue:

https://github.com/apache/nifi/pull/1986
  
the approach looks good.


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16087359#comment-16087359
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@trkurc : It'd occur when the processor {{@OnScheduled}} method is called, 
which would prevent the processor from starting. This would be evident in the 
UI as a red flag on the processor when you start it:


![image](https://user-images.githubusercontent.com/7054178/28215374-cdd5ef54-687b-11e7-8698-6f45f54e33d5.png)



> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16086375#comment-16086375
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user trkurc commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@m-hogue - where would the exception occur? would it prevent the processor 
from starting, or just when it fires up the jetty server? would the problem be 
evident on the UI?


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16080962#comment-16080962
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@trkurc and @jskora : After working through a few test cases, I have a 
proposal i'd like your thoughts on. 

What if we allow the user to select any SSL protocol available through the 
UI, but throw an exception with a message explaining why if the processor 
doesn't support that protocol. In the ListenHTTP case, Jetty has some SSL 
protocols and ciphers disabled by default that may be available to the JVM. 
There are two reasons i wouldn't want to tweak ListenHTTP to allow any 
configured protocol. 1) It changes the processor behavior since those 
Jetty-disabled protocols wouldn't have worked previously anyway and 2) it 
possibly opens another can of worms with cipher suite configuration since Jetty 
has a set of ciphers disabled by default as well. 

Thoughts? 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16080684#comment-16080684
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user trkurc commented on the issue:

https://github.com/apache/nifi/pull/1986
  
Joe and Mike, sort of to my point, and both of your comments reinforced it, 
it was counter intuitive that I could select a protocol,  and have it not work 
or give an error message that was substantive. 


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16080696#comment-16080696
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on the issue:

https://github.com/apache/nifi/pull/1986
  
I'll track down error reporting.


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16080411#comment-16080411
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user m-hogue commented on the issue:

https://github.com/apache/nifi/pull/1986
  
Jetty explicitly disables it as well. The default set of protocols 
disallowed by Jetty are {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"}

I'm happy to alter Jetty's default config, but should we encourage use of 
SSLv3?


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16080229#comment-16080229
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user jskora commented on the issue:

https://github.com/apache/nifi/pull/1986
  
@trkurc Have you [enabled 
SSLv3](https://stackoverflow.com/questions/28236091/how-to-enable-ssl-3-in-java)
 in the JVM?

It is disabled by default starting with [Java 8 Update 
31](http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html) 
and [Java 7 Update 
75](http://www.oracle.com/technetwork/java/javase/7u75-relnotes-2389086.html)?


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16080030#comment-16080030
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user trkurc commented on the issue:

https://github.com/apache/nifi/pull/1986
  
It seems as though if I change to SSLv3, for example, that I am unable to 
POST.


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16079759#comment-16079759
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

Github user trkurc commented on the issue:

https://github.com/apache/nifi/pull/1986
  
reviewing now


> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[ASF GitHub Bot (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076772#comment-16076772
 ] 

ASF GitHub Bot commented on NIFI-2528:
--

GitHub user m-hogue opened a pull request:

https://github.com/apache/nifi/pull/1986

NIFI-2528: added support for SSLContextService protocols in ListenHTTP

Thank you for submitting a contribution to Apache NiFi.

In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:

### For all changes:
- [ ] Is there a JIRA ticket associated with this PR? Is it referenced 
 in the commit message?

- [ ] Does your PR title start with NIFI- where  is the JIRA number 
you are trying to resolve? Pay particular attention to the hyphen "-" character.

- [ ] Has your PR been rebased against the latest commit within the target 
branch (typically master)?

- [ ] Is your initial contribution a single, squashed commit?

### For code changes:
- [ ] Have you ensured that the full suite of tests is executed via mvn 
-Pcontrib-check clean install at the root nifi folder?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)? 
- [ ] If applicable, have you updated the LICENSE file, including the main 
LICENSE file under nifi-assembly?
- [ ] If applicable, have you updated the NOTICE file, including the main 
NOTICE file found under nifi-assembly?
- [ ] If adding new Properties, have you added .displayName in addition to 
.name (programmatic access) for each of the new properties?

### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in 
which it is rendered?

### Note:
Please ensure that once the PR is submitted, you check travis-ci for build 
issues and submit an update to your PR as soon as possible.


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/m-hogue/nifi NIFI-2528

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/nifi/pull/1986.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1986


commit 399d34af8725330d5d8b947ca69e643623fe908c
Author: m-hogue 
Date:   2017-07-06T15:42:46Z

NIFI-2528: added support for SSLContextService protocols in ListenHTTP




> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (NIFI-2528) Update ListenHTTP to honor SSLContextService Protocols

[Michael Hogue (JIRA)]

[ 
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076771#comment-16076771
 ] 

Michael Hogue commented on NIFI-2528:
-

Work here: https://github.com/m-hogue/nifi/tree/NIFI-2528

> Update ListenHTTP to honor SSLContextService Protocols
> --
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
>  Issue Type: Bug
>  Components: Core Framework
>Affects Versions: 1.0.0, 0.8.0, 0.7.1
>Reporter: Joe Skora
>Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for 
> PostHTTP.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)