Re: TLSv1.3 SSLContext not available on Java 11 and RHEL8

2023-08-15 Thread Mike Thomsen
I had similar thoughts and told them to start working with different
flavors of Java 11.

Thanks,

Mike

On Tue, Aug 15, 2023 at 10:03 AM David Handermann <
exceptionfact...@apache.org> wrote:

> Mike,
>
> It sounds like the problem could be related to the specific Java vendor
> and version, or related to Java Security settings.
>
> Java 8 Update 261 [1] and following include TLSv1.3, and Java 11 also
> includes TLSv1.3 as you noted. However, the java.security configuration can
> disable specific TLS versions using the jdk.tls.disabledAlgorithms property.
>
> It is possible that a custom java.security configuration disabled TLSv1.3,
> perhaps for compatibility reasons. Checking the java.security configuration
> for the JDK installation would be a good next step for troubleshooting.
>
> Regards,
> David Handermann
>
> [1] https://www.oracle.com/java/technologies/javase/8u261-relnotes.html
>
> [2]
> https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-0A438179-32A7-4900-A81C-29E3073E1E90
>
> On Tue, Aug 15, 2023 at 8:43 AM Mike Thomsen 
> wrote:
>
>> Roughly copy-pasta: "ERROR o.anifi.security.util.SslContextFactory
>> Encountered an error creating SSLContext from TLSConfiguration
>> [TlsConfiguration]keystorePath.protocol=TLSv1.3): TLSv1.3 SSLContext
>> not available"
>>
>> Can't copy and paste because it's on a client's network.
>>
>> On Tue, Aug 15, 2023 at 9:41 AM Phillip Lord 
>> wrote:
>>
>>> Can you add the error here for more context?
>>> On Aug 15, 2023 at 9:38 AM -0400, Mike Thomsen ,
>>> wrote:
>>>
>>> As the subject line says, we're getting a weird error when trying to
>>> migrate to RHEL8. We're already on Java 11 on RHEL7, but for some reason
>>> NiFi is running into problems instantiating a TLSv1.3 SSLContext.
>>>
>>> Does anyone have any suggestions on what could be happening here?
>>>
>>>


Re: NiFi-Registry GitFlowMetaData Error

2023-08-15 Thread Bryan Bende
Hello,

I believe this issue [1] was just resolved yesterday and will be part of
the upcoming 1.23.1 release that is being discussed.

It was an incompatibility with the git library used by registry and the
underlying ssh library used.

Thanks,

Bryan

[1] https://issues.apache.org/jira/browse/NIFI-11927

On Tue, Aug 15, 2023 at 10:59 AM Fries, Matthias 
wrote:

> Hi guys,
>
>
>
> I upgraded from 1.19.1 to 1.22.0 recently and am now facing issues
> regarding the NiFi-Registry.
>
>
>
> Local changes committed from NiFi are available in NiFi-Registry Flow
> Storage Directory afterwards but not in the underlying git repo.
>
> The connection between NiFi-Registry and GitLab is established via ssh
> key. This is the pre and post upgrade configuration of the Git Flow
> Persistence Provider:
>
>
>
>   
>
>
> org.apache.nifi.registry.provider.flow.git.GitFlowPersistenceProvider
>
>   {{ pathToFlowStorageDirectory }}
>
>   origin
>
>   
>
>
>
> Running a git push command manually pushes the latest changes to the git
> repo without any issues.
>
>
>
> The nifi-registry-app.log is showing the following:
>
>
>
> 2023-08-15 14:37:30,959 ERROR [GitFlowMetaData Push thread]
> o.a.n.r.p.flow.git.GitFlowMetaData Failed to push commits to origin due to
> org.eclipse.jgit.api.errors.TransportException:
> ssh://git@git-server:port/pathToRepo/repo.git:
> remote hung up unexpectedly
>
>
>
> Any idea on how to solve this?
>
>
>
> Thanks in advance
>
> Matthias
>
>
>
> The SVA mail system is equipped with an email encryption gateway. If you
> want email sent to you to be encrypted please send a S/MIME signed email or
> your PGP public key to matthias.fr...@sva.de.
>


NiFi-Registry GitFlowMetaData Error

2023-08-15 Thread Fries, Matthias
Hi guys,

I upgraded from 1.19.1 to 1.22.0 recently and am now facing issues regarding 
the NiFi-Registry.

Local changes committed from NiFi are available in NiFi-Registry Flow Storage 
Directory afterwards but not in the underlying git repo.
The connection between NiFi-Registry and GitLab is established via ssh key. 
This is the pre and post upgrade configuration of the Git Flow Persistence 
Provider:

  
  
org.apache.nifi.registry.provider.flow.git.GitFlowPersistenceProvider
  {{ pathToFlowStorageDirectory }}
  origin
  

Running a git push command manually pushes the latest changes to the git repo 
without any issues.

The nifi-registry-app.log is showing the following:

2023-08-15 14:37:30,959 ERROR [GitFlowMetaData Push thread]
o.a.n.r.p.flow.git.GitFlowMetaData Failed to push commits to origin due to
org.eclipse.jgit.api.errors.TransportException:
ssh://git@git-server:port/pathToRepo/repo.git: remote hung up unexpectedly

Any idea on how to solve this?

Thanks in advance
Matthias




The SVA mail system is equipped with an email encryption gateway. If you want 
email sent to you to be encrypted please send a S/MIME signed email or your PGP 
public key to matthias.fr...@sva.de.






Re: TLSv1.3 SSLContext not available on Java 11 and RHEL8

2023-08-15 Thread Patrick Timmins

Well there you go.  This does not sound like a NiFi issue.

If you were using the default locations for the trust/keystore, those 
may have changed going from RHEL7 to RHEL8.  Change your configuration 
to match the location of the trust/keystore on your RHEL8 system.



On 8/15/2023 8:43 AM, Mike Thomsen wrote:
Roughly copy-pasta: "ERROR o.anifi.security.util.SslContextFactory 
Encountered an error creating SSLContext from TLSConfiguration 
[TlsConfiguration]keystorePath.protocol=TLSv1.3): TLSv1.3 
SSLContext not available"


Can't copy and paste because it's on a client's network.

On Tue, Aug 15, 2023 at 9:41 AM Phillip Lord  
wrote:


Can you add the error here for more context?
On Aug 15, 2023 at 9:38 AM -0400, Mike Thomsen
, wrote:

As the subject line says, we're getting a weird error when trying
to migrate to RHEL8. We're already on Java 11 on RHEL7, but for
some reason NiFi is running into problems instantiating a TLSv1.3
SSLContext.

Does anyone have any suggestions on what could be happening here?


Re: TLSv1.3 SSLContext not available on Java 11 and RHEL8

2023-08-15 Thread David Handermann
Mike,

It sounds like the problem could be related to the specific Java vendor and
version, or related to Java Security settings.

Java 8 Update 261 [1] and following include TLSv1.3, and Java 11 also
includes TLSv1.3 as you noted. However, the java.security configuration can
disable specific TLS versions using the jdk.tls.disabledAlgorithms property.

It is possible that a custom java.security configuration disabled TLSv1.3,
perhaps for compatibility reasons. Checking the java.security configuration
for the JDK installation would be a good next step for troubleshooting.

Regards,
David Handermann

[1] https://www.oracle.com/java/technologies/javase/8u261-relnotes.html

[2]
https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-0A438179-32A7-4900-A81C-29E3073E1E90

On Tue, Aug 15, 2023 at 8:43 AM Mike Thomsen  wrote:

> Roughly copy-pasta: "ERROR o.anifi.security.util.SslContextFactory
> Encountered an error creating SSLContext from TLSConfiguration
> [TlsConfiguration]keystorePath.protocol=TLSv1.3): TLSv1.3 SSLContext
> not available"
>
> Can't copy and paste because it's on a client's network.
>
> On Tue, Aug 15, 2023 at 9:41 AM Phillip Lord 
> wrote:
>
>> Can you add the error here for more context?
>> On Aug 15, 2023 at 9:38 AM -0400, Mike Thomsen ,
>> wrote:
>>
>> As the subject line says, we're getting a weird error when trying to
>> migrate to RHEL8. We're already on Java 11 on RHEL7, but for some reason
>> NiFi is running into problems instantiating a TLSv1.3 SSLContext.
>>
>> Does anyone have any suggestions on what could be happening here?
>>
>>
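
The troubleshooting step suggested in the message above (check the Java vendor and version and the jdk.tls.disabledAlgorithms setting), as an added example that is not part of the original thread and is not NiFi code. The class name Tls13Check is hypothetical; compile and run it with the same JDK installation that NiFi is started with.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

// Added diagnostic (not NiFi code): reports what this JDK offers for TLSv1.3.
public class Tls13Check {
    public static void main(String[] args) throws Exception {
        // Vendor and version: builds of Java 11 differ between distributions.
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // Value of the security property as this JVM actually loaded it.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);
        boolean listed = disabled != null && Arrays.stream(disabled.split(","))
                .map(String::trim).anyMatch("TLSv1.3"::equalsIgnoreCase);
        System.out.println("TLSv1.3 listed as disabled: " + listed);

        // Which installed security providers register an SSLContext for TLSv1.3?
        for (Provider p : Security.getProviders()) {
            boolean offers = p.getService("SSLContext", "TLSv1.3") != null;
            System.out.println("provider " + p.getName()
                    + " offers SSLContext.TLSv1.3: " + offers);
        }

        // SSLContext.getInstance reports a protocol no provider offers as
        // "<protocol> SSLContext not available" (NoSuchAlgorithmException).
        try {
            SSLContext ctx = SSLContext.getInstance("TLSv1.3");
            ctx.init(null, null, null); // default key and trust managers
            System.out.println("TLSv1.3 SSLContext created by provider "
                    + ctx.getProvider().getName());
            System.out.println("enabled protocols: "
                    + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        } catch (NoSuchAlgorithmException e) {
            System.out.println("TLSv1.3 SSLContext lookup failed: " + e.getMessage());
        }
    }
}
```

Comparing the output from the RHEL7 and RHEL8 hosts shows whether the difference lies in the JDK build, the provider list, or the disabled-algorithms setting.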


Re: TLSv1.3 SSLContext not available on Java 11 and RHEL8

2023-08-15 Thread Mike Thomsen
Roughly copy-pasta: "ERROR o.anifi.security.util.SslContextFactory
Encountered an error creating SSLContext from TLSConfiguration
[TlsConfiguration]keystorePath.protocol=TLSv1.3): TLSv1.3 SSLContext
not available"

Can't copy and paste because it's on a client's network.

On Tue, Aug 15, 2023 at 9:41 AM Phillip Lord  wrote:

> Can you add the error here for more context?
> On Aug 15, 2023 at 9:38 AM -0400, Mike Thomsen ,
> wrote:
>
> As the subject line says, we're getting a weird error when trying to
> migrate to RHEL8. We're already on Java 11 on RHEL7, but for some reason
> NiFi is running into problems instantiating a TLSv1.3 SSLContext.
>
> Does anyone have any suggestions on what could be happening here?
>
>


Re: TLSv1.3 SSLContext not available on Java 11 and RHEL8

2023-08-15 Thread Phillip Lord
Can you add the error here for more context?
On Aug 15, 2023 at 9:38 AM -0400, Mike Thomsen , wrote:
> As the subject line says, we're getting a weird error when trying to migrate 
> to RHEL8. We're already on Java 11 on RHEL7, but for some reason NiFi is 
> running into problems instantiating a TLSv1.3 SSLContext.
>
> Does anyone have any suggestions on what could be happening here?


TLSv1.3 SSLContext not available on Java 11 and RHEL8

2023-08-15 Thread Mike Thomsen
As the subject line says, we're getting a weird error when trying to
migrate to RHEL8. We're already on Java 11 on RHEL7, but for some reason
NiFi is running into problems instantiating a TLSv1.3 SSLContext.

Does anyone have any suggestions on what could be happening here?