Re: OCSP validation not happening for cluster servers

Matt, Sorry, the confusion about where it was supported is entirely mine. Thanks again for the help! Joe On Wed, Dec 21, 2016 at 4:58 PM, Matt Gilman wrote: > Joe, > > Just to be completely clear. It was only ever offered for the REST API. I > don't believe that is

Re: OCSP validation not happening for cluster servers

Joe, Just to be completely clear. It was only ever offered for the REST API. I don't believe that is broken. I verified that we can introduce it in other places using the built-in Java capabilities. Because of that, I think we can remove the legacy verification. Yes, all SSL traffic should

Re: OCSP validation not happening for cluster servers

Matt, Thanks for digging into this. Since it's verified to be broken in the current releases, I'll call off the folks trying to test it on our end. After these changes will all SSL traffic for the Web UI, REST API, Site-to-Site, and Clustering support OCSP? Thanks, Joe On Wed, Dec 21, 2016 at

Re: OCSP validation not happening for cluster servers

Joe, I was able to successfully verify revoked certificates for clients and nodes joining the cluster. This did require some code changes. Specifically, the changes you were suggesting (PKIXBuilderParameters.setRevocationEnabled and the ocsp.enabled Security property). I think the best path

Re: OCSP validation not happening for cluster servers

Joe, I believe the JIRA is questioning whether we need to be manually verifying. It probably makes sense to answer that first. Once we know that answer we can establish the best path to appropriately resolve NIFI-1364 and ensure that we are verifying the certificates in all places. I'm going to

Re: OCSP validation not happening for cluster servers

Matt, We found the "ocsp.enable" Java Security setting in $JRE/lib/security/java.security, but setting that did NOT change the behavior and the node with the revoked certificate could still join the cluster. Looking at the posts referenced by NIFI-1364 [1], they all seem to discuss needed code

Re: OCSP validation not happening for cluster servers

Thanks, I'll check on the configuration used for the tests and reply back here once that's clear. On Mon, Dec 19, 2016 at 12:48 PM, Matt Gilman wrote: > The existing OCSP logic is part of the REST API filter chain. The > communications you're referring to are happening

Re: OCSP validation not happening for cluster servers

The existing OCSP logic is part of the REST API filter chain. The communications you're referring to are happening outside of that. Have you tried enabling OCSP as part of the SSL/TLS handshake as was mentioned in the JIRA [1]. Using the built-in features should allow us to use it throughout the

Re: OCSP validation not happening for cluster servers

Matt, It's not clients we are concerned with, but cluster servers. The test process used Java 1.8.0_65 and NiFi 0.7.1 to do the following. 1. Configure a cluster with valid certificates for each node, 2. revoke one node's certificate, 3. restart the cluster, 4. confirm with keytool

Re: OCSP validation not happening for cluster servers

Matt, I think the issue isn't going through the REST api. It's that nodes of a cluster can connect to the cluster, whether or not their certificate has been revoked. In other words, not a rogue random client, but a rouge nifi node... Brandon On Mon, Dec 19, 2016 at 11:22 AM Matt Gilman

Re: OCSP validation not happening for cluster servers

Joe, If a server connects through the REST API it should be subject to the same checks as a regular user. Can you provide more details regarding the requests that aren't being checked correctly? Additionally, there was some discussion whether we need the additional checks in the first place as

Re: OCSP validation not happening for cluster servers

This could very soon be a show stopper for us. Does anyone have any thoughts that might help us get this straight? On Wed, Dec 14, 2016 at 2:23 PM, Joe Skora wrote: > Running Apache NiFi 0.7.1, we see clients rejected due to OCSP revocation > of their certificates but we