Matt,
Sorry, the confusion about where it was supported is entirely mine.
Thanks again for the help!
Joe
On Wed, Dec 21, 2016 at 4:58 PM, Matt Gilman
wrote:
> Joe,
>
> Just to be completely clear. It was only ever offered for the REST API. I
> don't believe that is
Joe,
Just to be completely clear. It was only ever offered for the REST API. I
don't believe that is broken. I verified that we can introduce it in other
places using the built-in Java capabilities. Because of that, I think we
can remove the legacy verification.
Yes, all SSL traffic should
Matt,
Thanks for digging into this. Since it's verified to be broken in the
current releases, I'll call off the folks trying to test it on our end.
After these changes will all SSL traffic for the Web UI, REST API,
Site-to-Site, and Clustering support OCSP?
Thanks,
Joe
On Wed, Dec 21, 2016 at
Joe,
I was able to successfully verify revoked certificates for clients and
nodes joining the cluster. This did require some code changes.
Specifically, the changes you were suggesting
(PKIXBuilderParameters.setRevocationEnabled and the ocsp.enabled Security
property).
I think the best path
Joe,
I believe the JIRA is questioning whether we need to be manually verifying.
It probably makes sense to answer that first. Once we know that answer we
can establish the best path to appropriately resolve NIFI-1364 and ensure
that we are verifying the certificates in all places. I'm going to
Matt,
We found the "ocsp.enable" Java Security setting in
$JRE/lib/security/java.security, but setting that did NOT change the
behavior and the node with the revoked certificate could still join the
cluster.
Looking at the posts referenced by NIFI-1364 [1], they all seem to discuss
needed code
Thanks, I'll check on the configuration used for the tests and reply back
here once that's clear.
On Mon, Dec 19, 2016 at 12:48 PM, Matt Gilman
wrote:
> The existing OCSP logic is part of the REST API filter chain. The
> communications you're referring to are happening
The existing OCSP logic is part of the REST API filter chain. The
communications you're referring to are happening outside of that. Have you
tried enabling OCSP as part of the SSL/TLS handshake as was mentioned in
the JIRA [1]. Using the built-in features should allow us to use it
throughout the
Matt,
It's not clients we are concerned with, but cluster servers.
The test process used Java 1.8.0_65 and NiFi 0.7.1 to do the following.
1. Configure a cluster with valid certificates for each node,
2. revoke one node's certificate,
3. restart the cluster,
4. confirm with keytool
Matt,
I think the issue isn't going through the REST api. It's that nodes of a
cluster can connect to the cluster, whether or not their certificate has
been revoked. In other words, not a rogue random client, but a rouge nifi
node...
Brandon
On Mon, Dec 19, 2016 at 11:22 AM Matt Gilman
Joe,
If a server connects through the REST API it should be subject to the same
checks as a regular user. Can you provide more details regarding the
requests that aren't being checked correctly?
Additionally, there was some discussion whether we need the additional
checks in the first place as
This could very soon be a show stopper for us.
Does anyone have any thoughts that might help us get this straight?
On Wed, Dec 14, 2016 at 2:23 PM, Joe Skora wrote:
> Running Apache NiFi 0.7.1, we see clients rejected due to OCSP revocation
> of their certificates but we
12 matches
Mail list logo