Chris Sampson created NIFI-10929:
------------------------------------
Summary: NiFi generated certificates (e.g. Single User, or
nifi-toolkit) are not compatible with OpenSSL 3.x+
Key: NIFI-10929
URL: https://issues.apache.org/jira/browse/NIFI-10929
Project: Apache NiFi
Issue Type: Bug
Affects Versions: 1.19.0
Reporter: Chris Sampson
The certificates (keystore, truststore) generated by NiFi are not compatible
with OpenSSL 3+ because they are created using old/insecure algorithms.
When starting NiFi 1.19.0 (using the {{apache/nifi}} Docker image) and
confguring a single-user auth, which is the default for NiFi, the generated
{{truststore.p12}} and {{keystore.p12}} cannot be decrypted (e.g. to extract
the public cert/private key into PEM format files so they can be used with
{{curl}}) using the OpenSSL version present within the Docker Image.
{quote}
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
{quote}
Attempted command:
{code:bash}
openssl pkcs12 -in "truststore.p12" -out "nifi-cert.pem" -cacerts -nokeys
-password "pass:${TRUSTSTORE_PASSWORD}"
{code}
Error:
{quote}
4047C0AF997F0000:error:0308010C:digital envelope
routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global
default library context, Algorithm (RC2-40-CBC : 0), Properties ()
{quote}
This can be worked around by adding the {{-legacy}} flag to the {{openssl}}
command (see [this Stack Overflow answer|https://stackoverflow.com/a/72600724]).
Using the command suggested from teh linked article, we see that the NiFi
generated truststure uses:
{quote}
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200
{quote}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
