Dear All,
I am trying to send events from NiFi 1.11.3 to syslog (with TLS secure
configuration). There is mutual authentication (two way).
1. I configured PutSyslog processor with
StandardRestrictedSSLContextService.
1.1. I created a keystore (keystore type JKS) and truststore (truststore
type JKS)
1.2. I selected TLS protocol TLS1.2.
1.3. I added certificates (my certificate and its chain) in stores
1.4. I also added Chain Certificates (Intermediate and Root) in Java cacert
1.5. I checked StandardRestrictedSSLContextService; its state is enabled and
there was no problem.
2. When I tried to send events to Syslog without the secure (TLS) configuration
there was no problem.
3. I tried to send events to Syslog with the secure (TLS) configuration for two
different Java versions (8 and 11). It didn't transfer; I got errors in the
log:
*Java JRE 1.8.0_241 (64 Bit):*
2020-04-09 20:48:05,803 ERROR [Timer-Driven Process Thread-8]
o.a.nifi.processors.standard.PutSyslog
PutSyslog[id=c5edd235-8149-3973-ef37-7a0a2257f1ab] No available connections,
and unable to create a new one, transferring
StandardFlowFileRecord[uuid=3dc7fc46-cceb-47e3-853b-ebef7da2af1e,claim=StandardContentClaim
[resourceClaim=StandardResourceClaim[id=1586438497349-2, container=default,
section=2], offset=280511,
length=99859],offset=34294,name=a45af0.log,size=214] to failure:
javax.net.ssl.SSLException: Inbound closed before receiving peer's
close_notify: possible truncation attack?
*javax.net.ssl.SSLException: Inbound closed before receiving peer's
close_notify: possible truncation attack?*
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
at sun.security.ssl.SSLEngineImpl.closeInbound(Unknown Source)
at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:178)
at org.apache.nifi.processor.util.put.sender.SSLSocketChannelSender.open(SSLSocketChannelSender.java:55)
at org.apache.nifi.processors.standard.PutSyslog.createSender(PutSyslog.java:259)
at org.apache.nifi.processors.standard.PutSyslog.createSender(PutSyslog.java:238)
at org.apache.nifi.processors.standard.PutSyslog.onTrigger(PutSyslog.java:326)
at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1176)
at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:213)
at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:117)
at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
*JDK 11.0.6 (64 Bit):*
2020-04-10 09:17:28,869 ERROR [Timer-Driven Process Thread-3]
o.a.nifi.processors.standard.PutSyslog
PutSyslog[id=c5edd235-8149-3973-ef37-7a0a2257f1ab] No available connections,
and unable to create a new one, transferring
StandardFlowFileRecord[uuid=b9693349-d4ea-4e22-a206-e713e785951f,claim=StandardContentClaim
[resourceClaim=StandardResourceClaim[id=1586438497349-2, container=default,
section=2], offset=280511,
length=99859],offset=74530,name=a45af0.log,size=241] to failure:
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
*javax.net.ssl.SSLHandshakeException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target*
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:646)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:465)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:450)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1078)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1012)
at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performTasks(SSLSocketChannel.java:274)
at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.performHandshake(SSLSocketChannel.java:260)
at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.connect(SSLSocketChannel.java:164)
at org.apache.nifi.processor.util.put.sender.SSLSocketChannelSender.open(SSLSocketChannelSender.java:55)
at org.apache.nifi.processors.standard.PutSyslog.createSender(PutSyslog.java:259)
at org.apache.nifi.processors.standard.PutSyslog.createSender(PutSyslog.java:238)
at org.apache.nifi.processors.standard.PutSyslog.onTrigger(PutSyslog.java:326)
at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1176)
at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:213)
at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:117)
at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:624)
... 26 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 32 common frames omitted
4. I suspected a problem on the syslog side, so I tried the same process through
Logstash 7.3.1 with the secure (TLS) configuration (with Java JRE 1.8.0_241 (64
Bit)) and it ran.
5. My environment details are below:
Apache NiFi 1.11.3
Windows Server 2016
Java JRE 1.8.0_241 (64 Bit) -- preferred
or
Java JDK 11.0.6 (64 Bit)
Do you have any comments?
--
Sent from: http://apache-nifi-users-list.2361937.n4.nabble.com/
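A stand-alone check that rebuilds the same TLS client from the JKS keystore and truststore described in steps 1.1 to 1.3, so the handshake can be exercised against the syslog receiver without NiFi in the loop. This is added example code, not code from the original post or from the NiFi project; it assumes the command-line argument layout shown in `main`, JKS stores with their passwords passed as arguments, TLSv1.2 only, and newline-terminated syslog framing for the test message (adjust to whatever the receiver expects). The first probe offers no client certificate: the JDK validates the server's Certificate message before it answers a CertificateRequest, so a "PKIX path building failed" there (the JDK 11 trace above ends in `X509TrustManagerImpl.checkServerTrusted`) is a truststore problem on the NiFi side, independent of mutual authentication. The second probe adds the keystore, so a failure that appears only there points at the receiver rejecting the client certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added diagnostic (not NiFi code): builds an SSLContext from a JKS keystore/truststore pair,
 * restricts it to TLSv1.2 and performs two handshakes against the syslog receiver.
 * Host, port, store paths and passwords are command-line arguments (assumed layout).
 */
public class SyslogTlsCheck {

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** List every trusted-certificate entry: the receiver's issuing intermediate and root must appear here. */
    static void dumpTrustAnchors(KeyStore ts) throws Exception {
        for (String alias : Collections.list(ts.aliases())) {
            if (!ts.isCertificateEntry(alias)) {
                continue; // private-key entries are not trust anchors
            }
            X509Certificate c = (X509Certificate) ts.getCertificate(alias);
            boolean isCa = c.getBasicConstraints() != -1;
            System.out.printf("  anchor '%s': %s (CA=%b, expires %s)%n",
                    alias, c.getSubjectX500Principal(), isCa, c.getNotAfter());
        }
    }

    /**
     * One handshake. With withClientCert=false the client still validates the server chain
     * (the server Certificate message is checked before any CertificateRequest is answered),
     * so a PKIX failure here is a truststore problem independent of mutual authentication.
     */
    static void probe(String host, int port, KeyStore ks, char[] ksPass, KeyStore ts,
                      boolean withClientCert) throws Exception {
        KeyManager[] kms = null;
        if (withClientCert) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, ksPass);
            kms = kmf.getKeyManagers();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // explicit KeyStore: only its entries are anchors, the JDK cacerts file is not consulted
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kms, tmf.getTrustManagers(), null);

        System.out.println(withClientCert ? "Probe 2: mutual TLS, client certificate offered"
                                          : "Probe 1: server authentication only");
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.setEnabledProtocols(new String[] {"TLSv1.2"});
            sock.startHandshake();
            SSLSession s = sock.getSession();
            System.out.println("  handshake OK: " + s.getProtocol() + " " + s.getCipherSuite());
            for (Certificate c : s.getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  server chain: " + x.getSubjectX500Principal()
                        + "  issued by " + x.getIssuerX500Principal());
            }
            if (withClientCert) {
                // Constructed RFC 5424 test message; newline framing is an assumption.
                String msg = "<14>1 2020-04-10T09:17:28Z nifi-host SyslogTlsCheck - - - probe\n";
                OutputStream out = sock.getOutputStream();
                out.write(msg.getBytes(StandardCharsets.UTF_8));
                out.flush();
                System.out.println("  test message sent");
            }
        } catch (SSLException e) {
            // JDK 11 reports "PKIX path building failed" here; a receiver that rejects the client
            // certificate shows up as a fatal alert or an abrupt close during the handshake.
            System.out.println("  FAILED (" + e.getClass().getSimpleName() + "): " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: java SyslogTlsCheck <host> <port> <keystore.jks> <keystorePass>"
                    + " <truststore.jks> <truststorePass>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] ksPass = args[3].toCharArray();
        KeyStore ks = loadJks(args[2], ksPass);
        KeyStore ts = loadJks(args[4], args[5].toCharArray());

        System.out.println("Truststore " + args[4] + ":");
        dumpTrustAnchors(ts);
        probe(host, port, ks, ksPass, ts, false);
        probe(host, port, ks, ksPass, ts, true);
    }
}
```

Compile with `javac SyslogTlsCheck.java` and run it with the JDK NiFi is started with, e.g. `java SyslogTlsCheck syslog.example.com 6514 keystore.jks changeit truststore.jks changeit` (host, port and passwords are placeholders). Two points worth knowing when reading the output: a TrustManagerFactory initialised with an explicit KeyStore uses only that store's entries, so the intermediate and root added to the JDK's cacerts in step 1.4 do not affect a connection made through the SSL context service's own truststore, and `dumpTrustAnchors` shows what is actually in it; and the probe prints the JDK's own exception, which on Java 8 is more specific than the "Inbound closed before receiving peer's close_notify" message that NiFi logs from `closeInbound` when it shuts the channel after a failed connect.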