Hi folks,

I have a flow that downloads files from an FTP server over SSL using
TLS1.2. To achieve this I use the curl command line in an ExecuteProcess
processor. This routine had been working OK until recently, when we tried it
on an upgraded NiFi server.

After tracking down the error we noticed that it was due to the updated
version of OpenSSL's recommendation of not allowing the use of old ciphers.
The FTP server in question is using TLS1.2 with a weak certificate, but
since it is not managed by me, updating the server is not an option.

After some troubleshooting I managed to adjust my curl command and it is
working when I execute it manually in a bash session on my NiFi server (to
be precise, I ran it inside the Docker container that is running NiFi),
but when I execute the same command line with the ExecuteProcess processor
I get the following error: "failed setting cipher list"

The curl command and argument line I'm executing is:

curl -v -slk --tlsv1.2 --ciphers 'DEFAULT:!DH' --user ${FTP_USER}:${FTP_PASS} --ftp-ssl ftp://${FTP_HOST}:${FTP_PORT}/${FTP_DIR}/

The actual verbose error from inside the ExecuteProcess processor is:

*   Trying 200.230.161.229...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55f98e691f50)
* Connected to <server-name-redacted> (<ip-address-redacted>) port <port-redacted> (#0)
< 220 ProFTPD 1.3.4d Server (...) [<ip-address-redacted>]
> AUTH SSL
< 234 AUTH SSL successful
* failed setting cipher list: 'DEFAULT:!DH'
* Closing connection 0

So it seems that some configuration either on NiFi or the
ExecuteProcess is not allowing me to force my curl command to use insecure
ciphers with OpenSSL.

How can I circumvent this?

Best regards,

Eric
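
Added example, not part of the original post: the verbose output above echoes the cipher list with its single quotes still attached, so this sketch compares the --ciphers value curl receives when a shell parses the argument string with the value it receives when the string is only split on whitespace, then asks the local OpenSSL whether each value parses. It assumes ExecuteProcess hands the arguments to curl without a shell stripping the quotes; the user, host, port and directory are constructed placeholders.

```python
import shlex
import ssl

# Argument string from the post; the ${FTP_*} variables are replaced by
# constructed placeholder values.
ARGS = ("-v -slk --tlsv1.2 --ciphers 'DEFAULT:!DH' "
        "--user user:pass --ftp-ssl ftp://ftp.example.invalid:21/dir/")


def cipher_arg(argv):
    """Return the value that follows --ciphers in an argv list."""
    return argv[argv.index("--ciphers") + 1]


def shell_argv(args):
    """argv as a POSIX shell builds it: quotes are syntax and are removed."""
    return shlex.split(args)


def raw_argv(args):
    """argv when the string is only split on whitespace (assumed no-shell case)."""
    return args.split()


def openssl_accepts(cipher_string):
    """True if the local OpenSSL can parse the cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    for name, split in (("shell", shell_argv), ("no shell", raw_argv)):
        value = cipher_arg(split(ARGS))
        print(f"{name:9} --ciphers value={value!r} "
              f"accepted={openssl_accepts(value)}")
```

If the no-shell value is the one rejected, the thing to check in the processor is whether the quote characters are reaching curl as part of the argument.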
