Hi Eric,

Can you verify a couple things?

1. The specific curl instance you’re using in the terminal and in NiFi are the 
same? (i.e. run this command on the terminal and in an ExecuteProcess 
processor: $ which curl)
2. Run curl -V to see which version of openssl curl is using in both scenarios. 
3. Run curl -vvv to see increased verbosity output. 


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On May 22, 2020, at 8:08 AM, Eric Chaves <e...@uolet.com> wrote:
> 
> Hi folks,
> 
>  I have a flow that downloads files from an FTP server over SSL using TLS1.2. 
> To achieve this I use curl command line in an ExecuteProcess processor. This 
> routine has been working ok until recently when we tried it on an upgraded  
> NiFi server.
> 
> After tracking down the error we noticed that it was due to the updated 
> version of OpenSSL recommendation of not allowing the use of old ciphers. 
> The FTP server in question is using TLS1.2 with a weak certificate but since 
> it is not managed by me updating the server is not an option.
> 
> After some troubleshooting I managed to adjust my curl command and it is 
> working when I execute it manually in a bash session on my NiFi server (to be 
> precise I ran it inside the docker container that is running the NiFi) but 
> when I execute the same command line with the ExecuteProcess processor I got 
> the following error: "failed setting cipher list"
> 
> The curl command and argument line I'm executing is:
> 
> curl -v -slk --tlsv1.2 --ciphers 'DEFAULT:!DH' --user ${FTP_USER}:${FTP_PASS} 
> --ftp-ssl ftp://${FTP_HOST}:${FTP_PORT}/${FTP_DIR}/
> 
> The actual verbose error from inside the ExecuteProcess processor is: 
> 
> *   Trying 200.230.161.229...
> * TCP_NODELAY set
> * Expire in 200 ms for 4 (transfer 0x55f98e691f50)
> * Connected to <server-name-redacted> (<ip-address-redacted>) port 
> <port-redacted> (#0)
> < 220 ProFTPD 1.3.4d Server (...) [<ip-address-redacted>]
> > AUTH SSL
> < 234 AUTH SSL successful
> * failed setting cipher list: 'DEFAULT:!DH'
> * Closing connection 0
> 
> So it seems that some configuration either on the NiFi or the ExecuteProcess 
> is not allowing me to force my curl command to use insecure ciphers with 
> openssl.
> 
> How can I circumvent this?
> 
> Best regards,
> 
> Eric
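
The three checks requested in the reply can be collected into one report that is run once from the terminal and once from ExecuteProcess, then compared line by line. This is an added example, not code from the thread or from NiFi; the function names, the `--report` switch and the extra step of echoing the received arguments and `OPENSSL_CONF` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fingerprint the curl that a process actually runs.
# Run it from the terminal and from ExecuteProcess, then diff the two outputs.

# Pick the TLS library token (e.g. "OpenSSL/1.1.1d") out of the first line of `curl -V`.
tls_backend() {
    for tok in $1; do
        case "$tok" in
            OpenSSL/*|LibreSSL/*|GnuTLS/*|NSS/*|BoringSSL*)
                printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    printf 'unknown\n'
    return 1
}

# Print every argument in brackets, so a difference in how the two
# environments split or quote the command line becomes visible.
show_args() {
    n=0
    for a in "$@"; do
        n=$((n + 1))
        printf 'arg%d=[%s]\n' "$n" "$a"
    done
}

# Checks 1 and 2 from the reply, plus the environment and the arguments received.
curl_fingerprint() {
    bin=$(command -v curl 2>/dev/null) || bin=""
    if [ -z "$bin" ]; then
        printf 'curl_path=not found (PATH=%s)\n' "$PATH"
        return 1
    fi
    first=$("$bin" -V 2>/dev/null | head -n 1)
    printf 'curl_path=%s\n' "$bin"
    printf 'curl_version=%s\n' "$first"
    printf 'tls_backend=%s\n' "$(tls_backend "$first")"
    printf 'PATH=%s\n' "$PATH"
    printf 'OPENSSL_CONF=%s\n' "${OPENSSL_CONF:-<unset>}"
    show_args "$@"
}

# Usage: sh this_script.sh --report <the curl options under test>
if [ "${1:-}" = "--report" ]; then
    shift
    curl_fingerprint "$@"
fi
```

Pass the same option string that is given to curl after `--report` in both places; any line that differs between the two reports is the place to look next.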
