Shawn,

Thanks for reporting this issue with TLS 1.3.  Are you running on Java 8,
or Java 11?  Can you provide the specific version of Java?

NIFI-7468 included several improvements to the NiFi SSLSocketChannel class (
https://issues.apache.org/jira/browse/NIFI-7468), but there appear to be
some additional problems specific to TLS 1.3.

Work is in progress on NIFI-8919 (https://github.com/apache/nifi/pull/5311)
to refactor the Distributed Cache Clients using Netty, which provides a
more robust TLS implementation.  The best way to address this issue will be
to refactor the Distributed Cache Server as well, but there may be some
improvements that could be made to SSLSocketChannel as well.

If you could provide these details along with the Java version in a NiFi
Jira issue, that would be very helpful.

Regards,
David Handermann

On Thu, Sep 23, 2021 at 7:33 AM Shawn Weeks <[email protected]> wrote:

> I’m getting an error when I try to use the
> DistributedMapCacheClientService with a restricted SSL context in TLS 1.3
> mode or just TLS (which I think defaults to 1.3). I was wondering if anyone
> else had seen it. This is on 1.14.0. The certificate being used by NiFi
> has multiple host entries in the SAN (subject alternative name) field, in
> case it’s a bug related to that. If I switch the SSL Context to TLS 1.2
> everything works fine.
>
> See here for an example flow:
> https://gist.github.com/shawnweeks/36e32f1074cd4583543b91f552bc3413
>
> Thanks
>
> Shawn
>
> 2021-09-23 12:05:33,289 ERROR [Timer-Driven Process Thread-7]
> o.a.n.p.standard.PutDistributedMapCache
> PutDistributedMapCache[id=cbe274f4-a948-1c59-0000-00003b1dcc5a] Unable to
> communicate with cache when processing
> StandardFlowFileRecord[uuid=e37a067f-d7de-43cd-98ae-6a60fa431b9a,claim=StandardContentClaim
> [resourceClaim=StandardResourceClaim[id=1632395462870-733,
> container=default, section=733], offset=815883,
> length=11],offset=0,name=e37a067f-d7de-43cd-98ae-6a60fa431b9a,size=11] due
> to javax.net.ssl.SSLException: Tag mismatch!:
> javax.crypto.AEADBadTagException: Tag mismatch!
>
> javax.net.ssl.SSLException: Tag mismatch!
>      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
>      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
>      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
>      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
>      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:123)
>      at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681)
>      at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636)
>      at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454)
>      at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433)
>      at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
>      at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.unwrap(SSLSocketChannel.java:668)
>      at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannel.read(SSLSocketChannel.java:377)
>      at org.apache.nifi.remote.io.socket.ssl.SSLSocketChannelInputStream.read(SSLSocketChannelInputStream.java:46)
>      at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252)
>      at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:271)
>      at java.base/java.io.FilterInputStream.read(FilterInputStream.java:83)
>      at org.apache.nifi.distributed.cache.protocol.ProtocolHandshake.initiateVersionNegotiation(ProtocolHandshake.java:83)
>      at org.apache.nifi.distributed.cache.protocol.ProtocolHandshake.initiateHandshake(ProtocolHandshake.java:57)
>      at org.apache.nifi.distributed.cache.client.DistributedMapCacheClientService.leaseCommsSession(DistributedMapCacheClientService.java:426)
>      at org.apache.nifi.distributed.cache.client.DistributedMapCacheClientService.withCommsSession(DistributedMapCacheClientService.java:489)
>      at org.apache.nifi.distributed.cache.client.DistributedMapCacheClientService.put(DistributedMapCacheClientService.java:132)
>      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>      at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>      at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>      at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:254)
>      at org.apache.nifi.controller.service.StandardControllerServiceInvocationHandler.invoke(StandardControllerServiceInvocationHandler.java:105)
>      at com.sun.proxy.$Proxy569.put(Unknown Source)
>      at org.apache.nifi.processors.standard.PutDistributedMapCache.onTrigger(PutDistributedMapCache.java:202)
>      at org.apache.nifi.processor.AbstractProcessor.onTrigger(AbstractProcessor.java:27)
>      at org.apache.nifi.controller.StandardProcessorNode.onTrigger(StandardProcessorNode.java:1202)
>      at org.apache.nifi.controller.tasks.ConnectableTask.invoke(ConnectableTask.java:214)
>      at org.apache.nifi.controller.scheduling.TimerDrivenSchedulingAgent$1.run(TimerDrivenSchedulingAgent.java:103)
>      at org.apache.nifi.engine.FlowEngine$2.run(FlowEngine.java:110)
>      at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>      at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
>      at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
>      at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>      at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>      at java.base/java.lang.Thread.run(Thread.java:829)
> Caused by: javax.crypto.AEADBadTagException: Tag mismatch!
>      at java.base/com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:623)
>      at java.base/com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1116)
>      at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1053)
>      at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:941)
>      at java.base/com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:491)
>      at java.base/javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:779)
>      at java.base/javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
>      at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2497)
>      at java.base/sun.security.ssl.SSLCipher$T13GcmReadCipherGenerator$GcmReadCipher.decrypt(SSLCipher.java:1903)
>      at java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:240)
>      at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
>      at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
>      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
>      ... 35 common frames omitted
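The quoted trace bottoms out in GaloisCounterMode.decryptFinal under the TLS 1.3 read cipher (T13GcmReadCipherGenerator), so what the Java record layer rejected was a record whose GCM authentication tag did not verify. The Go program below is an added illustration for readers of this thread; it is not code from the thread or from NiFi. Using only the standard library's AES-GCM, it shows the three kinds of reader-side disagreement that produce exactly that failure: decrypting under a key the writer did not use, handing the cipher a mis-framed (truncated) record, and authenticating a record header that differs from the one bound in as additional data. The matching inputs decrypt cleanly. All key, nonce and payload values are constructed for the example. The triage point is that a tag mismatch is a record-layer key or framing disagreement between the two ends of the connection, which is why it points at the channel code rather than at certificate contents.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample values, none taken from the thread: the AES-128 traffic
// key both ends should share, a second key standing in for a reader whose key
// schedule has diverged from the writer's, a 12-byte GCM nonce, and one
// record's worth of application data.
var (
	readerKey   = []byte("0123456789abcdef")
	divergedKey = []byte("fedcba9876543210")
	nonce       = []byte("unique-nonce")
	payload     = []byte("hello distributed cache")
)

// recordHeader is the 5-byte TLS 1.3 record header (application_data, legacy
// version 0x0303, ciphertext length) that the record layer authenticates as AAD.
func recordHeader(ciphertextLen int) []byte {
	return []byte{0x17, 0x03, 0x03, byte(ciphertextLen >> 8), byte(ciphertextLen)}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts plaintext and appends the 16-byte tag, binding aad to it.
func sealRecord(key, nonce, aad, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

// openRecord verifies the tag before releasing plaintext. A non-nil error is
// the Go counterpart of javax.crypto.AEADBadTagException: "Tag mismatch!".
func openRecord(key, nonce, aad, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// sealedRecord is what the writer put on the wire; the scenarios below differ
// only in what the reader brings to decryption. GCM overhead is 16 bytes.
func sealedRecord() []byte {
	ct, err := sealRecord(readerKey, nonce, recordHeader(len(payload)+16), payload)
	if err != nil {
		panic(err)
	}
	return ct
}

// CorrectKeyDecrypts: key, nonce and header all agree, so the tag verifies.
func CorrectKeyDecrypts() bool {
	ct := sealedRecord()
	pt, err := openRecord(readerKey, nonce, recordHeader(len(ct)), ct)
	return err == nil && string(pt) == string(payload)
}

// WrongKeyFails: the reader's key is not the writer's. GCM cannot tell a wrong
// key from modified bytes; both end in a tag mismatch, never in garbage plaintext.
func WrongKeyFails() bool {
	ct := sealedRecord()
	_, err := openRecord(divergedKey, nonce, recordHeader(len(ct)), ct)
	return err != nil
}

// TruncatedRecordFails: a mis-framed record one byte short, so the final 16
// bytes the reader treats as the tag are not the tag the writer computed.
func TruncatedRecordFails() bool {
	ct := sealedRecord()
	_, err := openRecord(readerKey, nonce, recordHeader(len(ct)), ct[:len(ct)-1])
	return err != nil
}

// WrongHeaderFails: ciphertext intact, but the header authenticated as AAD
// differs from the one the writer bound in (here, a stale length field).
func WrongHeaderFails() bool {
	ct := sealedRecord()
	_, err := openRecord(readerKey, nonce, recordHeader(len(ct)+1), ct)
	return err != nil
}

func main() {
	fmt.Println("correct key decrypts:    ", CorrectKeyDecrypts())
	fmt.Println("wrong key fails:         ", WrongKeyFails())
	fmt.Println("truncated record fails:  ", TruncatedRecordFails())
	fmt.Println("wrong header (AAD) fails:", WrongHeaderFails())
}
```

Run it with `go run .`; the first line prints true and the three failure scenarios also print true, i.e. each of them is rejected at the tag check before any plaintext is released. When reading a NiFi trace like the one above, the same three questions apply to the channel code in the frames between SSLEngine.unwrap and the cipher: do both ends agree on the current traffic key, was a complete record handed to unwrap, and was the record header it authenticated the one that was actually received.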
