Hi all, I am trying to secure my NiFi installation. I have a client certificate (nifi1.crt) and the CA for the intranet (ca.crt). I created the trust and keystores as below:
keytool -import -trustcacerts -alias nifi1 -file nifi1.crt -keystore server_keystore.p12 -storetype PKCS12
keytool -import -file ca.crt -alias cacert -keystore truststore.jks

And the relevant nifi.properties are set as follows:

nifi.security.keystore=./conf/server_keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=<Password>
nifi.security.keyPasswd=<Password>
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=<Password>

When I try to access the site via https, I receive the above error in Firefox, and the following in the nifi-bootstrap.log (I have enabled additional debugging). Using both of these certificates inside Apache httpd works on the client as expected, so the certificates are fine. I have seen some references to bugs/features in Jetty under Java 1.8 related to older TLS versions, but I'm at a loss to explain this! Help!!

Thanks,
Phil

2018-05-04 20:57:17,406 INFO [NiFi logging handler] org.apache.nifi.StdOut Using SSLEngineImpl.
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Allow unsafe renegotiation: false
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Allow legacy hello messages: true
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Is initial handshake: true
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Is secure renegotiation: false
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, READ: TLSv1 Handshake, length = 171
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut *** ClientHello, TLSv1.2
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut RandomCookie: GMT: 1840697519 bytes = { 105, 139, 207, 1, 25, 185, 102, 192, 232, 71, 128, 61, 66, 104, 220, 248, 126, 53, 133, 115, 216, 129, 238, 15, 202, 164, 110, 9 }
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Session ID: {}
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa8, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Compression Methods: { 0 }
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension server_name, server_name: [type=host_name (0), value=nifi1]
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension extended_master_secret
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension renegotiation_info, renegotiated_connection: <empty>
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1, secp521r1}
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension ec_point_formats, formats: [uncompressed]
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Unsupported extension type_35, data:
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Unsupported extension status_request, data: 01:00:00:00:00
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut Extension signature_algorithms, signature_algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA1withRSA
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut ***
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut %% Initialized: [Session-4, SSL_NULL_WITH_NULL_NULL]
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, fatal error: 40: no cipher suites in common
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut javax.net.ssl.SSLHandshakeException: no cipher suites in common
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut %% Invalidated: [Session-4, SSL_NULL_WITH_NULL_NULL]
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, WRITE: TLSv1.2 Alert, length = 2
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, called closeOutbound()
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut NiFi Web Server-20, closeOutboundInternal()
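An added diagnostic, not from Phil's post or from NiFi: SunJSSE reports "no cipher suites in common" when no key manager can supply a private key for any suite the client offered, and a keystore built with `keytool -import` of a certificate holds only a trustedCertEntry. The keytool listings below are constructed, the `Subject Public Key Algorithm` line is assumed to be present as in recent JDK keytool output, and the offered suites are those from the ClientHello in the log.

```python
import re

# Constructed `keytool -list -v` excerpts (not real output from Phil's host). The first is
# what `keytool -import` of a certificate alone produces: a trustedCertEntry, no private key.
LISTING_CERT_ONLY = """\
Your keystore contains 1 entry
Alias name: nifi1
Entry type: trustedCertEntry
Owner: CN=nifi1
Issuer: CN=intranet-ca
Subject Public Key Algorithm: 2048-bit RSA key
"""
# The same alias when the keystore actually holds the key pair.
LISTING_WITH_KEY = LISTING_CERT_ONLY.replace("trustedCertEntry", "PrivateKeyEntry")

# Suites Firefox offered in the ClientHello above (the two "Unknown 0xcc:..." IDs omitted).
OFFERED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Server key type each key-exchange/authentication token needs to sign or decrypt the handshake.
AUTH_KEY = {"ECDHE_ECDSA": "EC", "ECDH_ECDSA": "EC", "ECDHE_RSA": "RSA", "ECDH_RSA": "RSA",
            "DHE_RSA": "RSA", "RSA": "RSA", "DHE_DSS": "DSA"}

def server_key_types(listing):
    """Key algorithms the server can authenticate with; only PrivateKeyEntry aliases count."""
    types = set()
    for entry in listing.split("Alias name:")[1:]:
        if "Entry type: PrivateKeyEntry" not in entry:
            continue  # a trustedCertEntry has no private key, so JSSE cannot serve with it
        m = re.search(r"Subject Public Key Algorithm: .*?\b(RSA|EC|DSA)\b", entry)
        if m:
            types.add(m.group(1))
    return types

def suite_auth(suite):
    """Key type a suite name requires, or None if the name is not recognised."""
    m = re.match(r"(?:TLS|SSL)_(.+?)_WITH_", suite)
    return AUTH_KEY.get(m.group(1)) if m else None

def usable_suites(listing, offered):
    """Offered suites the server could select; empty means 'no cipher suites in common'."""
    have = server_key_types(listing)
    return [s for s in offered if suite_auth(s) in have]
```

Feeding the output of `keytool -list -v -keystore conf/server_keystore.p12 -storetype PKCS12` from the real host to `server_key_types` shows at once whether the server has any private key to serve with.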