Hi all,

I am trying to secure my NiFi installation.  I have a client certificate
(nifi1.crt) and the CA for the intranet (ca.crt).  I created the trust and
keystores as below:

keytool -import -trustcacerts -alias nifi1 -file nifi1.crt -keystore server_keystore.p12 -storetype PKCS12

keytool -import -file ca.crt -alias cacert -keystore truststore.jks

And the relevant nifi.properties are set as follows

nifi.security.keystore=./conf/server_keystore.p12
nifi.security.keystoreType=PKCS12
nifi.security.keystorePasswd=<Password>
nifi.security.keyPasswd=<Password>
nifi.security.truststore=./conf/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=<Password>

When I try and access the site via https, I receive the above error in
Firefox, and the following in the nifi-bootstrap.log (I have enabled
additional debugging).

Using both of these certificates inside Apache httpd works on the client as
expected, so the certificates are fine.  I have seen some references to
bugs/features in Jetty under Java 1.8 related to older TLS versions, but
I'm at a loss to explain this! Help!!

Thanks,
Phil

2018-05-04 20:57:17,406 INFO [NiFi logging handler] org.apache.nifi.StdOut
Using SSLEngineImpl.
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Allow unsafe renegotiation: false
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Allow legacy hello messages: true
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Is initial handshake: true
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Is secure renegotiation: false
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
for TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for
TLSv1
2018-05-04 20:57:17,407 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
for TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 for
TLSv1.1
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
NiFi Web Server-20, READ: TLSv1 Handshake, length = 171
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
*** ClientHello, TLSv1.2
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
RandomCookie:  GMT: 1840697519 bytes = { 105, 139, 207, 1, 25, 185, 102,
192, 232, 71, 128, 61, 66, 104, 220, 248, 126, 53, 133, 115, 216, 129, 238,
15, 202, 164, 110, 9 }
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Session ID:  {}
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa8,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Compression Methods:  { 0 }
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Extension server_name, server_name: [type=host_name (0), value=nifi1]
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Extension extended_master_secret
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Extension renegotiation_info, renegotiated_connection: <empty>
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1,
secp384r1, secp521r1}
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Extension ec_point_formats, formats: [uncompressed]
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Unsupported extension type_35, data:
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Unsupported extension type_16, data:
00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Unsupported extension status_request, data: 01:00:00:00:00
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
Extension signature_algorithms, signature_algorithms: SHA256withECDSA,
SHA384withECDSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA,
SHA512withRSA, SHA1withECDSA, SHA1withRSA
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
***
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
%% Initialized:  [Session-4, SSL_NULL_WITH_NULL_NULL]
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
NiFi Web Server-20, fatal error: 40: no cipher suites in common
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
javax.net.ssl.SSLHandshakeException: no cipher suites in common
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
%% Invalidated:  [Session-4, SSL_NULL_WITH_NULL_NULL]
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
NiFi Web Server-20, SEND TLSv1.2 ALERT:  fatal, description =
handshake_failure
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
NiFi Web Server-20, WRITE: TLSv1.2 Alert, length = 2
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
NiFi Web Server-20, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLHandshakeException: no cipher suites in common
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
NiFi Web Server-20, called closeOutbound()
2018-05-04 20:57:17,408 INFO [NiFi logging handler] org.apache.nifi.StdOut
NiFi Web Server-20, closeOutboundInternal()
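
Added example, not part of the original post: a store populated only by `keytool -import` of a certificate file holds a trustedCertEntry and no private key, and a JSSE server whose keystore has no PrivateKeyEntry fails the handshake with "no cipher suites in common". The function below (`check_store` is a hypothetical name) classifies `keytool -list` output read on stdin; both sample listings are constructed.

```shell
#!/usr/bin/env bash
# Real use: keytool -list -keystore server_keystore.p12 -storetype PKCS12 | check_store keystore

# check_store ROLE   (ROLE = keystore | truststore); reads a keytool listing on stdin.
# Returns 0 if the store fits its role, 1 if a keystore has no PrivateKeyEntry,
# 2 if a truststore has no trustedCertEntry, 3 if a truststore holds a private key.
check_store() {
    local role="$1" listing keys certs
    listing="$(cat)"
    # Entry lines look like "<alias>, <date>, PrivateKeyEntry," (grep -c exits 1 on zero).
    keys=$(printf '%s\n' "$listing" | grep -c ', PrivateKeyEntry,' || true)
    certs=$(printf '%s\n' "$listing" | grep -c ', trustedCertEntry,' || true)
    case "$role" in
        keystore)
            if [ "$keys" -eq 0 ]; then
                echo "keystore: no PrivateKeyEntry ($certs trustedCertEntry); server has no key to present" >&2
                return 1
            fi ;;
        truststore)
            if [ "$keys" -gt 0 ]; then
                echo "truststore: holds $keys private key(s); keep keys out of the truststore" >&2
                return 3
            fi
            if [ "$certs" -eq 0 ]; then
                echo "truststore: no trustedCertEntry" >&2
                return 2
            fi ;;
        *) echo "usage: check_store keystore|truststore" >&2; return 64 ;;
    esac
    echo "$role: ok ($keys PrivateKeyEntry, $certs trustedCertEntry)"
}

# Constructed sample: listing of a store built only from a .crt file (placeholder fingerprint).
SAMPLE_CERT_ONLY='Keystore type: PKCS12
Your keystore contains 1 entry

nifi1, May 4, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>'

# Constructed sample: listing of a store that holds the key pair and its certificate chain.
SAMPLE_WITH_KEY='Keystore type: PKCS12
Your keystore contains 1 entry

nifi1, May 4, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): <placeholder>'

printf '%s\n' "$SAMPLE_CERT_ONLY" | check_store keystore || echo "-> exit $?"
printf '%s\n' "$SAMPLE_WITH_KEY" | check_store keystore
```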
