No worries Andy,

I have another issue - I'm sure it's a much simpler one, but it has me
stumped.

I still get the insufficient permissions error, even after adding myself to
the authorizers.xml file as per the admin guide.

I added the "EMAILADDRESS=" part of the subject after receiving an unknown
user error with that as part of the DN (checking the certificate and the
subject contains the email address part).

Output from nifi-user.log

2018-05-05 14:10:29,034 INFO [NiFi Web Server-21]
o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
Kerberos ticket login not supported by this NiFi.. Returning Conflict
response.
2018-05-05 14:10:29,249 INFO [NiFi Web Server-19]
o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException:
OpenId Connect is not configured.. Returning Conflict response.
2018-05-05 14:10:29,310 INFO [NiFi Web Server-76]
o.a.n.w.s.NiFiAuthenticationFilter Attempting request for
(EMAILADDRESS=phil@blah, CN=Phil H, OU=Blah) GET
https://nifi1.blah/nifi-api/flow/current-user (source ip: 192.168.10.192)
2018-05-05 14:10:29,310 INFO [NiFi Web Server-76]
o.a.n.w.s.NiFiAuthenticationFilter Authentication success for
EMAILADDRESS=phil@blah, CN=Phil H, OU=Blah
2018-05-05 14:10:29,312 INFO [NiFi Web Server-76]
o.a.n.w.a.c.AccessDeniedExceptionMapper identity[EMAILADDRESS=phil@blah,
CN=Phil H, OU=Blah], groups[] does not have permission to access the
requested resource. Unable to view the user interface. Returning Forbidden
response.

Partial authorizers.xml (the only changes I have made from the install are
in red)

    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Initial User Identity 1">EMAILADDRESS=phil@blah, CN=Phil H, OU=Blah</property>
    </userGroupProvider>

    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">EMAILADDRESS=phil@blah, CN=Phil H, OU=Blah</property>
        <property name="Legacy Authorized Users File"></property>

        <property name="Node Identity 1"></property>
    </accessPolicyProvider>









On Sat, May 5, 2018 at 11:35 AM, Andy LoPresto <alopre...@apache.org> wrote:

> Phil,
>
> Thanks for documenting the steps you took to get it working. This will
> definitely be helpful to anyone who has a similar problem in the future. I
> suspected it was the missing private key and I forgot to explain that yes,
> to import a PEM-encoded public key and private key into a JKS keystore, you
> do have to go through the PKCS12 intermediary.
>
>
> Andy LoPresto
> alopre...@apache.org
> *alopresto.apa...@gmail.com <alopresto.apa...@gmail.com>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On May 4, 2018, at 4:36 PM, Phil H <gippyp...@gmail.com> wrote:
>
> Sorry for talking to myself so much.  I have solved the problem!
>
> Once I realised that I had never supplied the private key to keytool when I
> imported the certificate, I started googling along those lines.
>
> I found this link from 2008 which provided the solution
> http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html
>
> Basically you use OpenSSL to create a PKCS12 file from the cert and key,
> and then keytool to import that (as an existing keystore, not as a
> certificate)
>
> From there, everything else just worked (including client authentication
> through the browser).  Now I have the "Insufficient permissions" problem,
> which there is loads of documentation as to how to move forwards.
>
> Thanks!
> Phil
>
> On Sat, May 5, 2018 at 8:27 AM, Phil H <gippyp...@gmail.com> wrote:
>
> Further info
>
> In the httpd installation, I need the private key for the certificate and
> its passphrase. That private key has not played a part of the NiFi install
> thus far (seems like an important thing - the "keystore" only has a
> certificate, not a key)
>
> The reason why I used PKCS12 for the keystore was some Jetty debug output
> telling me that was preferred to JKS. Interestingly it gave me contrary
> advice for the trust store.
>
> On Sat, 5 May 2018 at 08:22, Phil H <gippyp...@gmail.com> wrote:
>
> Hi Andy,
>
> Sorry - poor use of words (it was late when I wrote the email). When I
> said "client" certificate I meant the certificate for the NiFi server (no
> idea why I wrote "client")
>
> I'm not trying to use certificate authentication yet - simply to get NiFi
> operating over TLS.
>
> When I test with OpenSSL, I get the same NiFi server log output as seen
> with a connection attempt from a browser.
>
> On the Cipher issue, when I use OpenSSL to connect using said certificate
> using httpd, it lists the successful cipher as one of those ignored by
> Jetty, albeit with fewer underscores in the onscreen output:
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
>
> All machines involved are CentOS 7 - the only add-ons being Java 1.8
> (current release) and NiFi 1.6.0 (also current release)
>
> On Sat, 5 May 2018 at 01:26, Andy LoPresto <alopre...@apache.org> wrote:
>
> Hi Phil,
>
> Sorry to hear you are having this problem. I have a couple steps you can
> try to resolve this.
>
> First, to clarify the terminology for NiFi, a “client certificate”
> refers to a public certificate and private key which in combination allow a
> client to uniquely identify itself and authenticate on a mutual
> authentication TLS connection. In NiFi terminology, the client certificate
> identifies a user or service which connects to NiFi. The “server
> certificate” identifies the NiFi service, and the CA is what signs one (or
> both) of those certificates.
>
> The “no cipher suites in common” error can occur when there are
> legitimately no cipher suites that both the client and server support. This
> can be verified by using the OpenSSL s_client tool to make a connection
> from the client to the server. I’ve pasted a sample invocation below.
>
> $ openssl s_client -connect <host:port> -debug -state -cert
> <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile
> <path_to_your_CA_cert.pem>
>
> However, that error can also appear when the keystore does not contain a
> valid private key to be used. I suspect the keystore you generated for NiFi
> does not have the private key. You can verify this by examining the
> nifi1.crt file you imported. If you run `$ more nifi1.crt`, you should see
> a line “-----BEGIN PRIVATE KEY-----” and then some Base64-encoded output.
> If you do not see this, you have only the public certificate in the file.
> Importing that into a keystore means that NiFi (or any other service using
> that keystore) will not be able to sign or decrypt any information
> encrypted with the public key, so it won’t be able to support any cipher
> suites that rely on RSA encryption or signatures.
>
> The nifi1.crt you imported into the keystore may also not have the
> complete certificate chain encoded, in which case when the server presents
> that certificate on an incoming connection, the client (command-line or
> browser) won’t be able to verify and trust it. You’ll get a different
> error, but it is something to be aware of.
>
> Is there a reason you chose to use a PKCS12 keystore in this scenario?
> Usually we recommend using JKS for both the keystore and the truststore.
>
> I hope this helps. If none of this resolves your issues, please let us
> know and we can continue to help.
>
> Andy LoPresto
> alopre...@apache.org
> *alopresto.apa...@gmail.com <alopresto.apa...@gmail.com>*
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
>
> On May 4, 2018, at 4:03 AM, Phil H <gippyp...@gmail.com> wrote:
>
> Hi all,
>
> I am trying to secure my NiFi installation.  I have a client certificate
> (nifi1.crt) and the CA for the intranet (ca.crt).  I created the trust and
> keystores as below:
>
> keytool -import -trustcacerts -alias nifi1 -file nifi1.crt -keystore
> server_keystore.p12 -storetype PKCS12
>
> keytool -import -file ca.crt -alias cacert -keystore truststore.jks
>
> And the relevant nifi.properties are set as follows
>
> nifi.security.keystore=./conf/server_keystore.p12
> nifi.security.keystoreType=PKCS12
> nifi.security.keystorePasswd=<Password>
> nifi.security.keyPasswd=<Password>
> nifi.security.truststore=./conf/truststore.jks
> nifi.security.truststoreType=JKS
> nifi.security.truststorePasswd=<Password>
>
> When I try and access the site via https, I receive the above error in
> Firefox, and the following in the nifi-bootstrap.log (I have enabled
> additional debugging).
>
> Using both of these certificates inside Apache httpd works on the client as
> expected, so the certificates are fine.  I have seen some references to
> bugs/features in Jetty under Java 1.8 related to older TLS versions, but
> I'm at a loss to explain this! Help!!
>
> Thanks,
> Phil
>
> 2018-05-04 20:57:17,406 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Using SSLEngineImpl.
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Allow unsafe renegotiation: false
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Allow legacy hello messages: true
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Is initial handshake: true
> 2018-05-04 20:57:17,407 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Is secure renegotiation: false
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> NiFi Web Server-20, READ: TLSv1 Handshake, length = 171
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> *** ClientHello, TLSv1.2
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> RandomCookie:  GMT: 1840697519 bytes = { 105, 139, 207, 1, 25, 185, 102,
> 192, 232, 71, 128, 61, 66, 104, 220, 248, 126, 53, 133, 115, 216, 129,
> 238,
> 15, 202, 164, 110, 9 }
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Session ID:  {}
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9,
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_
> CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa8,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Compression Methods:  { 0 }
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Extension server_name, server_name: [type=host_name (0), value=nifi1]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Extension extended_master_secret
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Extension renegotiation_info, renegotiated_connection: <empty>
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Extension elliptic_curves, curve names: {unknown curve 29, secp256r1,
> secp384r1, secp521r1}
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Extension ec_point_formats, formats: [uncompressed]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Unsupported extension type_35, data:
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Unsupported extension type_16, data:
> 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Unsupported extension status_request, data: 01:00:00:00:00
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> Extension signature_algorithms, signature_algorithms: SHA256withECDSA,
> SHA384withECDSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA,
> SHA512withRSA, SHA1withECDSA, SHA1withRSA
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> ***
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> %% Initialized:  [Session-4, SSL_NULL_WITH_NULL_NULL]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> NiFi Web Server-20, fatal error: 40: no cipher suites in common
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> %% Invalidated:  [Session-4, SSL_NULL_WITH_NULL_NULL]
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> NiFi Web Server-20, SEND TLSv1.2 ALERT:  fatal, description =
> handshake_failure
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> NiFi Web Server-20, WRITE: TLSv1.2 Alert, length = 2
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> NiFi Web Server-20, fatal: engine already closed.  Rethrowing
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> NiFi Web Server-20, called closeOutbound()
> 2018-05-04 20:57:17,408 INFO [NiFi logging handler]
> org.apache.nifi.StdOut
> NiFi Web Server-20, closeOutboundInternal()
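A check for the identity question at the top of this message, added here as an example (not code from the thread or from NiFi): it compares each identity configured in authorizers.xml with the identity NiFi logs on an access denial and reports whether the two differ only by whitespace or case. It assumes NiFi matches identity strings exactly; the XML and log samples are constructed from the values quoted in the message, with a line break placed inside one property value for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: identity properties using the DN from the message.
# The first value has a line break inside the element; the root element is
# added only so the fragment parses.
AUTHORIZERS_XML = """<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <property name="Initial User Identity 1">EMAILADDRESS=phil@blah,
CN=Phil H, OU=Blah</property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <property name="Initial Admin Identity">EMAILADDRESS=phil@blah, CN=Phil H, OU=Blah</property>
        <property name="Node Identity 1"></property>
    </accessPolicyProvider>
</authorizers>"""

# Constructed sample: the nifi-user.log denial from the message on one line.
USER_LOG = (
    "2018-05-05 14:10:29,312 INFO [NiFi Web Server-76] "
    "o.a.n.w.a.c.AccessDeniedExceptionMapper identity[EMAILADDRESS=phil@blah, "
    "CN=Phil H, OU=Blah], groups[] does not have permission to access the "
    "requested resource. Unable to view the user interface. "
    "Returning Forbidden response.\n"
)

IDENTITY_PROPS = re.compile(r"^(Initial (User|Admin) Identity|Node Identity)( \d+)?$")
DENIED = re.compile(r"AccessDeniedExceptionMapper identity\[(.*?)\], groups\[", re.S)


def configured_identities(xml_text):
    """Map (provider identifier, property name) to the raw, untrimmed value."""
    found = {}
    for provider in ET.fromstring(xml_text):
        ident = provider.findtext("identifier", default=provider.tag)
        for prop in provider.findall("property"):
            name = prop.get("name", "")
            if IDENTITY_PROPS.match(name) and (prop.text or "").strip():
                found[(ident, name)] = prop.text
    return found


def denied_identities(log_text):
    """Identities that the log shows being refused access."""
    return sorted(set(DENIED.findall(log_text)))


def classify(configured, presented):
    """Say how a configured identity differs from the one NiFi logged."""
    if configured == presented:
        return "exact"
    a, b = " ".join(configured.split()), " ".join(presented.split())
    if a == b:
        return "whitespace-only"
    if a.lower() == b.lower():
        return "case-only"
    return "different"


def report(xml_text, log_text):
    """One (provider, property, verdict) row per configured/denied pair."""
    configured = configured_identities(xml_text)
    return [(provider, name, classify(value, presented))
            for presented in denied_identities(log_text)
            for (provider, name), value in configured.items()]


if __name__ == "__main__":
    for provider, name, verdict in report(AUTHORIZERS_XML, USER_LOG):
        print(f"{provider:28} {name:26} {verdict}")
```
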