[ https://issues.apache.org/jira/browse/NIFI-2186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15368617#comment-15368617 ]

ASF GitHub Bot commented on NIFI-2186:
--------------------------------------

GitHub user alopresto opened a pull request:

    https://github.com/apache/nifi/pull/622

    NIFI-2186 Refactored CertificateUtils to separate logic for DN extrac…

    …tion from server/client sockets. Added logic to detect server/client mode encapsulated in exposed method.
    
    Added unit tests for DN extraction.
    Corrected typo in Javadoc.
    Switched server/client socket logic for certificate extraction -- when the local socket is in client/server mode, the peer is necessarily the inverse.
    Fixed unit tests.
    Moved lazy-loading authentication access out of isDebugEnabled() control branch.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/alopresto/nifi NIFI-2186

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/622.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #622
    
----
commit b6fec77ccab01664a11518b6f9652bc2cd855040
Author: Andy LoPresto <alopre...@apache.org>
Date:   2016-07-05T04:05:58Z

    NIFI-2186 Refactored CertificateUtils to separate logic for DN extraction from server/client sockets. Added logic to detect server/client mode encapsulated in exposed method.
    Added unit tests for DN extraction.
    Corrected typo in Javadoc.
    Switched server/client socket logic for certificate extraction -- when the local socket is in client/server mode, the peer is necessarily the inverse.
    Fixed unit tests.
    Moved lazy-loading authentication access out of isDebugEnabled() control branch.

----


> Cluster communication treats client and server sockets identically for peer 
> certificate DN extraction
> -----------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-2186
>                 URL: https://issues.apache.org/jira/browse/NIFI-2186
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.0.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Critical
>              Labels: certificate, cluster, security, tls
>             Fix For: 1.0.0
>
>
> The code to extract the peer certificate DN is identical for client and 
> server {{SSLSocket}}, which means that servers are subject to the 
> {{nifi.security.needClientAuth}} setting being set to {{true}}. Server 
> certificates must be present in a secure connection regardless of this 
> setting. This was fixed in {{0.x}} in [NIFI-2119] and must be ported to the 
> {{master}} branch.  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
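
The mode-aware peer DN check described in the issue, as an added Java sketch (not NiFi's CertificateUtils code and not part of the original message). The class and method names are hypothetical, and the sketch assumes the client-auth requirement is read from the socket itself rather than from `nifi.security.needClientAuth`.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

// Illustrative sketch; names are hypothetical, not the project's API.
public class PeerDnExample {

    /** Decides whether a peer certificate is mandatory, based on the LOCAL socket's role. */
    static boolean peerCertificateRequired(boolean localClientMode, boolean needClientAuth) {
        // Local client mode: the peer is the server, which must always present a certificate.
        // Local server mode: the peer is the client, so only here does needClientAuth apply.
        return localClientMode || needClientAuth;
    }

    /** Returns the peer's subject DN, or null when an optional client certificate is absent. */
    static String extractPeerDn(SSLSocket socket) throws CertificateException {
        boolean required =
                peerCertificateRequired(socket.getUseClientMode(), socket.getNeedClientAuth());
        Certificate[] chain;
        try {
            // getSession() completes the handshake if it has not run yet.
            chain = socket.getSession().getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            if (required) {
                throw new CertificateException("Peer presented no verified certificate", e);
            }
            return null; // server side, client auth optional: anonymous client is acceptable
        }
        if (!(chain[0] instanceof X509Certificate)) {
            throw new CertificateException("Peer certificate is not X.509");
        }
        return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
    }

    public static void main(String[] args) {
        // Constructed role/setting combinations; no network connection is needed for this table.
        boolean[][] cases = {{true, false}, {true, true}, {false, false}, {false, true}};
        for (boolean[] c : cases) {
            System.out.printf("local=%s needClientAuth=%s -> peer cert required=%s%n",
                    c[0] ? "client" : "server", c[1], peerCertificateRequired(c[0], c[1]));
        }
    }
}
```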
