[ https://issues.apache.org/jira/browse/NIFI-8057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243308#comment-17243308 ]

David Handermann commented on NIFI-8057:
----------------------------------------

Reviewing the release history, it appears that this change was released in 
version 1.12.0, so anyone upgrading from previous versions would already be 
impacted.

Reviewing ListenGRPC more closely, it appears that the createSslContext() call 
is not necessary, since the GRPC server depends on the Netty SslContextBuilder, 
which does not use the javax.net.ssl.SSLContext.  For this particular issue, 
ListenGRPC could be refactored to support the behavior from 1.11 and previous 
versions, which would still involve the implied one-way or two-way TLS handling 
based on whether trust store properties are configured.

Other processors would need to be evaluated separately, but it seems best to 
preserve the checks for empty trust store properties introduced in 1.12.0.

As far as maintaining backward compatibility in other processors, one option 
would be to review where createSslContext() is being called, determine whether 
that behavior exists now, and introduce an additional method that would 
explicitly load the JVM default trust store.  The component could log a warning 
indicating what is happening.  Introducing explicit loading of the default 
trust store at a higher level introduces more code, but it would preserve the 
sanity checking in the NiFi SslContextFactory.

> Remove truststore check from SslContextFactory.createSslContext()
> -----------------------------------------------------------------
>
>                 Key: NIFI-8057
>                 URL: https://issues.apache.org/jira/browse/NIFI-8057
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.12.0, 1.12.1
>            Reporter: Peter Turcsanyi
>            Priority: Major
>
> NIFI-7407 introduced a check in {{SslContextFactory.createSslContext()}}: if 
> KS is configured, then TS must be configured too 
> ([https://github.com/apache/nifi/blob/857eeca3c7d4b275fd698430594e7fae4864feff/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java#L79])
> This constraint is too strict for server-style processors (like ListenGRPC) 
> where only a KS is needed for 1-way SSL (and the presence of TS turns on 
> 2-way SSL).
> The check should be removed/relieved.
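The refactoring the comment proposes for ListenGRPC, building the gRPC server's TLS context with the Netty SslContextBuilder instead of going through javax.net.ssl.SSLContext, so that a trust store switches between one-way and two-way TLS. This is an added illustrative example, not code from NiFi or the ListenGRPC processor; the class name, method name and parameter names are assumed.

```java
import io.grpc.netty.GrpcSslContexts;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public final class ServerTlsExample {

    // Builds the gRPC server SslContext directly with Netty, bypassing javax.net.ssl.SSLContext.
    // Keystore: always required (the server must present a certificate).
    // Truststore: optional. Present -> client certificates are required (two-way TLS);
    // absent -> no client certificate is requested (one-way TLS), as in 1.11 and earlier.
    public static SslContext buildServerSslContext(String keystorePath, String keystoreType,
            char[] keystorePassword, String truststorePath, String truststoreType,
            char[] truststorePassword) throws Exception {
        if (keystorePath == null || keystorePath.isEmpty()) {
            throw new IllegalArgumentException("A keystore is required for a TLS server");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(keystorePath, keystoreType, keystorePassword), keystorePassword);
        SslContextBuilder builder = SslContextBuilder.forServer(kmf);

        if (truststorePath != null && !truststorePath.isEmpty()) {
            // Trust store configured: verify client certificates against it (mutual TLS).
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadKeyStore(truststorePath, truststoreType, truststorePassword));
            builder.trustManager(tmf).clientAuth(ClientAuth.REQUIRE);
        } else {
            // No trust store: one-way TLS, do not request a client certificate.
            builder.clientAuth(ClientAuth.NONE);
        }
        // Apply gRPC's HTTP/2 ALPN and cipher-suite requirements before building.
        return GrpcSslContexts.configure(builder).build();
    }

    private static KeyStore loadKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
        }
        return keyStore;
    }
}
```

Because the trust store is only consulted when it is configured, the empty-trust-store check that NIFI-7407 added to SslContextFactory never runs on this path; a processor that still wants that sanity check would need to apply it itself before calling this method.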



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
