[ https://issues.apache.org/jira/browse/NIFI-8057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243308#comment-17243308 ]
David Handermann commented on NIFI-8057:
----------------------------------------

Reviewing the release history, it appears that this change was released in version 1.12.0, so anyone upgrading from previous versions would already be impacted.

Reviewing ListenGRPC more closely, it appears that the createSslContext() call is not necessary, since the GRPC server depends on the Netty SslContextBuilder, which does not use the javax.net.ssl.SSLContext.

For this particular issue, ListenGRPC could be refactored to support the behavior from 1.11 and previous versions, which would still involve the implied one-way or two-way TLS handling based on whether trust store properties are configured. Other processors would need to be evaluated separately, but it seems best to preserve the checks for empty trust store properties introduced in 1.12.0.

As far as maintaining backward compatibility in other processors, one option would be to review where createSslContext() is being called, determine whether that behavior exists now, and introduce an additional method that would explicitly load the JVM default trust store. The component could log a warning indicating what is happening. Introducing explicit loading of the default trust store at a higher level introduces more code, but it would preserve the sanity checking in the NiFi SslContextFactory.
> Remove truststore check from SslContextFactory.createSslContext()
> -----------------------------------------------------------------
>
>                 Key: NIFI-8057
>                 URL: https://issues.apache.org/jira/browse/NIFI-8057
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.12.0, 1.12.1
>            Reporter: Peter Turcsanyi
>            Priority: Major
>
> NIFI-7407 introduced a check in {{SslContextFactory.createSslContext()}}: if
> KS is configured, then TS must be configured too
> ([https://github.com/apache/nifi/blob/857eeca3c7d4b275fd698430594e7fae4864feff/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java#L79])
> This constraint is too strict for server-style processors (like ListenGRPC)
> where only a KS is needed for 1-way SSL (and the presence of TS turns on
> 2-way SSL).
> The check should be removed/relieved.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
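
One way the "additional method" suggested in the comment could look, as an added example that is not NiFi code and not part of the original thread. The class and method names are hypothetical; only JDK `javax.net.ssl` APIs are used, and the caller must choose between a configured trust store and the JVM default explicitly instead of getting the default from a missing property.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Objects;
import java.util.logging.Logger;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper for illustration; not NiFi's SslContextFactory.
public final class DefaultTrustStoreExample {
    private static final Logger LOG = Logger.getLogger(DefaultTrustStoreExample.class.getName());

    // Configured trust store: a null store is rejected so it cannot silently mean "JVM default".
    static TrustManager[] fromTrustStore(KeyStore trustStore) throws GeneralSecurityException {
        Objects.requireNonNull(trustStore, "trust store must be configured");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    // Explicit opt-in: a null KeyStore makes the factory load the JVM default trust store.
    static TrustManager[] fromJvmDefault() throws GeneralSecurityException {
        LOG.warning("No trust store configured; loading the JVM default trust store");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return tmf.getTrustManagers();
    }

    // The context is only built from trust managers the caller chose on purpose.
    static SSLContext create(KeyStore keyStore, char[] keyPassword, TrustManager[] trustManagers)
            throws GeneralSecurityException {
        Objects.requireNonNull(trustManagers, "use fromTrustStore() or fromJvmDefault()");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), trustManagers, null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an empty in-memory PKCS12 key store stands in for a configured one.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, null);
        TrustManager[] trustManagers = fromJvmDefault();
        SSLContext context = create(keyStore, new char[0], trustManagers);
        int issuers = ((X509TrustManager) trustManagers[0]).getAcceptedIssuers().length;
        System.out.println(context.getProtocol() + " context trusting " + issuers + " default CA certificates");
    }
}
```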