[ https://issues.apache.org/jira/browse/NIFI-3788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15996928#comment-15996928 ]
ASF GitHub Bot commented on NIFI-3788: -------------------------------------- Github user brosander commented on the issue: https://github.com/apache/nifi/pull/1753 Reviewing > Support wildcard certificates in SSLStandardContextService > ---------------------------------------------------------- > > Key: NIFI-3788 > URL: https://issues.apache.org/jira/browse/NIFI-3788 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework > Affects Versions: 1.1.1 > Reporter: Andy LoPresto > Assignee: Andy LoPresto > Labels: certificate, pki, security, tls > > Some users have reported issues when attempting to connect to an external > service which is secured for TLS via a wildcard certificate (i.e. hostname is > {{https://example.domain.com}} and the certificate DN contains > {{CN=*.domain.com}}. This requires changes in the > {{SSLStandardContextService}} to correctly parse the CN and evaluate wildcard > entries if present. > In addition, as specified by [RFC 2818|https://tools.ietf.org/html/rfc2818], > certificate evaluation (specifically hostname validation) should prioritize > Subject Alternative Names over DN parsing. Chrome 58+ has begun to implement > this prioritization, which can cause issues with certificate validation even > if the CN matches the hostname but SANs are present but do not include the > hostname. -- This message was sent by Atlassian JIRA (v6.3.15#6346)