[jira] [Commented] (NIFI-3788) Support wildcard certificates in SSLStandardContextService

Thu, 04 May 2017 09:12:27 -0700 

    [ 
https://issues.apache.org/jira/browse/NIFI-3788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15996999#comment-15996999
 ] 

ASF subversion and git services commented on NIFI-3788:
-------------------------------------------------------

Commit 4f40eca16ce64b0acfd60fe76d974a4e13a9951b in nifi's branch 
refs/heads/master from [~alopresto]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=4f40eca ]

NIFI-3788 Switched Amazon HTTP client instantiation from using null 
HostnameVerifier (which defaulted to Strict, which cannot handle wildcard 
certificate hostnames) to DefaultHostnameVerifier, which is fine.

I still want to add unit tests and integration tests, but I ran a flow which 
had previously caused the reproducible exception and this worked fine (flow 
showed objects were put in S3, no exceptions, and I verified through AWS Web 
Console that new objects were present).

This closes #1753.

Signed-off-by: Bryan Rosander <brosan...@apache.org>


> Support wildcard certificates in SSLStandardContextService
> ----------------------------------------------------------
>
>                 Key: NIFI-3788
>                 URL: https://issues.apache.org/jira/browse/NIFI-3788
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.1.1
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>              Labels: certificate, pki, security, tls
>
> Some users have reported issues when attempting to connect to an external 
> service which is secured for TLS via a wildcard certificate (i.e. hostname is 
> {{https://example.domain.com}} and the certificate DN contains 
> {{CN=*.domain.com}}. This requires changes in the 
> {{SSLStandardContextService}} to correctly parse the CN and evaluate wildcard 
> entries if present. 
> In addition, as specified by [RFC 2818|https://tools.ietf.org/html/rfc2818], 
> certificate evaluation (specifically hostname validation) should prioritize 
> Subject Alternative Names over DN parsing. Chrome 58+ has begun to implement 
> this prioritization, which can cause issues with certificate validation even 
> if the CN matches the hostname but SANs are present but do not include the 
> hostname. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to