[ https://issues.apache.org/jira/browse/NIFI-3788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15996999#comment-15996999 ]
ASF subversion and git services commented on NIFI-3788: ------------------------------------------------------- Commit 4f40eca16ce64b0acfd60fe76d974a4e13a9951b in nifi's branch refs/heads/master from [~alopresto] [ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=4f40eca ] NIFI-3788 Switched Amazon HTTP client instantiation from using null HostnameVerifier (which defaulted to Strict, which cannot handle wildcard certificate hostnames) to DefaultHostnameVerifier, which is fine. I still want to add unit tests and integration tests, but I ran a flow which had previously caused the reproducible exception and this worked fine (flow showed objects were put in S3, no exceptions, and I verified through AWS Web Console that new objects were present). This closes #1753. Signed-off-by: Bryan Rosander <brosan...@apache.org> > Support wildcard certificates in SSLStandardContextService > ---------------------------------------------------------- > > Key: NIFI-3788 > URL: https://issues.apache.org/jira/browse/NIFI-3788 > Project: Apache NiFi > Issue Type: Improvement > Components: Core Framework > Affects Versions: 1.1.1 > Reporter: Andy LoPresto > Assignee: Andy LoPresto > Labels: certificate, pki, security, tls > > Some users have reported issues when attempting to connect to an external > service which is secured for TLS via a wildcard certificate (i.e. hostname is > {{https://example.domain.com}} and the certificate DN contains > {{CN=*.domain.com}}. This requires changes in the > {{SSLStandardContextService}} to correctly parse the CN and evaluate wildcard > entries if present. > In addition, as specified by [RFC 2818|https://tools.ietf.org/html/rfc2818], > certificate evaluation (specifically hostname validation) should prioritize > Subject Alternative Names over DN parsing. Chrome 58+ has begun to implement > this prioritization, which can cause issues with certificate validation even > if the CN matches the hostname but SANs are present but do not include the > hostname. -- This message was sent by Atlassian JIRA (v6.3.15#6346)