[ https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16142398#comment-16142398 ]
ASF GitHub Bot commented on NIFI-2528:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/1986#discussion_r135370201

--- Diff: nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/SSLContextServiceUtils.java ---
@@ -0,0 +1,77 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.ssl; + +import java.security.NoSuchAlgorithmException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +import javax.net.ssl.SSLContext; + +import org.apache.nifi.components.AllowableValue; + +public class SSLContextServiceUtils { + + /** + * Build a set of allowable SSL protocol algorithms based on JVM configuration and whether + * or not the list should be restricted to include only certain protocols. + * + * @param restricted whether the set of allowable protocol values should be restricted. + * + * @return the computed set of allowable values + */ + public static AllowableValue[] buildSSLAlgorithmAllowableValues(final boolean restricted) { + final Set<String> supportedProtocols = new HashSet<>(); + + // if restricted, only allow the below set of protocols. 
+ if(restricted) { + supportedProtocols.add("TLSv1.2");
--- End diff --

I know having `{TLS, TLSv1.2}` may look ambiguous or confusing in the restricted set, but I think including `TLS` is good here because when [TLSv1.3](https://blog.cloudflare.com/introducing-tls-1-3/) (see also [2](https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/) [3](https://kinsta.com/blog/tls-1-3/)) and so on are supported, users won't have to revisit this and explicitly enable/upgrade to that protocol version. We should improve the `TLS` tooltip to explain that it chooses the highest supported TLS protocol version automatically, and perhaps identify the minimum supported version.

> Update ListenHTTP to honor SSLContextService Protocols
> ------------------------------------------------------
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.0.0, 0.8.0, 0.7.1
> Reporter: Joe Skora
> Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for PostHTTP.

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
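
Review bot: the Javadoc for `restricted` on `buildSSLAlgorithmAllowableValues` says only that the set "should be restricted", without naming which protocols remain or why, while the `if(restricted)` branch adds `"TLSv1.2"` as a bare string literal. Suggest listing the restricted protocols in the Javadoc and moving the protocol names into named constants so the allowed set is defined in one place. The quoted diff stops at this line, so the rest of the branch is not visible here. Minor style point: `if(restricted)` is missing a space after `if`.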
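
The trade-off discussed in the comment above (the generic `TLS` name versus a pinned `TLSv1.2`, and stating a minimum version) can be inspected on any JVM with standard JSSE calls. This is an added example, not code from the NiFi pull request; the class name `TlsProtocolFloor` and the helper `atOrAbove` are hypothetical, and the printed protocol lists depend on the JVM and its security configuration.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (hypothetical class, not part of NiFi).
public class TlsProtocolFloor {
    // Standard JSSE protocol names, ordered oldest to newest.
    private static final List<String> ORDER =
            Arrays.asList("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");

    /** Keep only protocols at or above the floor; names not in ORDER (e.g. SSLv2Hello) are dropped. */
    static String[] atOrAbove(String floor, String[] candidates) {
        int min = ORDER.indexOf(floor);
        if (min < 0) {
            throw new IllegalArgumentException("unknown protocol: " + floor);
        }
        return Arrays.stream(candidates)
                .filter(p -> ORDER.indexOf(p) >= min)
                .toArray(String[]::new);
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"TLS", "TLSv1.2"}) {
            SSLContext ctx = SSLContext.getInstance(name);
            ctx.init(null, null, null); // default key/trust managers are enough to inspect protocols
            SSLEngine engine = ctx.createSSLEngine();
            System.out.println(name + " enabled by default: "
                    + Arrays.toString(engine.getEnabledProtocols()));

            // Apply an explicit minimum so newer versions are picked up automatically
            // while anything older than the floor stays off.
            String[] allowed = atOrAbove("TLSv1.2", engine.getSupportedProtocols());
            if (allowed.length == 0) {
                throw new IllegalStateException("JVM offers no protocol at or above TLSv1.2");
            }
            engine.setEnabledProtocols(allowed);
            System.out.println(name + " with TLSv1.2 floor: "
                    + Arrays.toString(engine.getEnabledProtocols()));
        }
    }
}
```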