[
https://issues.apache.org/jira/browse/NIFI-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16142398#comment-16142398
]
ASF GitHub Bot commented on NIFI-2528:
--------------------------------------
Github user alopresto commented on a diff in the pull request:
https://github.com/apache/nifi/pull/1986#discussion_r135370201
--- Diff:
nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/SSLContextServiceUtils.java
---
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.nifi.ssl;
+
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.net.ssl.SSLContext;
+
+import org.apache.nifi.components.AllowableValue;
+
+public class SSLContextServiceUtils {
+
+ /**
+ * Build a set of allowable SSL protocol algorithms based on JVM
configuration and whether
+ * or not the list should be restricted to include only certain
protocols.
+ *
+ * @param restricted whether the set of allowable protocol values
should be restricted.
+ *
+ * @return the computed set of allowable values
+ */
+ public static AllowableValue[] buildSSLAlgorithmAllowableValues(final
boolean restricted) {
+ final Set<String> supportedProtocols = new HashSet<>();
+
+ // if restricted, only allow the below set of protocols.
+ if(restricted) {
+ supportedProtocols.add("TLSv1.2");
--- End diff --
I know having `{TLS, TLSv1.2}` may look ambiguous or confusing in the
restricted set, but I think including `TLS` is good here because when
[TLSv1.3](https://blog.cloudflare.com/introducing-tls-1-3/) (see also
[2](https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/)
[3](https://kinsta.com/blog/tls-1-3/)) and so on are supported, users won't
have to revisit this and explicitly enable/upgrade to that protocol version. We
should improve the `TLS` tooltip to explain that it chooses the highest
supported TLS protocol version automatically, and perhaps identify the minimum
supported version.
> Update ListenHTTP to honor SSLContextService Protocols
> ------------------------------------------------------
>
> Key: NIFI-2528
> URL: https://issues.apache.org/jira/browse/NIFI-2528
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 1.0.0, 0.8.0, 0.7.1
> Reporter: Joe Skora
> Assignee: Michael Hogue
>
> Update ListenHTTP to honor SSLContextService Protocols as [NIFI-1688] did for
> PostHTTP.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
