[ https://issues.apache.org/jira/browse/NIFI-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16359189#comment-16359189 ]
ASF subversion and git services commented on NIFI-3367: ------------------------------------------------------- Commit b7fdb235ee1055e24fdb3ac000cc8039751199ad in nifi's branch refs/heads/master from Lori Buettner [ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=b7fdb23 ] NIFI-3367 Added token length check and unit test. This closes #2463. Signed-off-by: Andy LoPresto <alopre...@apache.org> > TLS Toolkit should enforce minimum length restriction on CA token > ----------------------------------------------------------------- > > Key: NIFI-3367 > URL: https://issues.apache.org/jira/browse/NIFI-3367 > Project: Apache NiFi > Issue Type: Bug > Components: Tools and Build > Affects Versions: 1.1.1 > Reporter: Andy LoPresto > Assignee: Andy LoPresto > Priority: Major > Labels: security, tls-toolkit > > The TLS Toolkit uses a shared secret "token" when running in client/server > mode in order to perform pre-authentication when requesting a signed > certificate from the CA. There is a validation that this token is *required*, > but not that it is of a certain length. Because the HMAC construction is > available in the source code, the process could easily be brute-forced if the > token value is short. We should enforce a minimum length of 16 bytes > (regardless if read from {{config.json}} or provided via command line). > We may also want to add exponential rate-limiting on failed HMAC values for > the same requested public key DN in order to mitigate malicious requests. -- This message was sent by Atlassian JIRA (v7.6.3#76005)