[ https://issues.apache.org/jira/browse/NIFI-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16559973#comment-16559973 ]
ASF GitHub Bot commented on NIFI-5400:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

https://github.com/apache/nifi/pull/2919#discussion_r205831217

--- Diff: nifi-toolkit/nifi-toolkit-admin/src/test/groovy/org/apache/nifi/toolkit/admin/client/NiFiClientFactorySpec.groovy ---
@@ -121,21 +122,86 @@ class NiFiClientFactorySpec extends Specification { } + def "should verify wildcard in CN in certificate based on subjectDN"(){ + + given: + final String EXPECTED_DN = "CN=*.nifi.apache.org,OU=Security,O=Apache,ST=CA,C=US" + Certificate[] certificateChain = generateCertificateChain(EXPECTED_DN,ISSUER_DN) + def mockSession = Mock(SSLSession) + DefaultHostnameVerifier verifier = new DefaultHostnameVerifier() + mockSession.getPeerCertificates() >> certificateChain + + when: + def verified = verifier.verify("client.nifi.apache.org",mockSession)
--- End diff --

Please rename these variables (and in following tests) to be more descriptive, i.e. `def validSubdomainIsVerified`, `def validSubdomainIsVerified2`, `def invalidSubdomainIsNotVerified`.

> NiFiHostnameVerifier should be replaced
> ---------------------------------------
>
>                 Key: NIFI-5400
>                 URL: https://issues.apache.org/jira/browse/NIFI-5400
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.7.0
>            Reporter: Andy LoPresto
>            Priority: Major
>              Labels: certificate, hostname, security, tls
>
> The {{NiFiHostnameVerifier}} does not handle wildcard certificates or complex
> {{SubjectAlternativeNames}}. It should be replaced with a more full-featured
> implementation, like {{OkHostnameVerifier}} from {{okhttp}} or
> {{DefaultHostnameVerifier}} from {{http-client}}. Either of these options
> requires introducing a new Maven dependency to {{nifi-commons}} and requires
> further investigation.
> *Note: * the {{sun.net.www.protocol.httpsDefaultHostnameVerifier}} simply
> returns {{false}} on all inputs and is not a valid solution.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
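Review bot: the outcome of this case depends on `generateCertificateChain(EXPECTED_DN,ISSUER_DN)` producing a leaf with no subjectAltName extension, because `DefaultHostnameVerifier` only falls back to CN matching when the certificate presents no SAN entries; state that in a comment next to the `given:` block and add a sibling case that places `*.nifi.apache.org` in a SAN dNSName entry instead, since SAN handling is the gap NIFI-5400 names. With the wildcard covering exactly one label, a negative input of the form `a.b.nifi.apache.org` alongside `client.nifi.apache.org` would also pin down that rule, if the following tests' `invalidSubdomainIsNotVerified` case does not already use one.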
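As an added illustration of the behaviour the issue describes, and not code from the NiFi pull request or from either library it names, the Python below models the two rules that separate a full-featured verifier such as `DefaultHostnameVerifier` from an exact-match one: SAN dNSName entries take precedence over the CN (the CN is consulted only when no SAN is present), and a wildcard stands in for exactly one leftmost DNS label. The `PeerCert` class and the sample certificates are constructed stand-ins for parsed X.509 data; `naive_verify` is an assumed minimal verifier used only for contrast.

```python
"""
RFC 6125 style hostname matching, modelled in Python (added example).

Two rules matter for NIFI-5400:
  1. subjectAltName dNSName entries are authoritative; the subject CN is
     only a fallback when the certificate carries no SAN entries at all.
  2. A '*' is honoured only as the entire leftmost label and matches
     exactly one label, so '*.nifi.apache.org' covers
     'client.nifi.apache.org' but not 'nifi.apache.org' or
     'a.b.nifi.apache.org'.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerCert:
    """Constructed stand-in for a parsed X.509 leaf: subject CN plus SAN dNSNames."""
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def _match_identity(host: str, identity: str) -> bool:
    """Match one presented identity (CN or SAN dNSName) against the requested host."""
    host = host.lower().rstrip(".")
    identity = identity.lower().rstrip(".")
    if "*" not in identity:
        return host == identity
    labels = identity.split(".")
    # Wildcard must be the whole leftmost label, appear once, and sit in front
    # of at least two further labels so that '*.org' style identities are refused.
    if labels[0] != "*" or len(labels) < 3 or "*" in identity[2:]:
        return False
    host_labels = host.split(".")
    if len(host_labels) != len(labels):
        return False  # a wildcard covers exactly one label, never zero or several
    return host_labels[0] != "" and host_labels[1:] == labels[1:]


def naive_verify(host: str, cert: PeerCert) -> bool:
    """Assumed minimal verifier: exact, case-insensitive CN comparison and nothing else."""
    return cert.common_name is not None and host.lower() == cert.common_name.lower()


def verify(host: str, cert: PeerCert) -> bool:
    """Full-featured verifier: SAN dNSNames first, CN only when no SAN is present."""
    if cert.san_dns_names:
        return any(_match_identity(host, name) for name in cert.san_dns_names)
    if cert.common_name:
        return _match_identity(host, cert.common_name)
    return False


if __name__ == "__main__":
    wildcard_cn_only = PeerCert(common_name="*.nifi.apache.org")
    wildcard_san = PeerCert(common_name="nifi.apache.org",
                            san_dns_names=["*.nifi.apache.org"])
    for host, cert in [("client.nifi.apache.org", wildcard_cn_only),
                       ("client.nifi.apache.org", wildcard_san),
                       ("a.b.nifi.apache.org", wildcard_san),
                       ("nifi.apache.org", wildcard_san)]:
        print(f"{host:26} naive={naive_verify(host, cert)!s:5} full={verify(host, cert)}")
```

The last sample is the one that usually surprises people: the CN is `nifi.apache.org`, yet the host `nifi.apache.org` is rejected because the certificate carries a SAN list and the CN is therefore never consulted.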