[jira] [Commented] (NIFI-5400) NiFiHostnameVerifier should be replaced

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/NIFI-5400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16559973#comment-16559973
 ] 

ASF GitHub Bot commented on NIFI-5400:
--------------------------------------

Github user alopresto commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2919#discussion_r205831217
  
    --- Diff: 
nifi-toolkit/nifi-toolkit-admin/src/test/groovy/org/apache/nifi/toolkit/admin/client/NiFiClientFactorySpec.groovy
 ---
    @@ -121,21 +122,86 @@ class NiFiClientFactorySpec extends Specification {
     
         }
     
    +    def "should verify wildcard in CN in certificate based on subjectDN"(){
    +
    +        given:
    +        final String EXPECTED_DN = 
"CN=*.nifi.apache.org,OU=Security,O=Apache,ST=CA,C=US"
    +        Certificate[] certificateChain = 
generateCertificateChain(EXPECTED_DN,ISSUER_DN)
    +        def mockSession = Mock(SSLSession)
    +        DefaultHostnameVerifier verifier = new DefaultHostnameVerifier()
    +        mockSession.getPeerCertificates() >> certificateChain
    +
    +        when:
    +        def verified = 
verifier.verify("client.nifi.apache.org",mockSession)
    --- End diff --
    
    Please rename these variables (and in following tests) to be more 
descriptive, i.e. `def validSubdomainIsVerified`, `def 
validSubdomainIsVerified2`, `def invalidSubdomainIsNotVerified`. 


> NiFiHostnameVerifier should be replaced
> ---------------------------------------
>
>                 Key: NIFI-5400
>                 URL: https://issues.apache.org/jira/browse/NIFI-5400
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.7.0
>            Reporter: Andy LoPresto
>            Priority: Major
>              Labels: certificate, hostname, security, tls
>
> The {{NiFiHostnameVerifier}} does not handle wildcard certificates or complex 
> {{SubjectAlternativeNames}}. It should be replaced with a more full-featured 
> implementation, like {{OkHostnameVerifier}} from {{okhttp}} or 
> {{DefaultHostnameVerifier}} from {{http-client}}. Either of these options 
> requires introducing a new Maven dependency to {{nifi-commons}} and requires 
> further investigation. 
> *Note: * the {{sun.net.www.protocol.httpsDefaultHostnameVerifier}} simply 
> returns {{false}} on all inputs and is not a valid solution. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)