[GitHub] [nifi] ijokarumawak commented on a change in pull request #3404: [WIP] NIFI-5176 Java 11 Build Compatibilty

2019-07-12 Thread GitBox 
ijokarumawak commented on a change in pull request #3404: [WIP] NIFI-5176 Java 
11 Build Compatibilty
URL: https://github.com/apache/nifi/pull/3404#discussion_r302862953
 
 

 ##
 File path: 
nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/SiteToSiteClient.java
 ##
 @@ -888,7 +888,7 @@ public SSLContext getSslContext() {
 if (keyManagerFactory != null && trustManagerFactory != null) {
 try {
 // initialize the ssl context
-final SSLContext sslContext = 
SSLContext.getInstance("TLS");
+final SSLContext sslContext = 
SSLContext.getInstance("TLSv1.2"); // FIXME TLSv1.3 not working under Java 11, 
setting explicitly to TLSv1.2 works.
 
 Review comment:
   Got a response, here is the ML thread.
   
http://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201907.mbox/browser
   
   The test fails due to this JDK issue. After I upgraded JDK from 11.0.1 to 
11.0.3, the test passed.
   https://bugs.openjdk.java.net/browse/JDK-8212885
   
   With JDK 11.0.1, 
`org.apache.nifi.remote.client.http.TestHttpClient.testSendSuccessHTTPS()` and 
`testSendLargeFileHTTPS()` tests failed with following exception:
   ```
   Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at 
java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
at 
org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:464)
at 
org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
at 
org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at 
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at 
org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at 
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at 
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at 
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at 
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at 
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at 
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at 
org.apache.nifi.remote.util.SiteToSiteRestApiClient.commitTransferFlowFiles(SiteToSiteRestApiClient.java:1498)
at 
org.apache.nifi.remote.protocol.http.HttpClientTransaction.readTransactionResponse(HttpClientTransaction.java:96)
at 
org.apache.nifi.remote.AbstractTransaction.complete(AbstractTransaction.java:296)
... 29 more
   ```
   
   @jtstorck The JDK issue happens always with these tests if I changed the 
code to use TLS 1.3. But secure HTTPS S2S works fine if I actually run NiFi 
with JDK 11.0.1. Is that the same behavior on your environment?
   
   If the error doesn't (normally) happen with a running NiFi, just marking 
these failing tests with `@Ignore` with a TODO note, reverting the changes to 
use `TLS` without specific version and document about a possibility of getting 
`javax.net.ssl.SSLPeerUnverifiedException` due to JDK-8212885 to guide users to 
upgrade their JDK to 11.0.3 would suffice. OR we could say Java 11.0.3 is the 
minimum requirement. How do you think?


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

[GitHub] [nifi] ijokarumawak commented on a change in pull request #3404: [WIP] NIFI-5176 Java 11 Build Compatibilty

2019-07-11 Thread GitBox 
ijokarumawak commented on a change in pull request #3404: [WIP] NIFI-5176 Java 
11 Build Compatibilty
URL: https://github.com/apache/nifi/pull/3404#discussion_r302396442
 
 

 ##
 File path: 
nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/SiteToSiteClient.java
 ##
 @@ -888,7 +888,7 @@ public SSLContext getSslContext() {
 if (keyManagerFactory != null && trustManagerFactory != null) {
 try {
 // initialize the ssl context
-final SSLContext sslContext = 
SSLContext.getInstance("TLS");
+final SSLContext sslContext = 
SSLContext.getInstance("TLSv1.2"); // FIXME TLSv1.3 not working under Java 11, 
setting explicitly to TLSv1.2 works.
 
 Review comment:
   Asking a question on httpcomponent user ML..


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

[GitHub] [nifi] ijokarumawak commented on a change in pull request #3404: [WIP] NIFI-5176 Java 11 Build Compatibilty

2019-07-09 Thread GitBox 
ijokarumawak commented on a change in pull request #3404: [WIP] NIFI-5176 Java 
11 Build Compatibilty
URL: https://github.com/apache/nifi/pull/3404#discussion_r301426388
 
 

 ##
 File path: nifi-assembly/LICENSE
 ##
 @@ -208,6 +208,77 @@ notices and license terms. Your use of the source code 
for the these
 subcomponents is subject to the terms and conditions of the following
 licenses. 
 
+This product bundles 'Apache Ant 1.9.13' which is available under an ALSv2 
license and includes 'W3C'.
+
+W3C� SOFTWARE NOTICE AND LICENSE
 
 Review comment:
   There's a weird character after 'W3C'.


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

[GitHub] [nifi] ijokarumawak commented on a change in pull request #3404: [WIP] NIFI-5176 Java 11 Build Compatibilty

2019-07-09 Thread GitBox 
ijokarumawak commented on a change in pull request #3404: [WIP] NIFI-5176 Java 
11 Build Compatibilty
URL: https://github.com/apache/nifi/pull/3404#discussion_r301470472
 
 

 ##
 File path: 
nifi-commons/nifi-site-to-site-client/src/main/java/org/apache/nifi/remote/client/SiteToSiteClient.java
 ##
 @@ -888,7 +888,7 @@ public SSLContext getSslContext() {
 if (keyManagerFactory != null && trustManagerFactory != null) {
 try {
 // initialize the ssl context
-final SSLContext sslContext = 
SSLContext.getInstance("TLS");
+final SSLContext sslContext = 
SSLContext.getInstance("TLSv1.2"); // FIXME TLSv1.3 not working under Java 11, 
setting explicitly to TLSv1.2 works.
 
 Review comment:
   While TLSv1.3 doesn't work with TestHTTPClient, other tests such as 
TestHttpNotificationServiceSSL works with TLSv1.3. I suspect the difference 
comes from the library S2S HTTPClient uses, Apache HttpAsyncClient. 
   
   Apache HTTP Client 5.0's release note has a note 'Resolved compatibility 
issues with TLS 1.3 engine shipped with Java 11'. Even if Apache HTTP Client 
5.0 gets released, it may take more time for Apache HttpAsyncClient to have the 
same fix.
   
https://archive.apache.org/dist/httpcomponents/httpcore/RELEASE_NOTES-5.0.x.txt
   
   I will look at the Apache HttpComponents change around TLS 1.3 support 
closer tomorrow.


This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services