[jira] [Commented] (NIFI-8057) Remove truststore check from SslContextFactory.createSslContext()
[ https://issues.apache.org/jira/browse/NIFI-8057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243400#comment-17243400 ] Peter Turcsanyi commented on NIFI-8057: --- [~exceptionfactory] It is absolutely fine with me and tanks for the proposed fix for the GRPC processors. Created a ticket for it: NIFI-8067 I believe this jira can be closed now and the generic solution for the other processors will be implemented in separate one. > Remove truststore check from SslContextFactory.createSslContext() > - > > Key: NIFI-8057 > URL: https://issues.apache.org/jira/browse/NIFI-8057 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.12.0, 1.12.1 >Reporter: Peter Turcsanyi >Priority: Major > > NIFI-7407 introduced a check in {{SslContextFactory.createSslContext()}}: if > KS is configured, then TS must be configured too > ([https://github.com/apache/nifi/blob/857eeca3c7d4b275fd698430594e7fae4864feff/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java#L79]) > This constraint is too strict for server-style processors (like ListenGRPC) > where only a KS is needed for 1-way SSL (and the presence of TS turns on > 2-way SSL). > The check should be removed/relieved. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (NIFI-8057) Remove truststore check from SslContextFactory.createSslContext()
[ https://issues.apache.org/jira/browse/NIFI-8057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243349#comment-17243349 ] David Handermann commented on NIFI-8057: [~turcsanyip] What do you think about making the proposed changes to ListenGRPC and addressing other processors separately as described? > Remove truststore check from SslContextFactory.createSslContext() > - > > Key: NIFI-8057 > URL: https://issues.apache.org/jira/browse/NIFI-8057 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.12.0, 1.12.1 >Reporter: Peter Turcsanyi >Priority: Major > > NIFI-7407 introduced a check in {{SslContextFactory.createSslContext()}}: if > KS is configured, then TS must be configured too > ([https://github.com/apache/nifi/blob/857eeca3c7d4b275fd698430594e7fae4864feff/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java#L79]) > This constraint is too strict for server-style processors (like ListenGRPC) > where only a KS is needed for 1-way SSL (and the presence of TS turns on > 2-way SSL). > The check should be removed/relieved. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (NIFI-8057) Remove truststore check from SslContextFactory.createSslContext()
[ https://issues.apache.org/jira/browse/NIFI-8057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243318#comment-17243318 ] Joe Witt commented on NIFI-8057: I think that is totally up to you if you're doing the work. > Remove truststore check from SslContextFactory.createSslContext() > - > > Key: NIFI-8057 > URL: https://issues.apache.org/jira/browse/NIFI-8057 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.12.0, 1.12.1 >Reporter: Peter Turcsanyi >Priority: Major > > NIFI-7407 introduced a check in {{SslContextFactory.createSslContext()}}: if > KS is configured, then TS must be configured too > ([https://github.com/apache/nifi/blob/857eeca3c7d4b275fd698430594e7fae4864feff/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java#L79]) > This constraint is too strict for server-style processors (like ListenGRPC) > where only a KS is needed for 1-way SSL (and the presence of TS turns on > 2-way SSL). > The check should be removed/relieved. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (NIFI-8057) Remove truststore check from SslContextFactory.createSslContext()
[ https://issues.apache.org/jira/browse/NIFI-8057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243317#comment-17243317 ] David Handermann commented on NIFI-8057: That makes sense. For the particular issue with the ListenGRPC Processor, the previous behavior can be restored by refactoring to remove the call to createSslContext() and removing the unnecessary references to SSLContext.getProvider(), without changing the behavior of SslContextFactory.createSslContext(). [~joewitt] Do you recommend addressing issues with other Processors under this issue, or creating a new issue for each Processor impacted? > Remove truststore check from SslContextFactory.createSslContext() > - > > Key: NIFI-8057 > URL: https://issues.apache.org/jira/browse/NIFI-8057 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.12.0, 1.12.1 >Reporter: Peter Turcsanyi >Priority: Major > > NIFI-7407 introduced a check in {{SslContextFactory.createSslContext()}}: if > KS is configured, then TS must be configured too > ([https://github.com/apache/nifi/blob/857eeca3c7d4b275fd698430594e7fae4864feff/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java#L79]) > This constraint is too strict for server-style processors (like ListenGRPC) > where only a KS is needed for 1-way SSL (and the presence of TS turns on > 2-way SSL). > The check should be removed/relieved. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (NIFI-8057) Remove truststore check from SslContextFactory.createSslContext()
[ https://issues.apache.org/jira/browse/NIFI-8057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243311#comment-17243311 ] Joe Witt commented on NIFI-8057: Fair point we already created disruption. But lets still try to minimize it as best we can. Thanks > Remove truststore check from SslContextFactory.createSslContext() > - > > Key: NIFI-8057 > URL: https://issues.apache.org/jira/browse/NIFI-8057 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.12.0, 1.12.1 >Reporter: Peter Turcsanyi >Priority: Major > > NIFI-7407 introduced a check in {{SslContextFactory.createSslContext()}}: if > KS is configured, then TS must be configured too > ([https://github.com/apache/nifi/blob/857eeca3c7d4b275fd698430594e7fae4864feff/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java#L79]) > This constraint is too strict for server-style processors (like ListenGRPC) > where only a KS is needed for 1-way SSL (and the presence of TS turns on > 2-way SSL). > The check should be removed/relieved. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (NIFI-8057) Remove truststore check from SslContextFactory.createSslContext()
[ https://issues.apache.org/jira/browse/NIFI-8057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243308#comment-17243308 ] David Handermann commented on NIFI-8057: Reviewing the release history, it appears that this change was released in version 1.12.0, so anyone upgrading from previous versions would already be impacted. Reviewing ListenGRPC more closely, it appears that the createSslContext() call is not necessary, since the GRPC server depends on the Netty SslContextBuilder, which does not use the javax.net.ssl.SSLContext. For this particular issue, ListenGRPC could be refactored to support the behavior from 1.11 and previous versions, which would still involve the implied one-way or two-way TLS handling based on whether trust store properties are configured. Other processors would need to be evaluated separately, but it seems best to preserve the checks for empty trust store properties introduced in 1.12.0. As far as maintaining backward compatibility in other processors, one option would be to review where createSslContext() is being called, determine whether that behavior exists now, and introduce an additional method that would explicitly load the JVM default trust store. The component could log a warning indicating what is happening. Introducing explicit loading of the default trust store at a higher level introduces more code, but it would preserve the sanity checking in the NiFi SslContextFactory. > Remove truststore check from SslContextFactory.createSslContext() > - > > Key: NIFI-8057 > URL: https://issues.apache.org/jira/browse/NIFI-8057 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.12.0, 1.12.1 >Reporter: Peter Turcsanyi >Priority: Major > > NIFI-7407 introduced a check in {{SslContextFactory.createSslContext()}}: if > KS is configured, then TS must be configured too > ([https://github.com/apache/nifi/blob/857eeca3c7d4b275fd698430594e7fae4864feff/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java#L79]) > This constraint is too strict for server-style processors (like ListenGRPC) > where only a KS is needed for 1-way SSL (and the presence of TS turns on > 2-way SSL). > The check should be removed/relieved. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (NIFI-8057) Remove truststore check from SslContextFactory.createSslContext()
[ https://issues.apache.org/jira/browse/NIFI-8057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243274#comment-17243274 ] Joe Witt commented on NIFI-8057: Any thoughts on how to do that in a backward compatible way? Such that old flows would keep working as they did? > Remove truststore check from SslContextFactory.createSslContext() > - > > Key: NIFI-8057 > URL: https://issues.apache.org/jira/browse/NIFI-8057 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.12.1 >Reporter: Peter Turcsanyi >Priority: Major > > NIFI-7407 introduced a check in {{SslContextFactory.createSslContext()}}: if > KS is configured, then TS must be configured too > ([https://github.com/apache/nifi/blob/857eeca3c7d4b275fd698430594e7fae4864feff/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java#L79]) > This constraint is too strict for server-style processors (like ListenGRPC) > where only a KS is needed for 1-way SSL (and the presence of TS turns on > 2-way SSL). > The check should be removed/relieved. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (NIFI-8057) Remove truststore check from SslContextFactory.createSslContext()
[ https://issues.apache.org/jira/browse/NIFI-8057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243228#comment-17243228 ] David Handermann commented on NIFI-8057: Removing the null check for trust store properties seems like it would obscure the behavior of SSLContext references. Although some processors, such as ListenHTTP, use the lack of trust store properties to infer one-way TLS communication, it would be much better to make this behavior explicit through the addition of Client Authentication properties on relevant processors. The fundamental issue is that when trust store properties are not provided, null is passed to SSLContext.init() as the argument for Trust Managers. Under the hood, the JVM attempts to load the system default trust store, which includes standard public certificate authorities. These public certificate authorities are not referenced for one-way TLS, since the client is not presenting a certificate, but they would be referenced in two-way TLS. In that scenario, if someone did not pass trust store properties as part of the TLS configuration, but attempted to enable two-way TLS, client certificate validation would fail unless the client certificate was signed by a public certificate authority. There is at least one other open issue for supporting SSLContextService configuration using the JVM default trust store when communicating with public HTTPS services, but using empty values to imply the system default trust store does not seem like the best approach. With that background, it seems better to address this issue by adding Client Authentication properties to ListenGRPC and any other applicable listening processors. > Remove truststore check from SslContextFactory.createSslContext() > - > > Key: NIFI-8057 > URL: https://issues.apache.org/jira/browse/NIFI-8057 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.12.1 >Reporter: Peter Turcsanyi >Priority: Major > > NIFI-7407 introduced a check in {{SslContextFactory.createSslContext()}}: if > KS is configured, then TS must be configured too > ([https://github.com/apache/nifi/blob/857eeca3c7d4b275fd698430594e7fae4864feff/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java#L79]) > This constraint is too strict for server-style processors (like ListenGRPC) > where only a KS is needed for 1-way SSL (and the presence of TS turns on > 2-way SSL). > The check should be removed/relieved. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (NIFI-8057) Remove truststore check from SslContextFactory.createSslContext()
[ https://issues.apache.org/jira/browse/NIFI-8057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17241877#comment-17241877 ] Peter Turcsanyi commented on NIFI-8057: --- [~alopresto] do you have any concerns about it? > Remove truststore check from SslContextFactory.createSslContext() > - > > Key: NIFI-8057 > URL: https://issues.apache.org/jira/browse/NIFI-8057 > Project: Apache NiFi > Issue Type: Bug >Affects Versions: 1.12.1 >Reporter: Peter Turcsanyi >Priority: Major > > NIFI-7407 introduced a check in {{SslContextFactory.createSslContext()}}: if > KS is configured, then TS must be configured too > ([https://github.com/apache/nifi/blob/857eeca3c7d4b275fd698430594e7fae4864feff/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java#L79]) > This constraint is too strict for server-style processors (like ListenGRPC) > where only a KS is needed for 1-way SSL (and the presence of TS turns on > 2-way SSL). > The check should be removed/relieved. -- This message was sent by Atlassian Jira (v8.3.4#803005)