Juan, I believe that the underlying Jetty server for ListenHTTP will not support SSLv3. NiFi 1.1.1 uses Jetty 9.3.9.v20160517, and Jetty versions going back to at least 9.2 disable SSLv3. In addition, I believe Java 8_31 also disables SSLv3 [1]. To make this work (and for the record, I strongly discourage it), you would need to override the JRE security settings and write custom code to initialize Jetty with SSLv3.
[1] https://dev.eclipse.org/mhonarc/lists/jetty-users/msg05703.html

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Mar 24, 2017, at 12:53 PM, Juan Sequeiros <[email protected]> wrote:
>
> Hello all,
>
> I am trying to force SSLv3 on a ListenHTTP.
>
> I've changed that on my StandardSSLContextService but when I test it fails
> when I specify sslv3 and works when I specify tlsv1 **** curl example.
>
> Similar thing if NIFI * postHTTP inside same canvas to myself. Works fine if
> StandardSSLContextService is set to TLS ( both listen and post are using same
> SSLContextService ) it fails if I change it to SSLv3
>
> I've also looked to make sure the macro JAVA java.security is not blocking me
> but that does not have any "SSL" on ~JAVA_INSTALL/security/java.security
>
> jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768
>
> Any suggestions?
>
> My test is using curl:
>
> Command that works:
>
> curl -H "filename:test.txt" -H "some.attribute:nifiTest" -k --cert myServerCert --key MyServer.key -d @some/file --location-trusted --location https://someServer:5555/contentListener --tlsv1 -vvv
>
> Command that does not:
>
> curl -H "filename:test.txt" -H "some.attribute:nifiTest" -k --cert myServerCert --key MyServer.key -d @some/file --location-trusted --location https://someServer:5555/contentListener --sslv3 -vvv
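The java.security check described in the question, as an added example that is not part of the original thread: it parses the `jdk.tls.disabledAlgorithms` property (including backslash-continued lines) and reports whether a protocol is listed. The function names, the second sample and the case-insensitive name comparison are assumptions made for illustration; as the reply points out, Jetty disables SSLv3 on its own, so an entry missing here does not mean the listener will negotiate it.

```python
PROP = "jdk.tls.disabledAlgorithms"

# The line quoted in the question.
ASKER_SAMPLE = "jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768\n"

# Constructed sample, not taken from a real JRE: the same list with SSLv3
# added and the value wrapped with a backslash continuation.
CONSTRUCTED_SAMPLE = (
    "# constructed sample\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\\n"
    "    DH keySize < 768\n"
)


def logical_lines(text):
    """Yield property lines with continuations joined; skip comments and blanks."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # drop the backslash, keep reading
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def disabled_algorithms(text, prop=PROP):
    """Return the entries of the last assignment of prop, or None if it is unset."""
    entries = None
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == prop:
            entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries


def protocol_disabled(text, protocol="SSLv3"):
    """True if protocol is named in the property (compared case-insensitively)."""
    entries = disabled_algorithms(text) or []
    # An entry may carry a constraint ("DH keySize < 768"); its name is the first token.
    return any(e.split()[0].lower() == protocol.lower() for e in entries)


if __name__ == "__main__":
    for name, sample in (("asker", ASKER_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        print(name, "SSLv3 listed:", protocol_disabled(sample))
```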
