Hi Shawn,

The InvokeHTTP processor relies on OkHttp to perform HTTP request and
response handling, so cipher suite negotiation is a combination of JVM
support and OkHttp configuration.  The InvokeHTTP processor does not
implement any direct configuration of the enabled cipher suites, and
currently relies on the default OkHttp behavior.  According to the following
OkHttp documentation on HTTPS, the default behavior is for OkHttp to use the
MODERN_TLS configuration option:

https://square.github.io/okhttp/https/

According to the list of APPROVED_CIPHER_SUITES associated with the
MODERN_TLS configuration, ECDHE-RSA-AES256-SHA384 is not one of the
supported options:

https://github.com/square/okhttp/blob/parent-4.9.3/okhttp/src/main/kotlin/okhttp3/ConnectionSpec.kt#L290

Other NiFi components have different approaches to cipher suite support, so
OkHttp is a bit different in this scenario.  The OkHttp configuration
explains why you might see other TLS handshakes indicating support, but not
handshakes initiated through InvokeHTTP.

Regards,
David Handermann
On Tue, Jan 25, 2022 at 12:19 PM Shawn Weeks <swe...@weeksconsulting.us>
wrote:

> I need some help understanding how the InvokeHTTP processor negotiates SSL
> Ciphers with the remote host. I’ve got a remote system that only supports a
> weak cipher in this case ECDHE-RSA-AES256-SHA384. I’ve enabled Java SSL
> debugging with -Djavax.net.debug=ssl:handshake:verbose and I’ve noticed
> that the ClientHello logged does not list that cipher in the “cipher
> suites” value for that processor call however if I look at other
> ClientHello messages logged I see a much larger list of “cipher suites”
> listed including the one above. I’m trying to figure out what exactly is
> restricting the list of ciphers that are negotiated. I’ve tried using
> InvokeHTTP with a Restricted and Non Restricted SSL Controller. I’m not
> running Java in export mode so I have all the ciphers. I’ve also been doing
> some testing with the openssl s_client command and I’ve confirmed that only
> the cipher above is supported and any other cipher gives an error.
>
>
>
> Thanks
>
> Shawn
>

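As an added example (not NiFi or OkHttp project code, and not something InvokeHTTP exposes), the following Java program shows the mechanism David describes: OkHttp's ConnectionSpec, rather than the JVM's default cipher list, decides which suites go into the ClientHello, which is why a JVM that enables a suite can still send a ClientHello without it. It checks whether MODERN_TLS offers the suite, whether the running JVM enables it, and how an OkHttpClient would be built with a custom ConnectionSpec that adds it. It assumes OkHttp 4.x on the classpath, and that the OpenSSL name ECDHE-RSA-AES256-SHA384 maps to the JSSE name TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (the standard IANA mapping). The class and method names are the example's own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;

public class CipherSuiteCheck {

    // OpenSSL's ECDHE-RSA-AES256-SHA384 under its JSSE/IANA name.
    static final String SUITE = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";

    /** True if the spec would offer the suite in the ClientHello. */
    static boolean specOffers(ConnectionSpec spec, String jsseName) {
        List<CipherSuite> suites = spec.cipherSuites();
        if (suites == null) {
            // A null list means "offer whatever the JVM enables".
            return true;
        }
        for (CipherSuite cs : suites) {
            if (cs.javaName().equals(jsseName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * True if the JVM enables the suite by default. OkHttp intersects its
     * ConnectionSpec with the socket's enabled suites, so a suite has to
     * pass both filters to appear in the ClientHello.
     */
    static boolean jvmEnables(String jsseName) throws Exception {
        String[] enabled = SSLContext.getDefault()
                .getDefaultSSLParameters().getCipherSuites();
        return Arrays.asList(enabled).contains(jsseName);
    }

    /**
     * Client whose spec is MODERN_TLS plus one extra suite. This is the
     * example's own configuration, added to show the OkHttp API; the
     * CBC/SHA384 suite is a legacy choice and should only be enabled for
     * a host that offers nothing better.
     */
    static OkHttpClient clientAllowing(String jsseName) {
        List<CipherSuite> suites =
                new ArrayList<>(ConnectionSpec.MODERN_TLS.cipherSuites());
        suites.add(CipherSuite.forJavaName(jsseName));
        ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .cipherSuites(suites.toArray(new CipherSuite[0]))
                .build();
        return new OkHttpClient.Builder()
                .connectionSpecs(Arrays.asList(spec, ConnectionSpec.CLEARTEXT))
                .build();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("MODERN_TLS offers " + SUITE + ": "
                + specOffers(ConnectionSpec.MODERN_TLS, SUITE));
        System.out.println("JVM enables " + SUITE + ": " + jvmEnables(SUITE));
        OkHttpClient client = clientAllowing(SUITE);
        ConnectionSpec custom = client.connectionSpecs().get(0);
        System.out.println("Custom spec offers " + SUITE + ": "
                + specOffers(custom, SUITE));
    }
}
```

Running this with -Djavax.net.debug=ssl:handshake:verbose and a request through the custom client is the practical check: the suite appears in the ClientHello only when both specOffers and jvmEnables are true, which matches what Shawn saw with the openssl s_client comparison.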