Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
1.19.0, 1.19.1
-
None
-
None
Description
The certificates (keystore, truststore) generated by NiFi are not compatible with OpenSSL 3+ because they are created using old/insecure algorithms.
When starting NiFi 1.19.0 (using the apache/nifi Docker image) and confguring a single-user auth, which is the default for NiFi, the generated truststore.p12 and keystore.p12 cannot be decrypted (e.g. to extract the public cert/private key into PEM format files so they can be used with curl) using the OpenSSL version present within the Docker Image.
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Attempted command:
openssl pkcs12 -in "truststore.p12" -out "nifi-cert.pem" -cacerts -nokeys -password "pass:${TRUSTSTORE_PASSWORD}"
Error:
4047C0AF997F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
This can be worked around by adding the -legacy flag to the openssl command (see this Stack Overflow answer).
Using the command suggested from the linked article, we see that the NiFi generated truststure uses:
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200
Attachments
Issue Links
- is fixed by
-
-
- Resolved
-
- relates to
-
-
- Resolved
-