[NIFI-1981] Cluster communication requires client certificates even if needClientAuth set to false - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 0.6.1
Fix Version/s: 0.7.0
Component/s: Core Framework
Labels:
- certificate
- client-auth
- cluster
- ssl
- tls

Description

A user reported having issues with "peer not authenticated" errors appearing in the NCM app log when a node tried to connect. Upon debugging, it was discovered that the certificates issues to the client specifically prohibited being used as a client certificate (Extended Key Usage was set to serverAuth only). Setting nifi.security.needClientAuth to false in nifi.properties did not solve the problem because while the TLS handshake negotiation is successful without the client certificate, cluster communication in SocketProtocolListener still attempts to resolve the DN of the node requestor regardless of the needClientAuth setting.

The error message should be improved and the requestor DN extraction should respect the needClientAuth setting rather than throwing an unnecessary exception.

Attachments

Issue Links

is related to

NIFI-1753 Legacy X.509 certificate handling code should be upgraded

Resolved

relates to

NIFI-1990 Implement consistent security controls for cluster, site-to-site, and API communications

Open

NIFI-1995 Support keystores with multiple certificates by exposing alias selection in configuration

Open

links to

GitHub Pull Request #508

Activity

People

Assignee:: Andy LoPresto

Reporter:: Andy LoPresto

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 07/Jun/16 23:16

Updated:: 14/Jun/16 15:22

Resolved:: 14/Jun/16 15:22