Details
- Bug
- Status: Resolved
- Critical
- Resolution: Fixed
- 0.6.1
Description
A user reported having issues with "peer not authenticated" errors appearing in the NCM app log when a node tried to connect. Upon debugging, it was discovered that the certificates issued to the client specifically prohibited being used as a client certificate (Extended Key Usage was set to serverAuth only). Setting nifi.security.needClientAuth to false in nifi.properties did not solve the problem because while the TLS handshake negotiation is successful without the client certificate, cluster communication in SocketProtocolListener still attempts to resolve the DN of the node requestor regardless of the needClientAuth setting.
The error message should be improved and the requestor DN extraction should respect the needClientAuth setting rather than throwing an unnecessary exception.
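A check for the certificate condition described above, as an added example that is not part of the original issue or of NiFi's code: it reads a PEM certificate's Extended Key Usage with the openssl CLI and reports whether the certificate can be presented as a TLS client certificate. The sample certificates, the CN node1.example and the function names are constructed for illustration; -addext needs OpenSSL 1.1.1 or later.

```bash
# Added example (not NiFi code): decide from the Extended Key Usage (EKU)
# whether a certificate may be used for TLS client authentication.

# Print the EKU values of a PEM certificate (empty output = extension absent).
cert_eku() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Extended Key Usage/ { getline; gsub(/^ +| +$/, ""); print }'
}

# Return 0 if EKU is absent (usage unrestricted) or lists clientAuth, else 1.
eku_allows_client_auth() {
  local eku
  eku=$(cert_eku "$1")
  if [ -z "$eku" ]; then return 0; fi
  case "$eku" in
    *"TLS Web Client Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample input: a throwaway self-signed certificate carrying the
# given EKU list (hypothetical CN, valid for one day).
make_sample_cert() {
  local out="$1" eku="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=node1.example" \
    -addext "extendedKeyUsage=$eku" -keyout "$out.key" -out "$out" 2>/dev/null
}

demo() {
  local dir c
  dir=$(mktemp -d)
  make_sample_cert "$dir/server-only.pem" "serverAuth"
  make_sample_cert "$dir/dual-use.pem" "serverAuth,clientAuth"
  for c in "$dir"/*.pem; do
    if eku_allows_client_auth "$c"; then
      echo "OK    $(basename "$c"): $(cert_eku "$c")"
    else
      echo "FAIL  $(basename "$c"): $(cert_eku "$c") (rejected as a client certificate)"
    fi
  done
  rm -rf "$dir"
}

demo
```

To check a real node certificate, export it from the keystore in PEM form and pass the file to `eku_allows_client_auth`.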
Issue Links
- is related to
  - NIFI-1753 Legacy X.509 certificate handling code should be upgraded (Resolved)
- relates to
  - NIFI-1990 Implement consistent security controls for cluster, site-to-site, and API communications (Open)
  - NIFI-1995 Support keystores with multiple certificates by exposing alias selection in configuration (Open)