Apache NiFi / NIFI-1981

Cluster communication requires client certificates even if needClientAuth set to false

      Description

      A user reported having issues with "peer not authenticated" errors appearing in the NCM app log when a node tried to connect. Upon debugging, it was discovered that the certificates issued to the client specifically prohibited being used as a client certificate (Extended Key Usage was set to serverAuth only). Setting nifi.security.needClientAuth to false in nifi.properties did not solve the problem because, while the TLS handshake negotiation is successful without the client certificate, cluster communication in SocketProtocolListener still attempts to resolve the DN of the node requestor regardless of the needClientAuth setting.

      The error message should be improved and the requestor DN extraction should respect the needClientAuth setting rather than throwing an unnecessary exception.
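
      A sketch of the behaviour requested above, as an added example that is not NiFi's code or the eventual fix: the class `RequestorDn` and its methods are hypothetical names, and only standard `javax.net.ssl` / `java.security.cert` calls are used. It resolves the peer DN only when a client certificate is present, reports a descriptive error when one is required but missing, and checks whether a certificate's Extended Key Usage permits client authentication.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper (not NiFi code): requestor DN extraction that respects needClientAuth. */
public final class RequestorDn {
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    private static final String EKU_ANY = "2.5.29.37.0";               // anyExtendedKeyUsage

    private RequestorDn() {}

    /**
     * Returns the peer's subject DN, or empty when the peer sent no certificate and
     * the listening socket does not require one. Callers must treat an empty result
     * as an unauthenticated peer.
     */
    public static Optional<String> resolve(SSLSocket socket) throws SSLPeerUnverifiedException {
        final boolean needClientAuth = socket.getNeedClientAuth();
        try {
            // getSession() completes the handshake; getPeerCertificates() throws
            // SSLPeerUnverifiedException when the peer presented no certificate.
            Certificate[] chain = socket.getSession().getPeerCertificates();
            if (!(chain[0] instanceof X509Certificate)) {
                throw new SSLPeerUnverifiedException("Peer certificate is not X.509");
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            return Optional.of(leaf.getSubjectX500Principal().getName());
        } catch (SSLPeerUnverifiedException e) {
            if (!needClientAuth) {
                return Optional.empty(); // anonymous peer is permitted by configuration
            }
            throw new SSLPeerUnverifiedException(
                "Client authentication is required but the peer presented no usable client "
                + "certificate; check that the node certificate's Extended Key Usage permits "
                + "clientAuth (cause: " + e.getMessage() + ")");
        }
    }

    /** True if the certificate may be used for TLS client auth; an absent EKU extension is unrestricted. */
    public static boolean allowsClientAuth(X509Certificate cert) throws CertificateParsingException {
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        return eku == null || eku.contains(EKU_CLIENT_AUTH) || eku.contains(EKU_ANY);
    }
}
```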

              People

              • Assignee:
                alopresto Andy LoPresto
                Reporter:
                alopresto Andy LoPresto