Apache NiFi / NIFI-1981

Cluster communication requires client certificates even if needClientAuth set to false

Details

    Description

      A user reported having issues with "peer not authenticated" errors appearing in the NCM app log when a node tried to connect. Upon debugging, it was discovered that the certificates issued to the client specifically prohibited being used as a client certificate (Extended Key Usage was set to serverAuth only). Setting nifi.security.needClientAuth to false in nifi.properties did not solve the problem because, while the TLS handshake negotiation is successful without the client certificate, cluster communication in SocketProtocolListener still attempts to resolve the DN of the node requestor regardless of the needClientAuth setting.

      The error message should be improved and the requestor DN extraction should respect the needClientAuth setting rather than throwing an unnecessary exception.
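
An added diagnostic, not part of the NiFi issue or code base: the root cause described above was node certificates whose Extended Key Usage allowed serverAuth only. The script reports whether a PEM certificate may be presented as a TLS client certificate, using OpenSSL's purpose evaluation as a stand-in for the Java trust manager's check; the function names, the PEM input format and the constructed test certificates are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a PEM certificate can be used for TLS client
# authentication, as OpenSSL evaluates certificate purposes (EKU, key usage).

# allows_client_auth CERT.pem -> exit 0 if usable as a TLS client certificate
allows_client_auth() {
    openssl x509 -in "$1" -noout -purpose 2>/dev/null \
        | grep -q '^SSL client : Yes$'
}

# make_test_cert OUT.pem [EKU] -> constructed throwaway self-signed certificate.
# EKU is an OpenSSL extendedKeyUsage value such as "serverAuth"; when omitted,
# the certificate carries no Extended Key Usage extension at all.
# The body runs in a subshell so its variables do not leak into the caller.
make_test_cert() (
    out=$1
    eku=${2:-}
    cfg=$(mktemp)
    key=$(mktemp)
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        printf 'x509_extensions = ext\n'
        printf '[dn]\nCN = node1.example.test\n'
        printf '[ext]\nsubjectKeyIdentifier = hash\n'
        if [ -n "$eku" ]; then
            printf 'extendedKeyUsage = %s\n' "$eku"
        fi
    } > "$cfg"
    rc=0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$key" -out "$out" 2>/dev/null || rc=$?
    rm -f "$cfg" "$key"
    exit "$rc"
)

# Stand-alone use: sh check-client-eku.sh node1.pem node2.pem ...
for cert in "$@"; do
    if allows_client_auth "$cert"; then
        echo "$cert: usable as a TLS client certificate"
    else
        echo "$cert: NOT usable as a TLS client certificate"
    fi
done
```

A node certificate reported as not usable here will not authenticate the node to its peers, whatever needClientAuth is set to.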

            People

              alopresto Andy LoPresto