Apache NiFi / NIFI-3788

Support wildcard certificates in Amazon S3 Processors

      Description

      Some users have reported issues when attempting to connect to an external service whose TLS endpoint is secured with a wildcard certificate (i.e. the hostname is https://example.domain.com and the certificate DN contains CN=*.domain.com) when using the Amazon Web Services (AWS S3) processors. This requires changes in the SSLStandardContextService to correctly parse the CN and evaluate wildcard entries if present, and changes to the DefaultHostnameVerifier instance being passed to the SdkTLSSocketFactory and AmazonHTTPClientConfig in AbstractAWSProcessor.

      In addition, as specified by RFC 2818, certificate evaluation (specifically hostname validation) should prioritize Subject Alternative Names over DN parsing. Chrome 58+ has begun to implement this prioritization, which can cause certificate validation to fail even when the CN matches the hostname, if SANs are present but do not include the hostname.
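      The two rules the ticket describes (a wildcard CN must match exactly one label, and dNSName SANs, when present, take precedence over the CN) are shown below as an added worked example. This is not NiFi's SSLStandardContextService or the Apache HttpClient DefaultHostnameVerifier; it is a small Python re-implementation of the RFC 2818 / RFC 6125 matching behaviour, with constructed sample certificate identities (the names, the `san_dns`/`san_ip` field layout and the `10.0.0.5` address are assumptions for illustration). It deliberately treats partial wildcards such as `f*o.domain.com` as non-matching, which is stricter than some verifiers.

```python
import ipaddress

# Constructed sample certificate identities (not real NiFi or AWS data).
# Each holds the fields a hostname verifier consults: the CN from the
# subject DN, the dNSName SAN entries and the iPAddress SAN entries.
SAMPLE_CERTS = {
    # The case from the ticket: wildcard in the CN, no SANs at all.
    "wildcard_cn_only": {"cn": "*.domain.com", "san_dns": [], "san_ip": []},
    # CN matches the host, but SANs are present and do not list it
    # (the situation Chrome 58+ now rejects).
    "san_without_host": {"cn": "example.domain.com",
                         "san_dns": ["other.domain.com"], "san_ip": []},
    # Wildcard carried in a SAN; the CN is then irrelevant.
    "wildcard_san": {"cn": "ignored.invalid",
                     "san_dns": ["*.domain.com"], "san_ip": []},
    # IP-literal endpoint (assumed address): only an iPAddress SAN may match.
    "ip_san": {"cn": "10.0.0.5", "san_dns": [], "san_ip": ["10.0.0.5"]},
}


def dns_name_matches(identity: str, hostname: str) -> bool:
    """Compare one certificate DNS identity against a hostname.

    Matching is case-insensitive. A wildcard is honoured only as the entire
    leftmost label and consumes exactly one label, so "*.domain.com" matches
    "example.domain.com" but neither "domain.com" nor "a.b.domain.com".
    """
    identity = identity.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    id_labels = identity.split(".")
    host_labels = hostname.split(".")
    if "*" not in identity:
        return id_labels == host_labels
    # Reject a wildcard anywhere but the whole leftmost label, and require at
    # least two labels after it: "*.com" would otherwise match every .com host.
    if id_labels[0] != "*" or "*" in identity[2:] or len(id_labels) < 3:
        return False
    return len(host_labels) == len(id_labels) and id_labels[1:] == host_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Apply the RFC 2818 precedence rule to a certificate's identities.

    If the certificate carries any dNSName SAN entries, only those are
    consulted and the CN is ignored. The CN is a fallback solely for
    certificates with no dNSName SANs at all. IP literals are matched only
    against iPAddress SANs, never against the CN or a wildcard.
    """
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.get("san_ip", []))
    san_dns = cert.get("san_dns", [])
    if san_dns:
        return any(dns_name_matches(i, hostname) for i in san_dns)
    cn = cert.get("cn")
    return cn is not None and dns_name_matches(cn, hostname)


def verify_all(certs: dict, hostname: str) -> dict:
    """Return {cert_name: matched} so the effect of each rule is visible."""
    return {name: cert_matches_hostname(c, hostname) for name, c in certs.items()}


if __name__ == "__main__":
    for host in ("example.domain.com", "domain.com", "a.b.domain.com", "10.0.0.5"):
        print(host, verify_all(SAMPLE_CERTS, host))
```

      Running the block prints, for each sample host, which constructed certificate would be accepted: the wildcard CN and wildcard SAN both accept example.domain.com, the certificate whose CN matches but whose SANs omit the host is rejected, and only the iPAddress SAN accepts the IP literal.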

              People

              Assignee: Andy LoPresto (alopresto)
              Reporter: Andy LoPresto (alopresto)
              Votes: 0
              Watchers: 3
