Apache NiFi / NIFI-5398

Identify cluster communication endpoints via combination of hostname and certificate rather than just certificate DN


Details

    Description

      Currently, NiFi cluster communications have a number of instances where the remote endpoint is identified by extracting the distinguished name (DN) from the presented peer certificate (see SocketProtocolListener).

      Users who try to provide the same wildcard certificate to all cluster nodes will encounter issues with this approach. These instances should be investigated and changed to use a combination of the socket connections' remote hostname and the certificate to validate the unique hostname making the request.
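The identification scheme proposed above, sketched as an added example (not NiFi's code and not from the issue reporter): the peer's identity is the connection's remote hostname, accepted only when a dNSName entry in the presented certificate covers it. `PeerIdentity`, its methods and the `nifi.example.com` hostnames are hypothetical, and the remote hostname is assumed to come from the socket connection.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;

// Added illustration, not NiFi code; class and method names are hypothetical.
public class PeerIdentity {
    // Collect dNSName entries (GeneralName type 2) from the SAN extension.
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return names; // no SAN extension present
        }
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) == 2) {
                names.add((String) san.get(1));
            }
        }
        return names;
    }

    // A wildcard is honoured only as the whole left-most label and covers exactly one label.
    static boolean matches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // Identity is the connection's hostname, accepted only if the certificate vouches for it.
    static String identify(String remoteHost, List<String> sanDnsNames) {
        if (sanDnsNames.stream().noneMatch(n -> matches(n, remoteHost))) {
            throw new SecurityException("certificate does not cover " + remoteHost);
        }
        return remoteHost.toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample: two nodes share one wildcard certificate, so the subject DN
        // is identical for both, while hostname plus certificate yields distinct identities.
        List<String> shared = List.of("*.nifi.example.com");
        System.out.println(identify("node1.nifi.example.com", shared));
        System.out.println(identify("node2.nifi.example.com", shared));
        System.out.println(matches("*.nifi.example.com", "a.b.nifi.example.com"));
    }
}
```

In a real listener the list passed to `identify` would come from `dnsNames` applied to the peer certificate taken from the TLS session.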


            People

              alopresto Andy LoPresto