Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-6178

Certificates generated for "localhost" need to have IP as a SAN in Java 11

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • 1.9.1
    • None
    • Security, Tools and Build

    Description

      While running tests in nifi-standard-processors with Jetty 9.4.15.v20190215 (after attempting to update from Jetty 9.4.11.v20180605), several SSL tests failed.  After enabling javax.net.debug=ssl,handshake the following error occurs:

      javax.net.ssl|ERROR|1B|ListenHTTP (07d9bfd1-56c3-46f1-b4a7-570eaf13c7cc) Web Server-27|2019-04-02 17:44:57.177 EDT|TransportContext.java:313|Fatal (CERTIFICATE_UNKNOWN): No subject alternative names matching IP address 127.0.0.1 found (
      "throwable" : {
        java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
      

      It appears that when using a cert for localhost the hostname is resolved to 127.0.0.1, after which the existing SANs in the cert are checked for a matching IP SAN.

      The TLS Toolkit currently generates certs with SANs assumed to be domain names (TlsHelper.java:305, uses GeneralName.dNSName explicitly). Adding the IP as a SAN with the TLS Toolkit currently adds it as a DNS SAN, which does not resolve the issue.

      Support must be added to allow IPs to be added as SANs.

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            jtstorck Jeff Storck
            jtstorck Jeff Storck
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 40m
                40m

                Slack

                  Issue deployment