While running tests in nifi-standard-processors with Jetty 9.4.15.v20190215 (after attempting to update from Jetty 9.4.11.v20180605), several SSL tests failed. After enabling javax.net.debug=ssl,handshake the following error occurs:
It appears that when using a cert for localhost, the hostname is resolved to 127.0.0.1, after which the existing SANs in the cert are checked for a matching IP SAN.
The TLS Toolkit currently generates certs with SANs assumed to be domain names (TlsHelper.java:305, uses GeneralName.dNSName explicitly). Adding the IP as a SAN with the TLS Toolkit currently adds it as a DNS SAN, which does not resolve the issue.
Support must be added to allow IPs to be added as SANs.
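The distinction at issue, as an added example that is not the TLS Toolkit's own code: the same IP string placed in a GeneralName.dNSName SAN versus a GeneralName.iPAddress SAN, and a check that only counts a true IP-typed SAN (type 7 in the JCA representation). It assumes BouncyCastle's bcpkix API is on the classpath; the class and method names are hypothetical.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class IpSanExample {
    // Self-signed cert for CN=localhost carrying the given SAN entries (hypothetical helper).
    static X509Certificate selfSigned(KeyPair kp, GeneralName[] sans) throws Exception {
        X500Name dn = new X500Name("CN=localhost");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 86_400_000L); // one day
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                dn, BigInteger.ONE, notBefore, notAfter, dn, kp.getPublic());
        b.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(sans));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    // True only if the cert has an iPAddress-typed SAN equal to ip.
    // A dNSName SAN whose text happens to be "127.0.0.1" is NOT counted,
    // which is exactly why the toolkit's DNS-only SANs fail IP matching.
    static boolean hasIpSan(X509Certificate cert, String ip) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            int type = ((Integer) san.get(0)).intValue();
            if (type == GeneralName.iPAddress && ip.equals(san.get(1))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        // Current toolkit behaviour: the IP is added as a DNS SAN.
        X509Certificate dnsOnly = selfSigned(kp, new GeneralName[] {
                new GeneralName(GeneralName.dNSName, "localhost"),
                new GeneralName(GeneralName.dNSName, "127.0.0.1") });
        // Required behaviour: the IP is added as an iPAddress SAN.
        X509Certificate withIp = selfSigned(kp, new GeneralName[] {
                new GeneralName(GeneralName.dNSName, "localhost"),
                new GeneralName(GeneralName.iPAddress, "127.0.0.1") });
        System.out.println("DNS-typed SAN matches as IP: " + hasIpSan(dnsOnly, "127.0.0.1"));
        System.out.println("IP-typed SAN matches as IP:  " + hasIpSan(withIp, "127.0.0.1"));
    }
}
```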