  1. Apache NiFi
  2. NIFI-5174 NiFi Compatibility with Java 11
  3. NIFI-6561

Certificate compatibility broken for JDK8 build running on JRE11

    Details

    • Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.10.0
    • Fix Version/s: None
    • Component/s: Security

      Description

      When testing Java 11 build compatibility, I found an issue with TLS certificates when using a remote process group looped back to an input port on the same cluster. The same certificates were used for JDK8/JRE8, JDK8/JRE11 and JDK11/JRE11, i.e. they contained relevant SAN entries in each case.

      Building on JDK 1.8.0_172 and running on JRE11.0.5+10 caused exceptions when attempting to send to a local input port with an RPG:

      2019-08-13 18:17:07,946 WARN [Http Site-to-Site PeerSelector] o.apache.nifi.remote.client.PeerSelector Could not communicate with natog0.com:9551 to determine which nodes exist in the remote NiFi cluster, due to javax.net.ssl.SSLPeerUnverifiedException: Certificate for <natog0.com> doesn't match any of the subject alternative names: [natog1.com]
      2019-08-13 18:17:07,946 WARN [Http Site-to-Site PeerSelector] o.apache.nifi.remote.client.PeerSelector org.apache.nifi.remote.client.PeerSelector@6d5e02f8 Unable to refresh Remote Group's peers due to Unable to communicate with remote NiFi cluster in order to determine which nodes exist in the remote cluster

      I did not see this error on the matching builds (JDK8/JRE8, JDK11/JRE11).

              People

              • Assignee: Unassigned
              • Reporter: thenatog Nathan Gough
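
A way to confirm per node that the keystore's leaf certificate really covers the hostname peers connect to, as an added example that is not part of the original report or of NiFi's code: it parses `keytool -list -v` output and lists the hostnames that no DNSName SAN covers. The keystore dump, the alias `nifi-key` and the `*.internal.example` entry are constructed, and the matching rule (exact, or `*` as the whole leftmost label) is an assumption about the hostname verifier in use.

```python
import re

# Constructed sample of `keytool -list -v` output for one node's keystore.
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: nifi-key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=natog1.com, OU=NIFI
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: natog1.com
  DNSName: *.internal.example
]
Certificate[2]:
Owner: CN=Example Test CA
"""

def leaf_dns_sans(keytool_text):
    """Map each alias to the DNSName SANs of its leaf certificate (Certificate[1])."""
    sans, alias, in_leaf = {}, None, False
    for line in keytool_text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            sans[alias] = []
            in_leaf = True  # trusted-cert entries carry no "Certificate[n]:" marker
        m = re.fullmatch(r"Certificate\[(\d+)\]:", line)
        if m:
            in_leaf = m.group(1) == "1"  # ignore SANs of CA certs further up the chain
        elif in_leaf and alias and line.startswith("DNSName:"):
            sans[alias].append(line.split(":", 1)[1].strip().lower())
    return sans

def host_matches(host, san):
    """Exact match, or '*' standing for the whole leftmost label only."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == san[2:]
    return host == san

def uncovered_hosts(keytool_text, alias, hosts):
    """Return the hosts that no DNSName SAN of the alias's leaf certificate covers."""
    sans = leaf_dns_sans(keytool_text).get(alias, [])
    return [h for h in hosts if not any(host_matches(h, s) for s in sans)]
```

Running `uncovered_hosts` against each node's real `keytool -list -v` dump with that node's own hostname shows whether a keystore would produce the SAN mismatch in the log above independently of the JDK/JRE combination.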