  1. Apache NiFi
  2. NIFI-5174 NiFi Compatibility with Java 11
  3. NIFI-6561

HTTPS S2S SAN Verification compatibility for JDK8 build running on JRE11

Details

    • Sub-task
    • Status: Resolved
    • Major
    • Resolution: Cannot Reproduce
    • 1.10.0
    • None
    • Security

    Description

      When testing Java 11 build compatibility, I found an issue with TLS certificates when using a remote process group looped back to an input port on the same cluster. The same certificates were used for JDK8/JRE8, JDK8/JRE11, JDK11/JRE11, i.e. they contained relevant SAN entries in each case.

      Building on JDK 1.8.0_172 and running on JRE11.0.5+10 caused exceptions when attempting to send to a local input port with an RPG:

      2019-08-13 18:17:07,946 WARN [Http Site-to-Site PeerSelector] o.apache.nifi.remote.client.PeerSelector Could not communicate with natog0.com:9551 to determine which nodes exist in the remote NiFi cluster, due to javax.net.ssl.SSLPeerUnverifiedException: Certificate for <natog0.com> doesn't match any of the subject alternative names: [natog1.com]
      2019-08-13 18:17:07,946 WARN [Http Site-to-Site PeerSelector] o.apache.nifi.remote.client.PeerSelector org.apache.nifi.remote.client.PeerSelector@6d5e02f8 Unable to refresh Remote Group's peers due to Unable to communicate with remote NiFi cluster in order to determine which nodes exist in the remote cluster

      But I did not see this error on the matching builds (JDK8/JRE8, JDK11/JRE11).

            People

              Unassigned Unassigned
              thenatog Nathan Gough