[NIFI-8019] SSL Enabled Protocol test failures when TLSv1 and TLSv1.1 disabled in java.security - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.12.1
Fix Version/s: 1.13.0
Component/s: Security
Labels:
None
Environment:
Fedora 33 OpenJDK 11.0.9

Description

The SslContextFactoryTest in nifi-security-utils and other test classes evaluate the array of enabled protocols during various unit tests after constructing an SSLContext. This unit test and others contain a static array of expected protocols that include TLSv1 and TLSv1.1.

Recent versions of Java 8 and 11 continue to allow these protocols, however, Fedora 33 introduced changes to the default cryptographic policies that disable TLSv1 and TLSv1.1. The following Fedora Wiki page describes the changes:

https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

The Fedora 33 crypto-policies RPM includes the following policy file:

/usr/share/crypto-policies/DEFAULT/java.txt

The Java policy includes TLSv1 and TLSv1.1 in the property for jdk.tls.disabledAlgorithms. This policy is included at runtime due to the java.security policy enabling security.useSystemPropertiesFile.

The SslContextFactoryTest and other tests that evaluate enabled SSL protocols should be updated to dynamically determine which protocols to expect using the SSLContext.getDefaultSSLParameters().getProtocols() method.

Attachments

Issue Links

relates to

NIFI-7662 Add unit tests for Java 8 update 262 TLS v1.3 handling for different vendors

Resolved

NIFI-8037 Support TLS 1.3 in SSLContextService on Java 8

Resolved

links to

GitHub Pull Request #4673

Activity

People

Assignee:: David Handermann

Reporter:: David Handermann

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 17/Nov/20 17:01

Updated:: 15/Dec/20 05:08

Resolved:: 15/Dec/20 05:08

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 20m