You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2020/11/17 17:02:00 UTC
[jira] [Created] (NIFI-8019) SSL Enabled Protocol test failures
when TLSv1 and TLSv1.1 disabled in java.security
David Handermann created NIFI-8019:
--------------------------------------
Summary: SSL Enabled Protocol test failures when TLSv1 and TLSv1.1 disabled in java.security
Key: NIFI-8019
URL: https://issues.apache.org/jira/browse/NIFI-8019
Project: Apache NiFi
Issue Type: Bug
Components: Security
Affects Versions: 1.12.1
Environment: Fedora 33 OpenJDK 11.0.9
Reporter: David Handermann
The SslContextFactoryTest in nifi-security-utils and other test classes evaluate the array of enabled protocols during various unit tests after constructing an SSLContext. This unit test and others contain a static array of expected protocols that include TLSv1 and TLSv1.1.
Recent versions of Java 8 and 11 continue to allow these protocols, however, Fedora 33 introduced changes to the default cryptographic policies that disable TLSv1 and TLSv1.1. The following Fedora Wiki page describes the changes:
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
The Fedora 33 _crypto-policies_ RPM includes the following policy file:
/usr/share/crypto-policies/DEFAULT/java.txt
The Java policy includes TLSv1 and TLSv1.1 in the property for jdk.tls.disabledAlgorithms. This policy is included at runtime due to the java.security policy enabling security.useSystemPropertiesFile.
The SslContextFactoryTest and other tests that evaluate enabled SSL protocols should be updated to dynamically determine which protocols to expect using the SSLEngine.getSupportedProtocols() method.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)