You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Pierre Villard (JIRA)" <ji...@apache.org> on 2017/07/29 10:37:00 UTC

[jira] [Assigned] (NIFI-4222) TLS Toolkit should provide SAN by default

     [ https://issues.apache.org/jira/browse/NIFI-4222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pierre Villard reassigned NIFI-4222:
------------------------------------

    Assignee: Pierre Villard

> TLS Toolkit should provide SAN by default
> -----------------------------------------
>
>                 Key: NIFI-4222
>                 URL: https://issues.apache.org/jira/browse/NIFI-4222
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Tools and Build
>    Affects Versions: 1.3.0
>            Reporter: Andy LoPresto
>            Assignee: Pierre Villard
>              Labels: security, tls, tls-toolkit
>
> As of Chrome 58, the browser will only use the *SubjectAlternativeName* entries to determine hostname verification, rather than the *CN*. This is specified in RFC 6215 [1], TLS hostname verification must attempt to use the SAN entries first and may only use the CN entry if no SAN entries are available. 
> Chrome takes this a step further [2]: 
> {quote}
> During Transport Layer Security (TLS) connections, Chrome browser checks to make sure the connection to the site is using a valid, trusted server certificate.
> For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate. The certificate subject alternative name can be a domain name or IP address. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private. If the certificate is missing a subjectAlternativeName extension, users see a warning in the Security panel in Chrome DevTools that lets them know the subject alternative name is missing.
> {quote}
> As this will cause issues for users who do not manually provide a SAN when generating their certificates using the TLS Toolkit, the toolkit should be modified to automatically include the provided CN as a SAN entry, in addition to any manually-provided SAN entries. 
> [1] https://tools.ietf.org/html/rfc6125#section-6.4.4
> [2] https://support.google.com/chrome/a/answer/7391219?hl=en



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)