You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "Pierre Villard (JIRA)" <ji...@apache.org> on 2017/07/29 10:37:00 UTC
[jira] [Assigned] (NIFI-4222) TLS Toolkit should provide SAN by
default
[ https://issues.apache.org/jira/browse/NIFI-4222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pierre Villard reassigned NIFI-4222:
------------------------------------
Assignee: Pierre Villard
> TLS Toolkit should provide SAN by default
> -----------------------------------------
>
> Key: NIFI-4222
> URL: https://issues.apache.org/jira/browse/NIFI-4222
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Tools and Build
> Affects Versions: 1.3.0
> Reporter: Andy LoPresto
> Assignee: Pierre Villard
> Labels: security, tls, tls-toolkit
>
> As of Chrome 58, the browser will only use the *SubjectAlternativeName* entries to determine hostname verification, rather than the *CN*. This is specified in RFC 6215 [1], TLS hostname verification must attempt to use the SAN entries first and may only use the CN entry if no SAN entries are available.
> Chrome takes this a step further [2]:
> {quote}
> During Transport Layer Security (TLS) connections, Chrome browser checks to make sure the connection to the site is using a valid, trusted server certificate.
> For Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate. The certificate subject alternative name can be a domain name or IP address. If the certificate doesn’t have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn’t private. If the certificate is missing a subjectAlternativeName extension, users see a warning in the Security panel in Chrome DevTools that lets them know the subject alternative name is missing.
> {quote}
> As this will cause issues for users who do not manually provide a SAN when generating their certificates using the TLS Toolkit, the toolkit should be modified to automatically include the provided CN as a SAN entry, in addition to any manually-provided SAN entries.
> [1] https://tools.ietf.org/html/rfc6125#section-6.4.4
> [2] https://support.google.com/chrome/a/answer/7391219?hl=en
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)