Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/03/09 20:17:00 UTC

[jira] [Commented] (NIFI-9761) Correct Load-Balanced Connection Handling for TLS 1.3

    [ https://issues.apache.org/jira/browse/NIFI-9761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17503818#comment-17503818 ] 

ASF subversion and git services commented on NIFI-9761:
-------------------------------------------------------

Commit c73573b325a6e370bb3031e6906c786bcbf72ebc in nifi's branch refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=c73573b ]

NIFI-9761 Correct PeerChannel processing for TLS 1.3 (#5836)

* NIFI-9761 Corrected PeerChannel processing for TLS 1.3
- Added TestPeerChannel with methods for TLS 1.2 and TLS 1.3
- Updated PeerChannel.close() to process SSLEngine close notification
- Improved logging and corrected handling after decryption

> Correct Load-Balanced Connection Handling for TLS 1.3
> -----------------------------------------------------
>
>                 Key: NIFI-9761
>                 URL: https://issues.apache.org/jira/browse/NIFI-9761
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.8.0, 1.15.3
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>             Fix For: 1.16.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Load-Balanced Connections leverage Java NIO to implement a custom protocol for distributing FlowFiles across NiFi cluster nodes. The {{PeerChannel}} class in {{nifi-framework-core}} handles communication using a {{SocketChannel}} and also interacts with {{SSLEngine}} to support encrypted connections using TLS.
> TLS 1.3 introduced the concept of a post-handshake message in [RFC 8446 Section 4.6|https://datatracker.ietf.org/doc/html/rfc8446#section-4.6] which can cause problems with {{SSLEngine}} handling when not processed. Following the completion of a TLS 1.3 handshake, {{SSLEngine.unwrap()}} returns a result that has a status of {{OK}} and a handshake status of {{FINISHED}}. The result indicates that {{SSLEngine.unwrap()}} should be called again so that the handshake status of {{SSLEngine}} moves to {{NOT_HANDSHAKING}}.
> The {{PeerChannel.decrypt()}} method does not check the handshake status, resulting in unprocessed socket stream bytes remaining in the buffer. On a subsequent {{PeerChannel.read()}} invocation, the method attempts to read more bytes from the socket channel when buffered bytes are already available for processing. This can cause numerous unnecessary calls to {{PeerChannel.read()}} leading to timeouts or other unexpected behavior.
> The {{PeerChannel}} class should be corrected to handle the TLS 1.3 post-handshake message so that the initial call to {{read()}} returns the same application data as it would when using TLS 1.2.
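The post-handshake behaviour described in the issue above, shown as an added Java example that is not NiFi's PeerChannel code or the commit referenced in this comment: the first method reproduces the single-unwrap pattern the issue describes (handshake status ignored, so the record behind the TLS 1.3 post-handshake message stays buffered), and the second keeps unwrapping buffered records until the engine reports it is no longer handshaking. The class name, both method names and the buffer convention (the caller owns the encrypted read buffer in write mode and the plaintext buffer, performs socket reads, and handles any NEED_WRAP by calling wrap) are assumptions made for this illustration.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;

/**
 * Hypothetical helper (not NiFi's PeerChannel) contrasting a single-unwrap decrypt
 * with one that drains the TLS 1.3 post-handshake record in the same call.
 */
public final class Tls13UnwrapExample {

    private Tls13UnwrapExample() {
    }

    /**
     * Pattern the issue describes: one unwrap per read, handshake status ignored.
     * After a TLS 1.3 handshake the first unwrap consumes the post-handshake record and
     * returns OK/FINISHED with zero application bytes; the application record that follows
     * stays in {@code encrypted}, so the caller goes back to the socket for data it already holds.
     */
    static int decryptIgnoringHandshakeStatus(SSLEngine engine, ByteBuffer encrypted, ByteBuffer plaintext)
            throws SSLException {
        encrypted.flip();
        try {
            return engine.unwrap(encrypted, plaintext).bytesProduced();
        } finally {
            encrypted.compact();
        }
    }

    /**
     * Corrected pattern: keep unwrapping buffered records while bytes remain, stopping only
     * when more socket bytes are needed, the plaintext buffer is full, the engine needs to
     * send data, or the peer closed the session.
     *
     * @return number of application bytes produced into {@code plaintext}
     */
    static int decryptUntilNotHandshaking(SSLEngine engine, ByteBuffer encrypted, ByteBuffer plaintext)
            throws SSLException {
        int produced = 0;
        encrypted.flip();
        try {
            while (encrypted.hasRemaining()) {
                SSLEngineResult result = engine.unwrap(encrypted, plaintext);
                produced += result.bytesProduced();

                switch (result.getStatus()) {
                    case BUFFER_UNDERFLOW:
                        // Partial TLS record buffered: caller must read more bytes from the socket.
                        return produced;
                    case BUFFER_OVERFLOW:
                        // No room for application data: caller drains plaintext and calls again.
                        return produced;
                    case CLOSED:
                        // close_notify received: caller should run the close sequence.
                        return produced;
                    case OK:
                        break;
                }

                HandshakeStatus handshakeStatus = result.getHandshakeStatus();
                if (handshakeStatus == HandshakeStatus.NEED_TASK) {
                    // Run delegated tasks inline before unwrapping again.
                    Runnable task;
                    while ((task = engine.getDelegatedTask()) != null) {
                        task.run();
                    }
                } else if (handshakeStatus == HandshakeStatus.NEED_WRAP) {
                    // Engine has handshake or alert bytes to send: caller must wrap before reading more.
                    return produced;
                }
                // FINISHED (the TLS 1.3 post-handshake record was just processed), NEED_UNWRAP
                // and NOT_HANDSHAKING all continue the loop while bytes remain buffered, so the
                // application record behind the post-handshake message is decrypted in this
                // same call, matching what a TLS 1.2 session returns on the first read.
            }
            return produced;
        } finally {
            encrypted.compact();
        }
    }
}
```

The observable difference is in the return value of the first call after the handshake: the single-unwrap form returns 0 application bytes even though a complete application record is already buffered, while the looping form returns that record's bytes, which is why the issue's symptom (repeated reads and eventual timeouts) disappears once the handshake status is checked.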