Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2019/04/30 21:57:42 UTC

[GitHub] [nifi] thenatog commented on issue #3426: NIFI-6196 Upgrade version of Jetty

thenatog commented on issue #3426: NIFI-6196 Upgrade version of Jetty
URL: https://github.com/apache/nifi/pull/3426#issuecomment-488130016
 
 
   I have verified the endpointIdentificationAlgorithm settings are at least checking for SANs using a clientSocket and serverSocket with certs that did and didn't contain SANs. For the moment, I recommend we set the clientSocket endpointIdentificationAlgorithm to null as well, as this could be considered a breaking change that would require users to regenerate server certs for services external to NiFi. However, I think that it's generally accepted practice to expect SANs are set correctly for certificates. So, in future, we should flip this to require SAN validation in a major version change down the line.
   
   Once you set the algorithm to null for the serverSocket, +1.
   

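
An added example, not part of the comment above or of NiFi's code: a shell audit, using the `openssl` CLI (1.1.1 or later for `-addext`), that reports which certificates lack a SAN entry for a given host and would therefore need regenerating if SAN validation were required. The host name `nifi.example.test`, the file names and the simplified wildcard matching are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: audit certificates for a dNSName SAN covering a host.
# Host name, directory and file names are constructed for this demo.
DEMO_HOST=nifi.example.test

# Print one SAN entry per line (e.g. "DNS:host"); prints nothing if no SAN extension.
san_entries() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n +2 |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Exit 0 if a dNSName SAN equals HOST or is a wildcard for HOST's parent domain.
# Simplified matching (leftmost-label wildcard only); iPAddress SANs are ignored.
san_covers() {
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$host" in
        *.*) wildcard="*.${host#*.}" ;;
        *)   wildcard=$host ;;
    esac
    san_entries "$1" | tr '[:upper:]' '[:lower:]' | sed -n 's/^dns://p' |
        grep -Fqx -e "$host" -e "$wildcard"
}

# Print a verdict; return 0 = covered, 1 = SANs present but no match, 2 = no SAN.
audit_cert() {
    if san_covers "$1" "$2"; then
        echo "OK       $1: SAN covers $2"
    elif [ -n "$(san_entries "$1")" ]; then
        echo "MISMATCH $1: SANs present, none covers $2"; return 1
    else
        echo "NO-SAN   $1: would need regenerating if SAN validation is required"; return 2
    fi
}

# Create two throwaway self-signed certs (1 day), one without and one with a SAN.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$DEMO_HOST" \
        -keyout "$1/nosan.key" -out "$1/nosan.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$DEMO_HOST" \
        -addext "subjectAltName=DNS:$DEMO_HOST" \
        -keyout "$1/san.key" -out "$1/san.pem" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
make_demo_certs "$DEMO_DIR"
audit_cert "$DEMO_DIR/san.pem" "$DEMO_HOST"
audit_cert "$DEMO_DIR/nosan.pem" "$DEMO_HOST" || true
```

To audit real certificates, call `audit_cert` with each PEM file and the host name clients use to reach that service.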