You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by "Rene Weidlinger (Jira)" <ji...@apache.org> on 2021/04/08 06:11:00 UTC
[jira] [Created] (MINIFI-552) Fix new SSL SAN Behaviour from new
Jetty Version in C2 Server
Rene Weidlinger created MINIFI-552:
--------------------------------------
Summary: Fix new SSL SAN Behaviour from new Jetty Version in C2 Server
Key: MINIFI-552
URL: https://issues.apache.org/jira/browse/MINIFI-552
Project: Apache NiFi MiNiFi
Issue Type: Bug
Affects Versions: 0.6.0
Reporter: Rene Weidlinger
Jetty tries to resolve the SAN Name for Clients connecting, but the behaviour of the constructor changed as seen here: [https://github.com/eclipse/jetty.project/pull/3480]
Linked: [https://github.com/eclipse/jetty.project/issues/3466]
Linked: [https://github.com/eclipse/jetty.project/issues/3454]
Linked: [apache/nifi-minifi#169|https://github.com/apache/nifi-minifi/pull/169]
This leads to Minifis can't connect to C2 even with correct Certs and this error:
{code:java}
2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] org.eclipse.jetty.io.AbstractEndPoint close(javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.172.220.28 found) DecryptedEndPoint@3663382d{l=0.0.0.0/0.0.0.0:10081,r=null,CLOSED,fill=-,flush=-,to=13/30000}
2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] org.eclipse.jetty.server.HttpConnection
javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.172.220.28 found
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:700)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:955)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:902)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:639)
at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:342)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.172.220.28 found
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:179)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:100)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:135)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682)
... 26 common frames omitted
{code}
Proposed Fix for Minifi [https://github.com/mattyb149/nifi/pull/17]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)