You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by "Rene Weidlinger (Jira)" <ji...@apache.org> on 2021/04/08 06:11:00 UTC

[jira] [Created] (MINIFI-552) Fix new SSL SAN Behaviour from new Jetty Version in C2 Server

Rene Weidlinger created MINIFI-552:
--------------------------------------

             Summary: Fix new SSL SAN Behaviour from new Jetty Version in C2 Server
                 Key: MINIFI-552
                 URL: https://issues.apache.org/jira/browse/MINIFI-552
             Project: Apache NiFi MiNiFi
          Issue Type: Bug
    Affects Versions: 0.6.0
            Reporter: Rene Weidlinger


Jetty tries to resolve the SAN Name for Clients connecting, but the behaviour of the constructor changed as seen here: [https://github.com/eclipse/jetty.project/pull/3480]

 

Linked: [https://github.com/eclipse/jetty.project/issues/3466]

Linked: [https://github.com/eclipse/jetty.project/issues/3454]

Linked: [apache/nifi-minifi#169|https://github.com/apache/nifi-minifi/pull/169]

 

This leads to Minifis can't connect to C2 even with correct Certs and this error:
{code:java}
2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] org.eclipse.jetty.io.AbstractEndPoint close(javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.172.220.28 found) DecryptedEndPoint@3663382d{l=0.0.0.0/0.0.0.0:10081,r=null,CLOSED,fill=-,flush=-,to=13/30000}
2021-04-07 08:26:31,038 DEBUG [qtp1095293768-18] org.eclipse.jetty.server.HttpConnection
javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.172.220.28 found
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:700)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:955)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:902)
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:639)
        at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:342)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
        at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
        at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.172.220.28 found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:179)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:100)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
        at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:135)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682)
        ... 26 common frames omitted
{code}
Proposed Fix for Minifi [https://github.com/mattyb149/nifi/pull/17]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)