Posted to commits@nifi.apache.org by "Adam Taft (JIRA)" <ji...@apache.org> on 2016/07/01 17:24:11 UTC

[jira] [Comment Edited] (NIFI-1930) ListenHTTP does not use SSLContextService protocol

    [ https://issues.apache.org/jira/browse/NIFI-1930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15359320#comment-15359320 ] 

Adam Taft edited comment on NIFI-1930 at 7/1/16 5:23 PM:
---------------------------------------------------------

With regards to the TLS protocol(s) which ListenHTTP supports, the solution to this issue will need to be a configuration change made against Jetty.  Specifically, the org.eclipse.jetty.util.ssl.SslContextFactory will need to have "excluded protocols" added.

For example, let's say that ListenHTTP should be configured to only allow TLS1.1+.  In order to achieve this, in Jetty you would need to exclude other protocols like so:

{{sslContextFactory.addExcludeProtocols("SSL","SSLv2","SSLv2Hello","SSLv3","TLS","TLS1")}}

A problem exists that the SSLContextService only allows a *single* protocol to be specified.  This might work for client configurations, but generally for servers you want to negotiate the protocol.  In this example, you'd want any TLS >= 1.1 to be supported.

Therefore this issue might be difficult to resolve against the current behavior of the SSLContextService.  Instead, it's possible that a "quick" change be made to allow weaker TLS protocols to be excluded.  Possibly a temporary property called "minimumTLSVersion" or something like that could be added to ListenHTTP that would support the above use case.


was (Author: taftster):
With regards to the TLS protocol(s) which ListenHTTP supports, the solution to this issue will need to be a configuration change made against Jetty.  Specifically, the org.eclipse.jetty.util.ssl.SslContextFactory will need to have "excluded protocols" added.

For example, let's say that ListenHTTP should be configured to only allow TLS1.1+.  In order to achieve this, in Jetty you would need to exclude other protocols like so:

{{sslContextFactory.addExcludedProtocol("SSL","SSLv2","SSLv2Hello","SSLv3","TLS","TLS1")}}

A problem exists that the SSLContextService only allows a *single* protocol to be specified.  This might work for client configurations, but generally for servers you want to negotiate the protocol.  In this example, you'd want any TLS >= 1.1 to be supported.

Therefore this issue might be difficult to resolve against the current behavior of the SSLContextService.  Instead, it's possible that a "quick" change be made to allow weaker TLS protocols to be excluded.  Possibly a temporary property called "minimumTLSVersion" or something like that could be added to ListenHTTP that would support the above use case.

> ListenHTTP does not use SSLContextService protocol
> --------------------------------------------------
>
>                 Key: NIFI-1930
>                 URL: https://issues.apache.org/jira/browse/NIFI-1930
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 0.6.1
>            Reporter: Mark Bean
>
> The ListenHTTP processor ignores the protocol property of the SSLContextService. Even when the service specifies a specific protocol, ListenHTTP will negotiate and honor alternate protocols.
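The comment above sketches a "minimumTLSVersion" style setting that would be translated into Jetty's excluded-protocol list, so that the server keeps negotiating among the versions that remain allowed instead of being pinned to the single protocol the SSLContextService exposes. The following Java class is an added illustration of that idea; it is not NiFi or Jetty code and is not the patch proposed on the ticket. It assumes the Jetty 9 org.eclipse.jetty.util.ssl.SslContextFactory API (setKeyStorePath, addExcludeProtocols, getExcludeProtocols) and the ServerConnector(Server, SslContextFactory) constructor; the class name TlsFloorConfigurer, the method names and the keystore paths and passwords are placeholders. Protocol names are spelled as the JDK reports them ("TLSv1", "TLSv1.1", "TLSv1.2"), which is what Jetty matches against; "SSLv2Hello" is the JDK's pseudo-protocol for the legacy hello format. Note that TLS 1.0 and 1.1 have since been formally deprecated, so a deployment today would set the floor to "TLSv1.2" rather than the "TLSv1.1" used in the ticket's example.

```java
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical helper (not NiFi or Jetty code) that turns a
 * "minimumTLSVersion" value into Jetty's excluded-protocol list.
 * Excluding everything below the floor, rather than including one
 * version, leaves the server free to negotiate among the versions
 * that are still permitted.
 */
public final class TlsFloorConfigurer {

    // Versioned protocol names as the JDK's SSLContext reports them, oldest first.
    private static final List<String> ORDERED = Arrays.asList(
            "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");

    // Unversioned aliases that Jetty also accepts as protocol names; these
    // are excluded unconditionally because they never express a floor.
    private static final List<String> ALIASES = Arrays.asList("SSL", "SSLv2", "TLS");

    private TlsFloorConfigurer() {}

    /** Returns every protocol name that must be excluded to enforce the floor. */
    static String[] protocolsBelow(String minimumTlsVersion) {
        int floor = ORDERED.indexOf(minimumTlsVersion);
        if (floor < 0) {
            throw new IllegalArgumentException("Unknown TLS protocol name: " + minimumTlsVersion);
        }
        List<String> excluded = new ArrayList<>(ALIASES);
        excluded.addAll(ORDERED.subList(0, floor));   // everything older than the floor
        return excluded.toArray(new String[0]);
    }

    /** Builds a server-side SslContextFactory that refuses handshakes below the floor. */
    static SslContextFactory serverFactory(String keystorePath, String keystorePassword,
                                           String truststorePath, String truststorePassword,
                                           String minimumTlsVersion) {
        SslContextFactory factory = new SslContextFactory();   // Jetty 9 API, assumed
        factory.setKeyStorePath(keystorePath);
        factory.setKeyStorePassword(keystorePassword);
        factory.setTrustStorePath(truststorePath);
        factory.setTrustStorePassword(truststorePassword);
        // With a floor of "TLSv1.1" the server still negotiates TLSv1.1 or TLSv1.2.
        factory.addExcludeProtocols(protocolsBelow(minimumTlsVersion));
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords; substitute the real keystore material.
        SslContextFactory factory = serverFactory(
                "/path/to/keystore.jks", "keystore-password-placeholder",
                "/path/to/truststore.jks", "truststore-password-placeholder",
                "TLSv1.1");

        // Sanity check before the connector starts: the exclusion list is what we asked for.
        System.out.println("Excluded protocols: "
                + Arrays.toString(factory.getExcludeProtocols()));

        Server server = new Server();
        ServerConnector https = new ServerConnector(server, factory);
        https.setPort(8443);
        server.addConnector(https);
        server.start();
        server.join();
    }
}
```

The exclusion list is the right knob for a server because Jetty intersects it with whatever the JVM supports at runtime: if a future JDK adds "TLSv1.3", it stays enabled automatically, whereas a single included protocol would silently pin the connector to an ageing version. Reading back getExcludeProtocols() after configuration, as main() does, is a cheap check that the floor actually took effect before the connector is started.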



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)