Posted to commits@nifi.apache.org by "Adam Taft (JIRA)" <ji...@apache.org> on 2016/07/01 17:22:10 UTC
[jira] [Commented] (NIFI-1930) ListenHTTP does not use SSLContextService protocol
[ https://issues.apache.org/jira/browse/NIFI-1930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15359320#comment-15359320 ]
Adam Taft commented on NIFI-1930:
---------------------------------
With regards to the TLS protocol(s) which ListenHTTP supports, the solution to this issue will need to be a configuration change made against Jetty. Specifically, the org.eclipse.jetty.util.ssl.SslContextFactory will need to have "excluded protocols" added.
For example, let's say that ListenHTTP should be configured to only allow TLS1.1+. In order to achieve this, in Jetty you would need to exclude other protocols like so:

    // Jetty 9 SslContextFactory: exclude everything below TLS 1.1 (JSSE protocol names; TLS 1.0 is "TLSv1")
    sslContextFactory.addExcludedProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1");
A problem exists that the SSLContextService only allows a *single* protocol to be specified. This might work for client configurations, but generally for servers you want to negotiate the protocol. In this example, you'd want any TLS >= 1.1 to be supported.
Therefore this issue might be difficult to resolve against the current behavior of the SSLContextService. Instead, it's possible that a "quick" change be made to allow weaker TLS protocols to be excluded. Possibly a temporary property called "minimumTLSVersion" or something like that could be added to ListenHTTP that would support the above use case.
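The following is an added example illustrating the "minimumTLSVersion" idea above; it is not code from the comment, from NiFi or from Jetty. It assumes the Jetty 9 org.eclipse.jetty.util.ssl.SslContextFactory API (setExcludedProtocols, setKeyStorePath, setKeyStorePassword) and a hypothetical keystore path and password. Given a minimum JSSE protocol name it derives the list of weaker protocols to exclude, so the server still negotiates any version at or above the minimum instead of being pinned to a single one.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Hypothetical "minimumTLSVersion" handling for an HTTPS listener (example only, not NiFi code). */
public class MinimumTlsVersionExample {

    // JSSE protocol names ordered weakest first; everything before the chosen minimum gets excluded.
    private static final List<String> ORDERED_PROTOCOLS =
        Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");

    /** Protocol names to exclude so that only versions >= minimumTlsVersion can be negotiated. */
    static String[] protocolsBelow(String minimumTlsVersion) {
        int idx = ORDERED_PROTOCOLS.indexOf(minimumTlsVersion);
        if (idx < 0) {
            throw new IllegalArgumentException("Unknown JSSE protocol name: " + minimumTlsVersion);
        }
        List<String> excluded = new ArrayList<>(ORDERED_PROTOCOLS.subList(0, idx));
        // Jetty's own default exclusion list also carries the aliases "SSL" and "SSLv2"; keep them out too.
        excluded.add("SSL");
        excluded.add("SSLv2");
        return excluded.toArray(new String[0]);
    }

    /** Server-side factory that negotiates any protocol at or above the minimum. */
    static SslContextFactory serverFactory(String keystorePath, String keystorePassword,
                                           String minimumTlsVersion) {
        SslContextFactory factory = new SslContextFactory();
        factory.setKeyStorePath(keystorePath);        // hypothetical path, supplied by the caller
        factory.setKeyStorePassword(keystorePassword);
        // Exclusion is the right knob here: setProtocol("TLSv1.2") only names the SSLContext
        // algorithm, and a JSSE SSLContext created that way may still enable older versions.
        // Pinning a single version via setIncludeProtocols("TLSv1.2") would be the single-protocol
        // behaviour the SSLContextService currently forces and would reject TLS 1.1-only clients.
        factory.setExcludedProtocols(protocolsBelow(minimumTlsVersion));
        return factory;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        // "/path/to/keystore.jks" and "changeit" are placeholders for this example.
        SslContextFactory factory = serverFactory("/path/to/keystore.jks", "changeit", "TLSv1.1");
        ServerConnector https = new ServerConnector(server, factory);
        https.setPort(8443);
        server.addConnector(https);
        server.start();
        server.join();
    }
}
```

With the minimum set to "TLSv1.1", the excluded list comes out as SSLv2Hello, SSLv3, TLSv1, SSL, SSLv2, so a client offering only TLS 1.0 fails the handshake while TLS 1.1 and TLS 1.2 clients still connect. A quick check against the running listener is `openssl s_client -connect localhost:8443 -tls1` (expected to fail) versus `-tls1_1` / `-tls1_2` (expected to succeed).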
> ListenHTTP does not use SSLContextService protocol
> --------------------------------------------------
>
> Key: NIFI-1930
> URL: https://issues.apache.org/jira/browse/NIFI-1930
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 0.6.1
> Reporter: Mark Bean
>
> The ListenHTTP processor ignores the protocol property of the SSLContextService. Even when the service specifies a specific protocol, ListenHTTP will negotiate and honor alternate protocols.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)