You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/02/03 14:55:00 UTC
[jira] [Commented] (NIFI-1355) Provide dynamic code-generated
certificates for HTTP tests to avoid expiry
[ https://issues.apache.org/jira/browse/NIFI-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17278046#comment-17278046 ]
ASF subversion and git services commented on NIFI-1355:
-------------------------------------------------------
Commit 6e1f737c53523843b7a3222d0c6dbc2d84e4aa09 in nifi's branch refs/heads/main from mtien
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=6e1f737 ]
NIFI-1355 Implemented new methods in KeyStoreUtils to programmatically-generate certificates, Keystores, and Truststores and return it wrapped in a TLS configuration.
Updated TestInvokeHTTP, TestInvokeHttpSSL, TestInvokeHttpTwoWaySSL, and TestListenHTTP to use new Keystore functionality.
NIFI-1355 Refactored and removed unnecessary unit tests in KeyStoreUtilsGroovyTest.
NIFI-1355 Added a password requirement when creating a new truststore.
Handled exception when loading a passwordless truststore type of Bouncy Castle PKCS12.
This closes #4801
Signed-off-by: David Handermann <ex...@apache.org>
> Provide dynamic code-generated certificates for HTTP tests to avoid expiry
> --------------------------------------------------------------------------
>
> Key: NIFI-1355
> URL: https://issues.apache.org/jira/browse/NIFI-1355
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 0.4.0, 0.4.1
> Reporter: Andy LoPresto
> Assignee: M Tien
> Priority: Major
> Labels: certificate, security, test
> Time Spent: 7h 50m
> Remaining Estimate: 0h
>
> As documented, the test certificates/keys used in the TestInvokeHttp and TestInvokeHttpSSL tests expired in 2014. With the constant removal of non-certificate based cipher suites from client libraries, the lack of valid certificates meant that the Jetty server could not offer any compatible cipher suites, and the tests failed. I manually generated and loaded new certificates but they expire after 1 year. Adding code to dynamically generate and load these certificates into the keystore and truststore would remove this inconsistent blocker.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)