Posted to issues@nifi.apache.org by "Andy LoPresto (JIRA)" <ji...@apache.org> on 2019/02/15 00:17:00 UTC

[jira] [Assigned] (NIFI-5398) Identify cluster communication endpoints via combination of hostname and certificate rather than just certificate DN

     [ https://issues.apache.org/jira/browse/NIFI-5398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy LoPresto reassigned NIFI-5398:
-----------------------------------

    Assignee: Andy LoPresto

> Identify cluster communication endpoints via combination of hostname and certificate rather than just certificate DN
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-5398
>                 URL: https://issues.apache.org/jira/browse/NIFI-5398
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.7.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Major
>              Labels: TLS, certificate, client-auth, cluster, security
>
> Currently, NiFi cluster communications have a number of instances where the remote endpoint is identified by extracting the distinguished name (DN) from the presented peer certificate (see [SocketProtocolListener|https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/impl/SocketProtocolListener.java#L131]). 
> Users who try to provide the same wildcard certificate to all cluster nodes will encounter issues with this approach. These instances should be investigated and changed to use a combination of the socket connections' remote hostname and the certificate to validate the unique hostname making the request. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
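The hostname-plus-certificate identification the ticket proposes, as an added illustration written for this page rather than NiFi's own implementation: the `PeerIdentity` class, its methods and the "hostname / DN" identity string are assumptions, and the peer hostname should be taken from a trusted source (such as the cluster's configured node address) where one exists.

```java
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

/** Hypothetical helper (not NiFi code): identifies a cluster peer by remote hostname plus certificate. */
public final class PeerIdentity {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName entries

    /** Resolves the peer certificate and remote hostname from an established TLS socket. */
    public static String identify(SSLSocket socket) throws Exception {
        X509Certificate cert = (X509Certificate) socket.getSession().getPeerCertificates()[0];
        // Reverse DNS is used here for brevity; prefer the cluster's configured node address when available.
        String remoteHost = socket.getInetAddress().getHostName().toLowerCase(Locale.ROOT);
        return identify(cert, remoteHost);
    }

    /**
     * Returns "hostname / DN" when the certificate covers the remote hostname. With a shared wildcard
     * certificate every node presents the same DN, so the hostname is what makes the identity unique;
     * the certificate check is what prevents a node from simply claiming another node's hostname.
     */
    static String identify(X509Certificate cert, String remoteHost) throws Exception {
        String dn = cert.getSubjectX500Principal().getName();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        boolean covered = false;
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() == SAN_DNS_NAME && hostMatches((String) san.get(1), remoteHost)) {
                    covered = true;
                }
            }
        }
        if (!covered) {
            throw new SSLPeerUnverifiedException("certificate " + dn + " does not cover remote host " + remoteHost);
        }
        return remoteHost + " / " + dn;
    }

    /** RFC 6125-style match: exact name, or a leading "*." wildcard that covers exactly one label. */
    static boolean hostMatches(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (pattern.equals(host)) return true;
        if (!pattern.startsWith("*.")) return false;
        String suffix = pattern.substring(1);       // "*.example.com" -> ".example.com"
        int firstDot = host.indexOf('.');
        return firstDot > 0 && host.substring(firstDot).equals(suffix);
    }
}
```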