You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@nifi.apache.org by Chakrader Dewaragatla <Ch...@lifelock.com> on 2016/02/02 02:14:44 UTC
Nifi api - SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
Hi,
When I try to connect nifi api end point with curl as "curl -k -XGET https://10.233.0.153:8081/nifi-api/access/config -v
" it fails as follows despite I use "-k" option to ignore validation.
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS error -12173 (SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY)
* SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
* Closing connection 0
curl: (35) SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
curl -V
curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.18 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.5.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
How do I configure nifi to use certain cifers and protocols? Looks like this ticket is resolved, https://issues.apache.org/jira/browse/NIFI-419 how do I use the settings?
https://issues.apache.org/jira/browse/NIFI-700 is still open.
Using curl is one side of our use, other side we have JSS tomcat service that use stronger cipers and protocols. Eventually we would like tomcat to run nifi REST apis.
Thanks,
-Chakri
________________________________
The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
________________________________
Re: Nifi api - SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
Posted by Andy LoPresto <al...@gmail.com>.
Thanks Chakri.
So we can see that the selected cipher suite during that negotiation is ECDHE-RSA-AES128-SHA256. Not to bore you with TLS cipher suite explanations if you’re already familiar, but we can see this is using Elliptic Curve Diffie Hellman Ephemeral keys for negotiation, signing them with the server’s RSA key, and using AES-128 for actual content encryption during the session, and the PRF is SHA-256.
Mozilla has a great resource on TLS cipher suites here [1] and you can see that Java < 7 limits DHE parameters to 1024 bits. Java 7 is capable of 2048 bit DHE keys, but only when using ECDHE. This may be the cause of the issue.
I need to stand up an instance of NiFi locally that has self-signed certificates and check the cipher suites it will accept. I’m not sure if we are prioritizing ECDHE over DHE at this time, nor what the default DHE key length is. I have been meaning to create a Jira to audit the SSLSocketFactory and SSLContextFactory usage in the application because of some concerns I have. I will update this thread once I have created the ticket and have more information on the internal cipher suite prioritization.
[1] https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_and_Java
Andy LoPresto
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> On Feb 2, 2016, at 12:28 PM, Chakrader Dewaragatla <Ch...@lifelock.com> wrote:
>
> Andy –
>
> http://pastebin.com/yse0DXU3 <http://pastebin.com/yse0DXU3> has output. We are using nifi 0.4.1 nifi version, it has ldap and self-signed certs for https. Let me follow the steps in [1] in mean time.
>
> Thanks,
> -Chakri
>
> From: Andy LoPresto <alopresto.apache@gmail.com <ma...@gmail.com>>
> Reply-To: "users@nifi.apache.org <ma...@nifi.apache.org>" <users@nifi.apache.org <ma...@nifi.apache.org>>
> Date: Monday, February 1, 2016 at 6:00 PM
> To: "users@nifi.apache.org <ma...@nifi.apache.org>" <users@nifi.apache.org <ma...@nifi.apache.org>>
> Cc: Ville Kivinen <Ville.Kivinen@lifelock.com <ma...@lifelock.com>>
> Subject: Re: Nifi api - SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
>
> Hi Chakri,
>
> Running curl with -k will instruct it to ignore certificate validation, and you can see from the output that is skipping that. However, the issue seems to be a cipher suite mismatch between your version of curl and the underlying Jetty server of NiFi, specifically one using *DHE* or ephemeral Diffie Hellman key parameters (likely < 1024 bits).
>
> Can you please run the following command and paste the output here to help us diagnose? You can redact the key information, but what we are interested in are any error codes and the supported cipher suite your server accepts. Are you using NiFi 0.4.1 and have you done any customization to the nifi.properties file? Did you follow the steps listed here [1] to set up TLS for NiFi?
>
> $ openssl s_client -connect 10.233.0.153:8081 -debug
>
> You can also run with -tls1 or -cipher flags to specify custom cipher lists. See OpenSSL documentation [2] for more details.
>
> There is also a nifty command-line tool called cipherscan [3] which will attempt to connect to a TLS server and report on all server-supported cipher suites.
>
> I hope this helps and if you can provide us with more information, we can help further. Thanks.
>
> [1] https://community.hortonworks.com/articles/886/securing-nifi-step-by-step.html <https://community.hortonworks.com/articles/886/securing-nifi-step-by-step.html>
> [2] https://www.openssl.org/docs/manmaster/apps/s_client.html <https://www.openssl.org/docs/manmaster/apps/s_client.html>
> [3] https://github.com/jvehent/cipherscan <https://github.com/jvehent/cipherscan>
>
> Andy LoPresto
> alopresto.apache@gmail.com <ma...@gmail.com>
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>
>> On Feb 1, 2016, at 5:14 PM, Chakrader Dewaragatla <Chakrader.Dewaragatla@lifelock.com <ma...@lifelock.com>> wrote:
>>
>> Hi,
>> When I try to connect nifi api end point with curl as "curl -k -XGET https://10.233.0.153:8081/nifi-api/access/config <https://10.233.0.153:8081/nifi-api/access/config> -v
>> " it fails as follows despite I use "-k" option to ignore validation.
>> * Proxy replied OK to CONNECT request
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * skipping SSL peer certificate verification
>> * NSS error -12173 (SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY)
>> * SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
>> * Closing connection 0
>> curl: (35) SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
>>
>> curl -V
>> curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.18 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.5.0
>> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
>> Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
>>
>> How do I configure nifi to use certain cifers and protocols? Looks like this ticket is resolved, https://issues.apache.org/jira/browse/NIFI-419 <https://issues.apache.org/jira/browse/NIFI-419> how do I use the settings?
>> https://issues.apache.org/jira/browse/NIFI-700 <https://issues.apache.org/jira/browse/NIFI-700> is still open.
>>
>> Using curl is one side of our use, other side we have JSS tomcat service that use stronger cipers and protocols. Eventually we would like tomcat to run nifi REST apis.
>>
>> Thanks,
>> -Chakri
>> The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
>
> The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
Re: Nifi api - SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
Posted by Chakrader Dewaragatla <Ch...@lifelock.com>.
Andy –
http://pastebin.com/yse0DXU3 has output. We are using nifi 0.4.1 nifi version, it has ldap and self-signed certs for https. Let me follow the steps in [1] in mean time.
Thanks,
-Chakri
From: Andy LoPresto <al...@gmail.com>>
Reply-To: "users@nifi.apache.org<ma...@nifi.apache.org>" <us...@nifi.apache.org>>
Date: Monday, February 1, 2016 at 6:00 PM
To: "users@nifi.apache.org<ma...@nifi.apache.org>" <us...@nifi.apache.org>>
Cc: Ville Kivinen <Vi...@lifelock.com>>
Subject: Re: Nifi api - SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
Hi Chakri,
Running curl with -k will instruct it to ignore certificate validation, and you can see from the output that is skipping that. However, the issue seems to be a cipher suite mismatch between your version of curl and the underlying Jetty server of NiFi, specifically one using *DHE* or ephemeral Diffie Hellman key parameters (likely < 1024 bits).
Can you please run the following command and paste the output here to help us diagnose? You can redact the key information, but what we are interested in are any error codes and the supported cipher suite your server accepts. Are you using NiFi 0.4.1 and have you done any customization to the nifi.properties file? Did you follow the steps listed here [1] to set up TLS for NiFi?
$ openssl s_client -connect 10.233.0.153:8081 -debug
You can also run with -tls1 or -cipher flags to specify custom cipher lists. See OpenSSL documentation [2] for more details.
There is also a nifty command-line tool called cipherscan [3] which will attempt to connect to a TLS server and report on all server-supported cipher suites.
I hope this helps and if you can provide us with more information, we can help further. Thanks.
[1] https://community.hortonworks.com/articles/886/securing-nifi-step-by-step.html
[2] https://www.openssl.org/docs/manmaster/apps/s_client.html
[3] https://github.com/jvehent/cipherscan
Andy LoPresto
alopresto.apache@gmail.com<ma...@gmail.com>
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
On Feb 1, 2016, at 5:14 PM, Chakrader Dewaragatla <Ch...@lifelock.com>> wrote:
Hi,
When I try to connect nifi api end point with curl as "curl -k -XGET https://10.233.0.153:8081/nifi-api/access/config -v
" it fails as follows despite I use "-k" option to ignore validation.
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS error -12173 (SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY)
* SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
* Closing connection 0
curl: (35) SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
curl -V
curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.18 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.5.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
How do I configure nifi to use certain cifers and protocols? Looks like this ticket is resolved, https://issues.apache.org/jira/browse/NIFI-419 how do I use the settings?
https://issues.apache.org/jira/browse/NIFI-700 is still open.
Using curl is one side of our use, other side we have JSS tomcat service that use stronger cipers and protocols. Eventually we would like tomcat to run nifi REST apis.
Thanks,
-Chakri
________________________________
The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
________________________________
________________________________
The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
________________________________
Re: Nifi api - SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
Posted by Andy LoPresto <al...@gmail.com>.
Hi Chakri,
Running curl with -k will instruct it to ignore certificate validation, and you can see from the output that is skipping that. However, the issue seems to be a cipher suite mismatch between your version of curl and the underlying Jetty server of NiFi, specifically one using *DHE* or ephemeral Diffie Hellman key parameters (likely < 1024 bits).
Can you please run the following command and paste the output here to help us diagnose? You can redact the key information, but what we are interested in are any error codes and the supported cipher suite your server accepts. Are you using NiFi 0.4.1 and have you done any customization to the nifi.properties file? Did you follow the steps listed here [1] to set up TLS for NiFi?
$ openssl s_client -connect 10.233.0.153:8081 -debug
You can also run with -tls1 or -cipher flags to specify custom cipher lists. See OpenSSL documentation [2] for more details.
There is also a nifty command-line tool called cipherscan [3] which will attempt to connect to a TLS server and report on all server-supported cipher suites.
I hope this helps and if you can provide us with more information, we can help further. Thanks.
[1] https://community.hortonworks.com/articles/886/securing-nifi-step-by-step.html
[2] https://www.openssl.org/docs/manmaster/apps/s_client.html
[3] https://github.com/jvehent/cipherscan
Andy LoPresto
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
> On Feb 1, 2016, at 5:14 PM, Chakrader Dewaragatla <Ch...@lifelock.com> wrote:
>
> Hi,
> When I try to connect nifi api end point with curl as "curl -k -XGET https://10.233.0.153:8081/nifi-api/access/config -v
> " it fails as follows despite I use "-k" option to ignore validation.
> * Proxy replied OK to CONNECT request
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * NSS error -12173 (SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY)
> * SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
> * Closing connection 0
> curl: (35) SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
>
> curl -V
> curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.18 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.5.0
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
> Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
>
> How do I configure nifi to use certain cifers and protocols? Looks like this ticket is resolved, https://issues.apache.org/jira/browse/NIFI-419 how do I use the settings?
> https://issues.apache.org/jira/browse/NIFI-700 is still open.
>
> Using curl is one side of our use, other side we have JSS tomcat service that use stronger cipers and protocols. Eventually we would like tomcat to run nifi REST apis.
>
> Thanks,
> -Chakri
> The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.