Posted to issues@nifi.apache.org by "Bryan Rosander (JIRA)" <ji...@apache.org> on 2016/12/28 20:50:58 UTC
[jira] [Commented] (NIFI-3265) tls-toolkit client fails when tls-toolkit server has multiple cn attributes
[ https://issues.apache.org/jira/browse/NIFI-3265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15783679#comment-15783679 ]
Bryan Rosander commented on NIFI-3265:
--------------------------------------
Server:
{code}
bin/tls-toolkit.sh server -D 'CN=localhost,CN=host,CN=account' -t test
tls-toolkit.sh: JAVA_HOME not set; results may vary
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.util.log: Logging initialized @1284ms
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.server.Server: jetty-9.3.9.v20160517
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.server.AbstractConnector: Started ServerConnector@be34f20{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2016/12/28 15:45:52 INFO [main] org.eclipse.jetty.server.Server: Started @1460ms
Server Started
{code}
Client:
{code}
bin/tls-toolkit.sh client -t test
tls-toolkit.sh: JAVA_HOME not set; results may vary
2016/12/28 15:46:05 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateAuthorityClient: Requesting new certificate from localhost:8443
2016/12/28 15:46:06 INFO [main] org.apache.nifi.toolkit.tls.service.client.TlsCertificateSigningRequestPerformer: Requesting certificate with dn CN=HW13384.lan,OU=NIFI from localhost:8443
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: I/O exception (java.io.IOException) caught when processing request to {s}->https://localhost:8443: Expected cn of localhost but got account
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: Retrying request to {s}->https://localhost:8443
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: I/O exception (java.io.IOException) caught when processing request to {s}->https://localhost:8443: Expected cn of localhost but got account
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: Retrying request to {s}->https://localhost:8443
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: I/O exception (java.io.IOException) caught when processing request to {s}->https://localhost:8443: Expected cn of localhost but got account
2016/12/28 15:46:06 INFO [main] org.apache.http.impl.execchain.RetryExec: Retrying request to {s}->https://localhost:8443
Service client error: Expected cn of localhost but got account
Usage: tls-toolkit service [-h] [args]
Services:
standalone: Creates certificates and config files for nifi cluster.
server: Acts as a Certificate Authority that can be used by clients to get Certificates
client: Generates a private key and gets it signed by the certificate authority.
{code}
> tls-toolkit client fails when tls-toolkit server has multiple cn attributes
> ---------------------------------------------------------------------------
>
> Key: NIFI-3265
> URL: https://issues.apache.org/jira/browse/NIFI-3265
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 1.1.1, 1.0.1
> Reporter: Bryan Rosander
> Priority: Minor
> Labels: tls-toolkit
>
> LDAP hierarchies can have multiple cn attributes.
> tls-toolkit in client mode validates the first CN attribute parsed from the distinguished name against the hostname of the tls-toolkit server to help avoid man-in-the-middle attacks.
> This check fails when multiple CN attributes are present.
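The check described in the issue, worked through as an added example. This is not NiFi's code or the tls-toolkit's parser: it is a small RFC 4514-style DN parser written for this illustration, plus a hostname check run under three candidate policies. The DN and hostname are the ones from the comment above. The "rightmost" policy reproduces the logged message exactly: indexing RDNs from the root end, which is what javax.naming.ldap.LdapName does with getRdn(0), selects "account" from a DN whose string form starts with CN=localhost. Which policy a CA client should adopt ("leftmost", i.e. the most specific CN, or "any") is a policy decision made here for the example only; hostname verification against the certificate's subject alternative names, per RFC 6125, is the stronger binding in either case.

```python
"""Added illustration of a hostname-vs-CN check on a CA server DN.

Not NiFi's code: a small RFC 4514-style DN parser (backslash escapes and
multi-valued RDNs only; hex escapes are not handled) plus a check that
compares a hostname against the CN attribute(s) of the server DN.
"""


def _split_unescaped(text, sep):
    """Split on `sep` wherever it is not backslash-escaped; escapes are kept."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == "\\":          # skip the escaped character
            i += 2
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts


def _unescape(value):
    """Remove backslash escapes from an attribute value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_dn(dn):
    """Parse a DN string into RDNs in string (left-to-right) order.

    Each RDN is a list of (attribute type, value) pairs, so a multi-valued
    RDN such as 'CN=a+OU=b' is one element holding two pairs.
    """
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn_text, "+"):
            attr_type, eq, raw_value = ava.partition("=")
            if not eq or not attr_type.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            avas.append((attr_type.strip().upper(), _unescape(raw_value.strip())))
        rdns.append(avas)
    return rdns


def cn_values(dn):
    """All CN values in string order, leftmost (most specific) first."""
    return [v for rdn in parse_dn(dn) for t, v in rdn if t == "CN"]


def selected_cn(dn, policy):
    """The single CN a policy compares against the hostname.

    'rightmost' indexes RDNs from the root end (the order
    javax.naming.ldap.LdapName.getRdn(0) yields); 'leftmost' takes the
    most specific RDN instead. Returns None when the DN has no CN.
    """
    cns = cn_values(dn)
    if not cns:
        return None
    return cns[-1] if policy == "rightmost" else cns[0]


def check_hostname(dn, hostname, policy="rightmost"):
    """Return (ok, message) for the hostname check under the chosen policy.

    'any' accepts the DN if any CN equals the hostname; 'rightmost' and
    'leftmost' compare one selected CN. Comparison is case-insensitive,
    as hostnames are.
    """
    cns = cn_values(dn)
    if not cns:
        return False, "no CN attribute in DN"
    want = hostname.lower()
    if policy == "any":
        if want in (c.lower() for c in cns):
            return True, "ok"
        return False, f"Expected cn of {hostname} but got {', '.join(cns)}"
    got = selected_cn(dn, policy)
    if got.lower() == want:
        return True, "ok"
    return False, f"Expected cn of {hostname} but got {got}"


if __name__ == "__main__":
    # Constructed input: the server DN and expected hostname from the comment above.
    server_dn = "CN=localhost,CN=host,CN=account"
    for pol in ("rightmost", "leftmost", "any"):
        print(pol, check_hostname(server_dn, "localhost", pol))
```

Running the block prints the "rightmost" failure with the same text as the client log, and the two alternative policies accepting the DN; the parser also keeps an escaped comma inside a CN value as part of that value rather than treating it as an RDN boundary.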