You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/04/13 01:47:25 UTC

[jira] [Commented] (NIFI-1478) Audit SSLContextFactory and SSLSocketFactory usage throughout application

    [ https://issues.apache.org/jira/browse/NIFI-1478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15238270#comment-15238270 ] 

ASF GitHub Bot commented on NIFI-1478:
--------------------------------------

GitHub user alopresto opened a pull request:

    https://github.com/apache/nifi/pull/346

    Nifi 1753 Removed legacy X.509 certificate implementation references

    Various logic throughout the application referenced `javax.security.cert.X509Certificate` which is a deprecated class and exists only for legacy compatibility with older JSSE implementations. As of Java SE 6, new development should use `java.security.cert.X509Certificate`. Most references to the legacy classes were in similar logic blocks to retrieve the distinguished name (DN) from the client certificate chain presented during TLS mutual authentication. 
    
    I refactored this logic into a common utility method to deduplicate and provided utility methods for converting legacy `X509Certificate`s and the abstract `java.security.cert.Certificate` returned by the replacement method (`javax.net.ssl.SSLSession#getPeerCertificateChain()` is succeeded by `javax.net.ssl.SSLSession#getPeerCertificates()`) to the correct version of `X509Certificate`. 
    
    The module `nifi-security-utils` was added as a dependency to `nifi-utils` but contains only two utility classes with static helper methods and four enums. This change may be reverted/expanded as part of the larger-scale work on NIFI-1478, NIFI-1480, etc., but that is 1.0.0 refactor work, while this was a surgical fix for both 0.7.0 and 1.0.0. 
    
    This will be rebased & squashed before merging. 

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/alopresto/nifi NIFI-1753

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/nifi/pull/346.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #346
    
----
commit e2d1c359bb94148679a057b5521b3fb17f6a936a
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T03:11:45Z

    NIFI-1753 Added convenience methods for converting legacy X.509 certificates and abstract certificates to correct X.509 format.
    Added unit tests for certificate manipulation.
    Replaced logic retrieving legacy X.509 certificates with new logic in NodeProtocolSenderImpl.
    Added bcpkix (Bouncy Castle PKI implementation) dependency to nifi-standard-processors pom.

commit b9868ef297228ef7398a30fbddb915abef98eda6
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T03:36:38Z

    NIFI-1753 Added convenience method for extracting DN from peer certificate chain in SSL socket (canonical implementation to reduce code duplication and references to legacy certificate implementations).
    Refactored logic retrieving legacy X.509 certificates with reference to convenience method in NodeProtocolSenderImpl.
    Replaced logic retrieving legacy X.509 certificates with reference to convenience method in SocketProtocolListener.
    Cleaned up exception handling in SocketProtocolListener.
    Replaced legacy X.509 certificate declarations with new declarations in HandleHttpRequest (needs manual test).

commit 64208973bf9046d447230c8f096dde09d47d01bd
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T03:46:33Z

    NIFI-1753 Replaced legacy X.509 certificate declarations with new declarations in PostHTTP.

commit cd35f9b36d1e373b99490a6f6df735cd16175383
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T04:16:57Z

    NIFI-1753 Replaced legacy X.509 certificate declarations with new declarations in SSLSocketChannel and EndpointConnectionPool.
    Temporary work-around of duplicate certificate conversion util method because nifi-utils cannot depend on nifi-security-utils.

commit 965b766f2a0be9f703d10e231ca595464bc57f07
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T22:19:14Z

    NIFI-1753 Removed temporary work-around of duplicate certificate conversion util method and added nifi-security-utils as dependency of nifi-utils.

commit 613fe0b62e56898ebe99fed50a25f3aa515d727a
Author: Andy LoPresto <al...@apache.org>
Date:   2016-04-12T22:20:22Z

    NIFI-1753 Fixed nifi-utils pom.xml comment about additional dependencies.

----


> Audit SSLContextFactory and SSLSocketFactory usage throughout application
> -------------------------------------------------------------------------
>
>                 Key: NIFI-1478
>                 URL: https://issues.apache.org/jira/browse/NIFI-1478
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 0.5.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Critical
>              Labels: certificate, security, tls
>   Original Estimate: 336h
>  Remaining Estimate: 336h
>
> The internal use of {{SSLSocketFactory}} and {{SSLContextFactory}} is inconsistent, as the application has grown around the concept of secure communications. NiFi can act as both a server and as a client for communications, and the default configuration should make it easy for new users to quickly secure the application for incoming and outgoing connections. 
> In addition, {{SSLSocketFactory}} has some inconsistencies and idiosyncrasies which may confuse users [1]. 
> [1] http://stackoverflow.com/a/23365536/70465



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)