Posted to users@nifi.apache.org by Florimond Salvi <fs...@infovista.com> on 2017/10/17 13:42:39 UTC

Disable SNI for TLS connection using getHTTP processor

Hello,

We are trying to collect data from a Palo Alto firewall using an HTTPS call;

the GetHTTP processor raises the below exception:

javax.net.ssl.SSLPeerUnverifiedException: Certificate for <myhost> doesn't match any of the subject alternative names: [mydomain]

As we cannot easily update the certificate on all devices, we would like to disable the SNI check for this processor.

The below option was added into bootstrap.conf:

-Djsse.enableSNIExtension=false

The option appears in the log when starting NiFi, but the same exception is still raised in the processor.

Could you let me know what could be the best way to disable this exception on this processor or globally?

System Details:

NiFi 1.3.0 on Windows Server 2012

Java 1.8u144

Flo


Re: Disable SNI for TLS connection using getHTTP processor

Posted by Andy LoPresto <al...@apache.org>.
Hi Flo,

I don’t believe this is an SNI check, but rather the hostname verification that is performed as part of the TLS handshake negotiation. As mentioned in Section 6 of RFC 6125 [1], the certificate hostname should no longer be extracted from the distinguished name (DN), but rather explicitly enumerated as one or more subject alternate names (SAN). Section 6.4.4 notes that as a last resort, if no valid SAN identifiers are present, the client may use the extracted CN to verify the hostname.

In your case, the certificate hostname doesn’t match the provided SAN. I understand you have difficulty updating the deployed certificates. In that case, you will have to make code changes to NiFi, as it does not include an option to disable hostname verification (by design). You would need to implement a custom HostnameVerifier [2] which specifically allows certificates with the incorrect hostname to be accepted. This is a *serious* risk which exposes you to many threats, and you should consult with your security team to ensure that course of action is necessary. I am declining to provide code to implement that behavior here because I do not endorse it as a path forward. If you do this, you would need additional safeguards like certificate pinning and a very small truststore, with explicitly whitelisted CA signatures in order to prevent imposter certificates from being accepted.


[1] https://tools.ietf.org/html/rfc6125#section-6
[2] https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/InvokeHTTP.java#L1096


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

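The matching rule Andy describes (RFC 6125 section 6: SAN dNSName entries are authoritative, the CN is only a fallback when no SAN is present) can be written down in a few lines. The following is an added illustration, not code from the thread or from NiFi; the function names and the sample hostnames are constructed for this example. It shows why the exception above cannot be avoided by the CN: once the certificate carries a SAN list, only that list is consulted.

```python
from typing import List, Optional


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName identifier against a hostname (RFC 6125 6.4.3).

    Comparison is case-insensitive. A wildcard is accepted only as the
    entire left-most label of a pattern with at least two further labels
    ("*.example.com"), and it matches exactly one label, so it never
    matches the bare parent domain or a deeper sub-domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ("f*.example.com") and wildcards in
    # later labels; RFC 6125 says clients SHOULD NOT match those.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def hostname_matches(hostname: str, san_dns_names: List[str],
                     common_name: Optional[str]) -> bool:
    """Decide whether a certificate is valid for `hostname`.

    If the certificate carries any SAN dNSName entries, only those are
    consulted. The CN is used as a last resort when no SAN dNSName is
    present (RFC 6125 6.4.4), which is the step a verifier skips in the
    situation described in the thread.
    """
    if san_dns_names:
        return any(dns_name_matches(p, hostname) for p in san_dns_names)
    return bool(common_name) and dns_name_matches(common_name, hostname)


if __name__ == "__main__":
    # Constructed reproduction of the reported failure: the SAN list holds
    # "mydomain", so the matching CN "myhost" is never consulted.
    print(hostname_matches("myhost", ["mydomain"], "myhost"))   # False
    print(hostname_matches("myhost", [], "myhost"))             # True
```

The practical consequence is the one Andy gives: the fix belongs on the certificate (add the device hostname as a SAN), not in the client's verifier.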