You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Chris Sampson (Jira)" <ji...@apache.org> on 2022/12/09 10:58:00 UTC

[jira] [Updated] (NIFI-10929) NiFi generated certificates (e.g. Single User, or nifi-toolkit) are not compatible with OpenSSL 3.x+

     [ https://issues.apache.org/jira/browse/NIFI-10929?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Sampson updated NIFI-10929:
---------------------------------
    Affects Version/s: 1.19.1

> NiFi generated certificates (e.g. Single User, or nifi-toolkit) are not compatible with OpenSSL 3.x+
> ----------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-10929
>                 URL: https://issues.apache.org/jira/browse/NIFI-10929
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.19.0, 1.19.1
>            Reporter: Chris Sampson
>            Priority: Major
>
> The certificates (keystore, truststore) generated by NiFi are not compatible with OpenSSL 3+ because they are created using old/insecure algorithms.
> When starting NiFi 1.19.0 (using the {{apache/nifi}} Docker image) and confguring a single-user auth, which is the default for NiFi, the generated {{truststore.p12}} and {{keystore.p12}} cannot be decrypted (e.g. to extract the public cert/private key into PEM format files so they can be used with {{curl}}) using the OpenSSL version present within the Docker Image.
> {quote}
> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
> {quote}
> Attempted command:
> {code:bash}
> openssl pkcs12 -in "truststore.p12" -out "nifi-cert.pem" -cacerts -nokeys -password "pass:${TRUSTSTORE_PASSWORD}"
> {code}
> Error:
> {quote}
> 4047C0AF997F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
> {quote}
> This can be worked around by adding the {{-legacy}} flag to the {{openssl}} command (see [this Stack Overflow answer|https://stackoverflow.com/a/72600724]).
> Using the command suggested from teh linked article, we see that the NiFi generated truststure uses:
> {quote}
> PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 51200
> {quote}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)