NIFI-1930 Updated ListenHTTP to set TLS included protocols #4687
Conversation
exceptionfactory
force-pushed
the
NIFI-1930
branch
from
4adbced
to
6b54b2b
Compare
|
Will review this one as well. |
|
Tested out ListenHTTP processor in combination with the RestrictedSslContextService. I set the protocols explicitly to TLSv1.2 and TLSv1.3 and only those were enabled (I checked this with openssl s_client and Wireshark), and ListenHTTP offered those protocols respectively. 'TLS' setting allowed both TLSv1.2 and TLSv1.3 as expected. I used PostHTTP and ListenHTTP to talk to each other and set TLSv1.2 on PostHTTP and TSLv1.3 on ListenHTTP and there was a protocol version mismatch error as expected. |
exceptionfactory
force-pushed
the
NIFI-1930
branch
from
6b54b2b
to
f366bde
Compare
|
@thenatog Thanks for the review and testing. The introduction of the Client Authentication property and streamlining the initialization process to call SSLContextService.createSSLContext() apparently broke implicit support for one-way TLS communication, which ListenHTTP supported when the SSLContextService did not have any Trust Store properties configured. I pushed an update to this PR that includes an update to SSLContextService and SslContextFactory that restores support for this configuration, but logs a warning message indicating that the default platform Certificate Authorities will be used. This adjustment reduced the impact to existing unit tests and preserves backwards compatibility. |
|
+1 LGTM, will merge. |
|
Merged |
Description of PR
NIFI-1930 Updated ListenHTTP to configure the Jetty SslContextFactory with included protocols based on the configuration of the SSLContextService TLS Protocol property. The Jetty SslContextFactory will be configured to support multiple current TLS protocol versions when the TLS Protocol is configured without a specific version. When the SSLContextService TLS Protocol property specifies a particular TLS Protocol version, only that version will be allowed.
This update simplifies the configuration of the Jetty SslContextFactory by using the SSLContext created from SSLContextService, as opposed to passing the individual key store and trust store properties. This update also introduces a new Client Auth property for ListenHTTP to explicitly define the TLS client authentication policy. Previous versions of ListenHTTP inferred the client authentication policy based on the presence or absence of trust store properties in the SSLContextService. The Client Auth property is defaulted to REQUIRED to support mutual TLS authentication, but all standard values are supported.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
For all changes:
Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
Does your PR title start with NIFI-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
Has your PR been rebased against the latest commit within the target branch (typically
main)?Is your initial contribution a single, squashed commit? Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not
squashor use--forcewhen pushing to allow for clean monitoring of changes.For code changes:
mvn -Pcontrib-check clean installat the rootnififolder?LICENSEfile, including the mainLICENSEfile undernifi-assembly?NOTICEfile, including the mainNOTICEfile found undernifi-assembly?.displayNamein addition to .name (programmatic access) for each of the new properties?For documentation related changes:
Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.