nifi-commits mailing list archives

From "Andy LoPresto (JIRA)" <>
Subject [jira] [Commented] (NIFI-1478) Audit SSLContextFactory and SSLSocketFactory usage throughout application
Date Wed, 30 Mar 2016 05:47:27 GMT


Andy LoPresto commented on NIFI-1478:

I configured a default NiFi 0.6.0 instance with a server certificate and enabled HTTPS in
{{}} and ran a preliminary evaluation of the TLS configuration [1] using cipherscan.

High priority issues:
* Weak DHE parameters
* Server-side enforcement of cipher suite ordering
* Cipher suite ordering

Intermediate priority issues:
* Legacy cipher suites available (necessary for compatibility maximization)
* TLSv1 and TLSv1.1 supported (necessary for compatibility maximization)
* OCSP stapling not enabled

Low priority issues:
* Self-signed certificate (not a NiFi problem and only used in dev environment for this scan)

I am going to work to allow NiFi to be quickly admin-configurable to one of the Mozilla recommended
levels [3] (i.e. {{old}}, {{intermediate}}, and {{modern}}) along with a custom level, in
conjunction with [NIFI-1480] to ensure the SSL settings for processors/controller services
connecting to external endpoints can be configured independently from the NiFi server behavior.


> Audit SSLContextFactory and SSLSocketFactory usage throughout application
> -------------------------------------------------------------------------
>                 Key: NIFI-1478
>                 URL:
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 0.5.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Critical
>              Labels: certificate, security, tls
>   Original Estimate: 336h
>  Remaining Estimate: 336h
> The internal use of {{SSLSocketFactory}} and {{SSLContextFactory}} is inconsistent, as
> the application has grown around the concept of secure communications. NiFi can act as both
> a server and as a client for communications, and the default configuration should make it
> easy for new users to quickly secure the application for incoming and outgoing connections.
>
> In addition, {{SSLSocketFactory}} has some inconsistencies and idiosyncrasies which may
> confuse users [1].
> [1]
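
As an added example (not NiFi's code and not part of the issue or the comment above), here is how a JSSE-based server could expose the three Mozilla levels the comment proposes while addressing the three high-priority findings: enabled protocols and cipher suites are pinned per level, server-side cipher suite ordering is switched on, and the ephemeral DH key size is raised. The suite lists are an approximation of Mozilla's 2016-era guidance transcribed into JSSE names, and the class, enum and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

/**
 * Added example with assumed names (not NiFi code): map a Mozilla-style TLS level
 * to JSSE SSLParameters so an admin can pick "old", "intermediate" or "modern".
 */
public final class TlsLevelConfigurator {

    public enum Level { OLD, INTERMEDIATE, MODERN }

    // Approximation of the Mozilla "modern" list (2016 era) in JSSE suite names,
    // strongest first: this order is what the server will enforce.
    private static final List<String> MODERN_SUITES = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");

    // Legacy suites appended for "intermediate" (compatibility maximization) ...
    private static final List<String> INTERMEDIATE_EXTRA = Arrays.asList(
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA");

    // ... and for "old" (3DES for very old clients; RC4 and SSLv3 deliberately left out).
    private static final List<String> OLD_EXTRA = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA");

    // "modern" is TLSv1.2 only; the other two keep TLSv1/TLSv1.1 for compatibility.
    // Note: newer JDKs also disable TLSv1/1.1 via jdk.tls.disabledAlgorithms, which wins.
    static String[] protocolsFor(Level level) {
        return level == Level.MODERN
            ? new String[] {"TLSv1.2"}
            : new String[] {"TLSv1.2", "TLSv1.1", "TLSv1"};
    }

    static List<String> cipherSuitesFor(Level level) {
        List<String> suites = new ArrayList<>(MODERN_SUITES);
        if (level != Level.MODERN) suites.addAll(INTERMEDIATE_EXTRA);
        if (level == Level.OLD) suites.addAll(OLD_EXTRA);
        return suites;
    }

    /** Build parameters for a level, keeping only suites this JVM actually supports. */
    public static SSLParameters parametersFor(Level level, SSLContext ctx) {
        Set<String> supported = new HashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        List<String> enabled = new ArrayList<>();
        for (String suite : cipherSuitesFor(level)) {
            if (supported.contains(suite)) enabled.add(suite);
        }
        if (enabled.isEmpty()) {
            // Fail closed: never silently fall back to the JVM's default suite list.
            throw new IllegalStateException("no supported cipher suites for level " + level);
        }
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(protocolsFor(level));
        params.setCipherSuites(enabled.toArray(new String[0]));
        // Server chooses from its own ordered list instead of honoring client preference.
        params.setUseCipherSuitesOrder(true);
        return params;
    }

    /** Apply a level to a listening socket before accept() is called. */
    public static void apply(Level level, SSLContext ctx, SSLServerSocket socket) {
        socket.setSSLParameters(parametersFor(level, ctx));
    }

    public static void main(String[] args) throws Exception {
        // Weak DHE parameters: older JDK 8 builds default to 1024-bit ephemeral DH.
        // JSSE reads this property once, so it must be set before TLS is first used.
        System.setProperty("jdk.tls.ephemeralDHKeySize", "2048");
        SSLContext ctx = SSLContext.getDefault();
        for (Level level : Level.values()) {
            SSLParameters p = parametersFor(level, ctx);
            System.out.println(level + " protocols=" + Arrays.toString(p.getProtocols())
                + " suites=" + p.getCipherSuites().length
                + " serverOrder=" + p.getUseCipherSuitesOrder());
        }
    }
}
```

A "custom" level, as the comment also proposes, would simply take the protocol and suite lists from configuration and run them through the same supported-suite filter; the fail-closed check matters there most, since a typo in an admin-supplied suite name should produce a startup error rather than an unintended fallback to the JVM defaults.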
