nifi-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andy LoPresto (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (NIFI-1478) Audit SSLContextFactory and SSLSocketFactory usage throughout application
Date Wed, 30 Mar 2016 05:47:27 GMT

    [ https://issues.apache.org/jira/browse/NIFI-1478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15217440#comment-15217440
] 

Andy LoPresto commented on NIFI-1478:
-------------------------------------

I configured a default NiFi 0.6.0 instance with a server certificate and enabled HTTPS in
{{nifi.properties}} and ran a preliminary evaluation of the TLS configuration [1] using cipherscan
[2].

High priority issues:
* Weak DHE parameters
* Server-side enforcement of cipher suite ordering
* Cipher suite ordering

Intermediate priority issues:
* Legacy cipher suites available (necessary for compatibility maximization)
* TLSv1 and TLSv1.1 supported (necessary for compatibility maximization)
* OCSP stapling not enabled

Low priority issues:
* Self-signed certificate (not a NiFi problem and only used in dev environment for this scan)

I am going to work to allow NiFi to be quickly admin-configurable to one of the Mozilla recommended
levels [3] (i.e. {{old}}, {{intermediate}}, and {{modern}}) along with a custom level, in
conjunction with [NIFI-1480] to ensure the SSL settings for processors/controller services
connecting to external endpoints can be configured independently from the NiFi server behavior.


[1] https://gist.github.com/alopresto/ff9bbe693b0e7043a7c468bb2ca5adfa
[2] https://github.com/jvehent/cipherscan
[3] https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

> Audit SSLContextFactory and SSLSocketFactory usage throughout application
> -------------------------------------------------------------------------
>
>                 Key: NIFI-1478
>                 URL: https://issues.apache.org/jira/browse/NIFI-1478
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 0.5.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>            Priority: Critical
>              Labels: certificate, security, tls
>   Original Estimate: 336h
>  Remaining Estimate: 336h
>
> The internal use of {{SSLSocketFactory}} and {{SSLContextFactory}} is inconsistent, as
the application has grown around the concept of secure communications. NiFi can act as both
a server and as a client for communications, and the default configuration should make it
easy for new users to quickly secure the application for incoming and outgoing connections.

> In addition, {{SSLSocketFactory}} has some inconsistencies and idiosyncrasies which may
confuse users [1]. 
> [1] http://stackoverflow.com/a/23365536/70465



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message