nifi-users mailing list archives

From Andy LoPresto <alopre...@apache.org>
Subject Re: nifi 1.1.1 force SSL
Date Fri, 24 Mar 2017 20:00:11 GMT
Juan,

I believe that the underlying Jetty server for ListenHTTP will not support SSLv3. NiFi 1.1.1
uses Jetty 9.3.9.v20160517, and Jetty versions going back to at least 9.2 disable SSLv3. In
addition, I believe Java 8_31 also disables SSLv3 [1]. To make this work (and for the record,
I strongly discourage it), you would need to override the JRE security settings and write
custom code to initialize Jetty with SSLv3.

[1] https://dev.eclipse.org/mhonarc/lists/jetty-users/msg05703.html


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Mar 24, 2017, at 12:53 PM, Juan Sequeiros <hellojuan@gmail.com> wrote:
> 
> Hello all,
> 
> I am trying to force SSLv3 on a ListenHTTP.
> 
> I've changed that on my StandardSSLContextService but when I test it fails when I specify sslv3 and works when I specify tlsv1 **** curl example.
> 
> Similar thing if NIFI * postHTTP inside same canvas to myself. Works fine if StandardSSLContextService is set to TLS ( both listen and post are using same SSLContextService ) it fails if I change it to SSLv3
> 
> I've also looked to make sure the macro JAVA java.security is not blocking me but that does not have any "SSL" on ~JAVA_INSTALL/security/java.security
> 
> jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768
> 
> Any suggestions?
> 
> My test is using curl:
> 
> Command that works:
> 
> curl -H "filename:test.txt" -H "some.attribute:nifiTest" -k --cert myServerCert --key MyServer.key -d @some/file --location-trusted --location https://someServer:5555/contentListener --tlsv1 -vvv
> 
> Command that does not:
> 
> curl -H "filename:test.txt" -H "some.attribute:nifiTest" -k --cert myServerCert --key MyServer.key -d @some/file --location-trusted --location https://someServer:5555/contentListener --sslv3 -vvv
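
Added example, not part of the original thread and not NiFi or Jetty code: a Python audit of the JRE layer the reply mentions, reporting whether a java.security file still lists SSLv3 under jdk.tls.disabledAlgorithms. The function names are hypothetical, the parser assumes '=' separators, and the second sample is constructed.

```python
"""Audit a java.security file: is SSLv3 still disabled at the JRE level?"""

PROPERTY = "jdk.tls.disabledAlgorithms"

# The single line quoted in the question on this page.
PAGE_SAMPLE = "jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768\n"

# Constructed sample: the value is split with a backslash continuation,
# which a line-by-line search of the file would only partly see.
CONSTRUCTED_SAMPLE = r"""# constructed sample, not taken from a real installation
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \
    DH keySize < 768
"""

def read_property(text, name):
    """Return the last value assigned to `name`, or None if it is never set."""
    value = None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        while line.endswith("\\"):           # join continuation lines
            line = line[:-1] + next(lines, "").strip()
        key, sep, rest = line.partition("=")
        if sep and key.strip() == name:
            value = rest.strip()             # a later assignment wins
    return value

def disabled_entries(text):
    """Split the property into its comma-separated entries (None if unset)."""
    value = read_property(text, PROPERTY)
    if value is None:
        return None
    return [e.strip() for e in value.split(",") if e.strip()]

def sslv3_disabled(text):
    """True if an entry names SSLv3 (first token, compared case-insensitively)."""
    entries = disabled_entries(text)
    return bool(entries) and any(e.split()[0].lower() == "sslv3" for e in entries)

if __name__ == "__main__":
    for label, sample in (("page", PAGE_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        print(label, "SSLv3 disabled in JRE:", sslv3_disabled(sample))
```

This covers only the JRE setting; as the reply states, Jetty also disables SSLv3, so a file without the entry does not mean the listener will negotiate it.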

