[NIFI-5400] NiFiHostnameVerifier should be replaced - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.7.0
Fix Version/s: 1.8.0
Component/s: Core Framework
Labels:
- certificate
- hostname
- security
- tls

Description

The NiFiHostnameVerifier does not handle wildcard certificates or complex SubjectAlternativeNames. It should be replaced with a more full-featured implementation, like OkHostnameVerifier from okhttp or DefaultHostnameVerifier from http-client. Either of these options requires introducing a new Maven dependency to nifi-commons and requires further investigation.

*Note: * the sun.net.www.protocol.httpsDefaultHostnameVerifier simply returns false on all inputs and is not a valid solution.

Attachments

Issue Links

Is contained by

NIFI-5458 Improve NiFi TLS and certificate management

Resolved

links to

GitHub Pull Request #2919

Activity

People

Assignee:: Nathan Gough

Reporter:: Andy LoPresto

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 10/Jul/18 00:41

Updated:: 07/Aug/18 03:15

Resolved:: 07/Aug/18 03:15