Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
0.4.0, 0.4.1
Description
JDP10101 was working to upgrade a library dependency (com.squareup.okhttp.okhttp:2.5.0 to 2.6.0). During this attempt, the TestInvokeHttpSSL tests began failing. With the help of a Square engineer[1], it was determined that the TLS cipher suite in use during tests against Jetty server was restricted to only `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`. This is an obsolete cipher suite and it was deprecated in OkHttp:2.6.0.
While there is a workaround (code below) to override the OkHttp connector to use this obsolete cipher suite, the real issue was that Jetty should not be restricted to allowing that single cipher suite for incoming connections.
Further investigation revealed that the test keystore[2] and truststore[3] in use did not have any valid RSA or DSA keys. Because of this, Jetty could not rely on any RSA/DSA-dependent cipher suites, and the removal of `TLS_DHE_DSS_WITH_AES_128_CBC_SHA` in the client library meant that no compatible cipher suites were available.
The DSA key issued under alias `mykey` in the keystore expired in 2014. I will temporarily add a new key (valid for 1 year) into the keystore and truststore and commit. I will raise another Jira to allow for dynamic code-generated keys to avoid this problem in the future.
[1] http://stackoverflow.com/questions/34498023/okhttp-upgrading-from-2-5-to-2-6-breaks-https-tests?noredirect=1#comment56840249_34498023
[2] https://github.com/alopresto/nifi/blob/aa99884782e54c54ee138f5609b3be84628e96f9/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/localhost-ks.jks
[3] https://github.com/alopresto/nifi/blob/aa99884782e54c54ee138f5609b3be84628e96f9/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/localhost-ts.jks