[NIFI-7468] Improve internal handling of SSL channels - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.11.4, 1.13.2
Fix Version/s: 1.14.0
Component/s: Core Framework, Extensions
Labels:
- security
- ssl
- tcp
- tls
- tlsv1.3

Description

While refactoring the TLS protocol version issue in ~~NIFI-7407~~, I discovered that some processors make use of NiFi custom implementations of SSLSocketChannel, SSLCommsSession, and SSLSocketChannelInputStream. These implementations break on TLSv1.3.

Further investigation is needed to determine why these custom implementations were provided originally, whether they are still required, and why they do not handle TLSv1.3 successfully.

Diagnostic error:

Error reading from channel due to Tag mismatch!: javax.net.ssl.SSLException: Tag mismatch!

Attachments

Issue Links

depends upon

NIFI-7407 Change cluster communication protocol listener

Resolved

is depended upon by

NIFI-6563 Add support for TLSv1.3 when running on Java 11

Resolved

is related to

NIFI-5458 Improve NiFi TLS and certificate management

Resolved

NIFI-8298 Refactor nifi-security-utils to reduce dependence on Bouncy Castle

Resolved

relates to

NIFI-8462 Refactor PutSyslog and ListenSyslog using Netty

Resolved

NIFI-8616 Migrate SSL socket code to use Netty

Resolved

links to

GitHub Pull Request #4979

GitHub Pull Request #5152

(1 relates to, 2 links to)

Activity

People

Assignee:: David Handermann

Reporter:: Andy LoPresto

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 19/May/20 01:13

Updated:: 23/Jun/21 02:35

Resolved:: 23/Jun/21 02:35

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 20m