Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-8019

SSL Enabled Protocol test failures when TLSv1 and TLSv1.1 disabled in java.security

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.12.1
    • 1.13.0
    • Security
    • None
    • Fedora 33 OpenJDK 11.0.9

    Description

      The SslContextFactoryTest in nifi-security-utils and other test classes evaluate the array of enabled protocols during various unit tests after constructing an SSLContext.  This unit test and others contain a static array of expected protocols that include TLSv1 and TLSv1.1.

      Recent versions of Java 8 and 11 continue to allow these protocols, however, Fedora 33 introduced changes to the default cryptographic policies that disable TLSv1 and TLSv1.1.  The following Fedora Wiki page describes the changes:

      https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

      The Fedora 33 crypto-policies RPM includes the following policy file:

      /usr/share/crypto-policies/DEFAULT/java.txt

      The Java policy includes TLSv1 and TLSv1.1 in the property for jdk.tls.disabledAlgorithms.  This policy is included at runtime due to the java.security policy enabling security.useSystemPropertiesFile.

      The SslContextFactoryTest and other tests that evaluate enabled SSL protocols should be updated to dynamically determine which protocols to expect using the SSLContext.getDefaultSSLParameters().getProtocols() method.

      Attachments

        Issue Links

        relates to

        Improvement - An improvement or enhancement to an existing feature or task. NIFI-7662 Add unit tests for Java 8 update 262 TLS v1.3 handling for different vendors

        • Major - Major loss of function.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. NIFI-8037 Support TLS 1.3 in SSLContextService on Java 8

        • Minor - Minor loss of function, or other problem where easy workaround is present.
        • Resolved
        links to

        Web Link GitHub Pull Request #4673

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            exceptionfactory David Handermann
            exceptionfactory David Handermann
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 2h 20m
                2h 20m

                Slack

                  Issue deployment