[
https://issues.apache.org/jira/browse/NIFI-8019?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann updated NIFI-8019:
-----------------------------------
Description:
The SslContextFactoryTest in nifi-security-utils and other test classes
evaluate the array of enabled protocols during various unit tests after
constructing an SSLContext. This unit test and others contain a static array
of expected protocols that include TLSv1 and TLSv1.1.
Recent versions of Java 8 and 11 continue to allow these protocols, however,
Fedora 33 introduced changes to the default cryptographic policies that disable
TLSv1 and TLSv1.1. The following Fedora Wiki page describes the changes:
[https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2]
The Fedora 33 _crypto-policies_ RPM includes the following policy file:
/usr/share/crypto-policies/DEFAULT/java.txt
The Java policy includes TLSv1 and TLSv1.1 in the property for
jdk.tls.disabledAlgorithms. This policy is included at runtime due to the
java.security policy enabling security.useSystemPropertiesFile.
The SslContextFactoryTest and other tests that evaluate enabled SSL protocols
should be updated to dynamically determine which protocols to expect using the
SSLContext.getDefaultSSLParameters().getProtocols() method.
was:
The SslContextFactoryTest in nifi-security-utils and other test classes
evaluate the array of enabled protocols during various unit tests after
constructing an SSLContext. This unit test and others contain a static array
of expected protocols that include TLSv1 and TLSv1.1.
Recent versions of Java 8 and 11 continue to allow these protocols, however,
Fedora 33 introduced changes to the default cryptographic policies that disable
TLSv1 and TLSv1.1. The following Fedora Wiki page describes the changes:
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
The Fedora 33 _crypto-policies_ RPM includes the following policy file:
/usr/share/crypto-policies/DEFAULT/java.txt
The Java policy includes TLSv1 and TLSv1.1 in the property for
jdk.tls.disabledAlgorithms. This policy is included at runtime due to the
java.security policy enabling security.useSystemPropertiesFile.
The SslContextFactoryTest and other tests that evaluate enabled SSL protocols
should be updated to dynamically determine which protocols to expect using the
SSLEngine.getSupportedProtocols() method.
> SSL Enabled Protocol test failures when TLSv1 and TLSv1.1 disabled in
> java.security
> -----------------------------------------------------------------------------------
>
> Key: NIFI-8019
> URL: https://issues.apache.org/jira/browse/NIFI-8019
> Project: Apache NiFi
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.12.1
> Environment: Fedora 33 OpenJDK 11.0.9
> Reporter: David Handermann
> Priority: Major
>
> The SslContextFactoryTest in nifi-security-utils and other test classes
> evaluate the array of enabled protocols during various unit tests after
> constructing an SSLContext. This unit test and others contain a static array
> of expected protocols that include TLSv1 and TLSv1.1.
> Recent versions of Java 8 and 11 continue to allow these protocols, however,
> Fedora 33 introduced changes to the default cryptographic policies that
> disable TLSv1 and TLSv1.1. The following Fedora Wiki page describes the
> changes:
> [https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2]
> The Fedora 33 _crypto-policies_ RPM includes the following policy file:
> /usr/share/crypto-policies/DEFAULT/java.txt
> The Java policy includes TLSv1 and TLSv1.1 in the property for
> jdk.tls.disabledAlgorithms. This policy is included at runtime due to the
> java.security policy enabling security.useSystemPropertiesFile.
> The SslContextFactoryTest and other tests that evaluate enabled SSL protocols
> should be updated to dynamically determine which protocols to expect using
> the SSLContext.getDefaultSSLParameters().getProtocols() method.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
