[
https://issues.apache.org/jira/browse/NIFI-14353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17934219#comment-17934219
]
David Handermann commented on NIFI-14353:
-----------------------------------------
The Java HTTP Client and TLS SNI check implements the requirements defined in
[RFC 6066 Section 3|https://www.rfc-editor.org/rfc/rfc6066#section-3] which
specifies that the hostname must not include a trailing dot.
> The hostname is represented as a byte string using ASCII encoding without a
> trailing dot.
NiFi 2 moved away from OkHttp to the Java HttpClient for cluster communication
as described.
Although different Kubernetes distributions have different configurations, it
should be possible to configure NiFi using hostnames without the trailing dot.
> NiFi 2.0+ failure due to JDK HttpClient rejecting FQDNs with trailing dots
> --------------------------------------------------------------------------
>
> Key: NIFI-14353
> URL: https://issues.apache.org/jira/browse/NIFI-14353
> Project: Apache NiFi
> Issue Type: Bug
> Components: Core Framework
> Affects Versions: 2.0.0, 2.1.0, 2.2.0
> Reporter: super dachuan
> Priority: Major
>
> After upgrading to NiFi 2.0 or later, the internal HTTP client has been
> switched to JDK’s built-in HttpClient. This change introduces a strict
> validation check on server names via the SNIHostName class, which now rejects
> FQDNs that end with a trailing dot. In our environment, NiFi nodes are
> deployed as containers in a Kubernetes cluster where it is common to use
> FQDNs (with a trailing dot) as the host. Consequently, this leads to
> immediate login failures with the following error:
> {code:java}
> java.lang.IllegalArgumentException: Server name value of host_name cannot have the trailing dot
>     at java.net.http/jdk.internal.net.http.HttpClientImpl.send(HttpClientImpl.java:941)
>     at java.net.http/jdk.internal.net.http.HttpClientFacade.send(HttpClientFacade.java:133)
>     at org.apache.nifi.web.client.StandardWebClientService$StandardHttpRequestBodySpec.getResponse(StandardWebClientService.java:354)
>     at org.apache.nifi.web.client.StandardWebClientService$StandardHttpRequestBodySpec.retrieve(StandardWebClientService.java:339)
>     at org.apache.nifi.cluster.coordination.http.replication.client.StandardHttpReplicationClient.replicate(StandardHttpReplicationClient.java:204)
>     at org.apache.nifi.cluster.coordination.http.replication.client.StandardHttpReplicationClient.replicate(StandardHttpReplicationClient.java:198)
>     at org.apache.nifi.cluster.coordination.http.replication.client.StandardHttpReplicationClient.replicate(StandardHttpReplicationClient.java:148)
>     at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:641)
>     at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:860)
>     at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
>     at java.base/java.lang.Thread.run(Thread.java:1583)
> Caused by: java.lang.IllegalArgumentException: Server name value of host_name cannot have the trailing dot
>     at java.base/javax.net.ssl.SNIHostName.checkHostName(SNIHostName.java:319)
>     at java.base/javax.net.ssl.SNIHostName.<init>(SNIHostName.java:109)
>     at java.net.http/jdk.internal.net.http.AbstractAsyncSSLConnection.createSSLParameters(AbstractAsyncSSLConnection.java:127)
>     at java.net.http/jdk.internal.net.http.AbstractAsyncSSLConnection.<init>(AbstractAsyncSSLConnection.java:78)
>     at java.net.http/jdk.internal.net.http.AsyncSSLConnection.<init>(AsyncSSLConnection.java:48)
>     at java.net.http/jdk.internal.net.http.HttpConnection.getSSLConnection(HttpConnection.java:306)
>     at java.net.http/jdk.internal.net.http.HttpConnection.getConnection(HttpConnection.java:292)
>     at java.net.http/jdk.internal.net.http.Http2Connection.createAsync(Http2Connection.java:518)
>     at java.net.http/jdk.internal.net.http.Http2ClientImpl.getConnectionFor(Http2ClientImpl.java:138)
>     at java.net.http/jdk.internal.net.http.ExchangeImpl.get(ExchangeImpl.java:94)
>     at java.net.http/jdk.internal.net.http.Exchange.establishExchange(Exchange.java:391)
>     at java.net.http/jdk.internal.net.http.Exchange.responseAsyncImpl0(Exchange.java:584)
>     at java.net.http/jdk.internal.net.http.Exchange.responseAsyncImpl(Exchange.java:428)
>     at java.net.http/jdk.internal.net.http.Exchange.responseAsync(Exchange.java:420)
>     at java.net.http/jdk.internal.net.http.MultiExchange.responseAsyncImpl(MultiExchange.java:413)
>     at java.net.http/jdk.internal.net.http.MultiExchange.lambda$responseAsync0$2(MultiExchange.java:346)
>     at java.base/java.util.concurrent.CompletableFuture$UniCompose.tryFire(CompletableFuture.java:1150)
>     at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510)
>     at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1773)
>     at java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(HttpClientImpl.java:177)
>     at java.base/java.util.concurrent.CompletableFuture.completeAsync(CompletableFuture.java:2719)
>     at java.net.http/jdk.internal.net.http.MultiExchange.responseAsync(MultiExchange.java:299)
>     at java.net.http/jdk.internal.net.http.HttpClientImpl.sendAsync(HttpClientImpl.java:1049)
>     at java.net.http/jdk.internal.net.http.HttpClientImpl.send(HttpClientImpl.java:930)
>     ... 13 common frames omitted
> {code}
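Added example (not part of the original comment or of NiFi's code): a pre-flight check that runs configured hostnames through the same javax.net.ssl.SNIHostName validation that appears in the stack trace, and reports which names need the trailing dot removed. The class name, method names and sample hostnames are constructed for illustration.

```java
import javax.net.ssl.SNIHostName;
import java.util.List;

// Added example: checks hostnames against the JDK's SNI validation before
// they are placed in configuration used for TLS connections.
public class SniHostnameCheck {

    /** Returns null if the JDK accepts the name for SNI, otherwise the rejection message. */
    static String sniRejection(String hostname) {
        try {
            new SNIHostName(hostname); // same constructor that throws in the stack trace
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    /** Drops one trailing dot (the DNS root label) to get the RFC 6066 form of the name. */
    static String withoutTrailingDot(String hostname) {
        return hostname.endsWith(".")
                ? hostname.substring(0, hostname.length() - 1)
                : hostname;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the issue.
        List<String> configured = List.of(
                "nifi-0.nifi.example.svc.cluster.local.",
                "nifi-1.nifi.example.svc.cluster.local");

        for (String host : configured) {
            String reason = sniRejection(host);
            if (reason == null) {
                System.out.println("OK      " + host);
                continue;
            }
            String fixed = withoutTrailingDot(host);
            boolean fixedAccepted = sniRejection(fixed) == null;
            System.out.println("REJECT  " + host + " -> " + reason);
            System.out.println("        configure as " + fixed
                    + " (accepted by SNIHostName: " + fixedAccepted + ")");
        }
    }
}
```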