[
https://issues.apache.org/jira/browse/NIFI-14858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013727#comment-18013727
]
Lars Francke commented on NIFI-14858:
-------------------------------------
[~exceptionfactory] closed the corresponding PR with this comment:
{quote}Although TLS SNI checking can make certain infrastructure configuration
more difficult, it is a fundamental security feature that should not be
disabled.
At this time, NiFi still supports plain HTTP mode, which is not optimal, but is
one possible solution. Introducing the ability to disable TLS SNI checking
masks certificate or infrastructure misconfiguration, which is not something
that should be supported.
Perhaps more details about the particular infrastructure challenges could be
discussed in the corresponding Jira issue. At this time, however, adding
properties that introduce potential security concerns is outside the scope of
supported features.
I'm closing the pull request at this time, but open to discussing the details
on the Jira issue.
{quote}
> Make SNI checking configurable
> ------------------------------
>
> Key: NIFI-14858
> URL: https://issues.apache.org/jira/browse/NIFI-14858
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 2.5.0
> Reporter: Lars Francke
> Assignee: Lars Francke
> Priority: Minor
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> As of NiFi 2.0 SNI certificates are required and the host must match.
> This is a problem for us (and others) when there is for example a load
> balancer in front which does not match the host name of NiFi.
> Instead of disabling the SNI check by default this makes it configurable.
>
> I propose introducing two new configuration properties:
> * nifi.web.https.sni.required (whether a SNI certificate is required)
> * nifi.web.https.sni.host.check (whether to check the Host from the SNI
> certificate against the incoming request)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
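To make the trade-off in the thread concrete, the following is an added illustration (not NiFi's or Jetty's code, and not from either commenter): a constructed model of the two checks the issue names, an SNI name being required and the request Host having to match the served certificate. The `sni_required` and `host_check` parameters mirror the two proposed properties only for the sake of the example; the certificate names and host names are made up. The scenarios show why a load balancer in front of a node trips the check when the node certificate does not cover the public name, and that reissuing the certificate with that name in its SANs satisfies the check without turning it off.

```python
"""Constructed model of a TLS SNI / Host-header consistency check (example, not project code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CheckResult:
    accepted: bool
    reason: str


def _strip_port(host_header: str) -> str:
    """Return the host part of an HTTP Host header, lowercased, with :port removed.

    A bracketed IPv6 literal keeps its brackets and is never split on ':'.
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host


def san_matches(san: str, host: str) -> bool:
    """RFC 6125 style DNS-ID matching: exact match, or a single leading
    wildcard label that matches exactly one label (never the bare parent domain)."""
    san = san.lower()
    host = host.lower()
    if san.startswith("*."):
        parent = san[2:]
        if not host.endswith("." + parent):
            return False
        leftmost = host[: -(len(parent) + 1)]
        return bool(leftmost) and "." not in leftmost
    return san == host


def sni_host_check(sni_name: Optional[str], host_header: str, cert_sans: list[str],
                   sni_required: bool = True, host_check: bool = True) -> CheckResult:
    """Decide whether a request is served.

    sni_required: reject handshakes whose ClientHello carried no SNI name.
    host_check:   reject requests whose Host header names a host that the
                  served certificate does not cover.
    Both default to True, the behaviour the issue describes for NiFi 2.x.
    """
    if sni_required and not sni_name:
        return CheckResult(False, "no SNI name in ClientHello")
    if host_check:
        host = _strip_port(host_header)
        if not any(san_matches(san, host) for san in cert_sans):
            return CheckResult(False, f"Host {host!r} not covered by certificate SANs {cert_sans}")
    return CheckResult(True, "ok")


# Constructed scenario: a node certificate issued for the node name only, and a
# load balancer in front that clients reach as nifi.example.com (hypothetical names).
NODE_SANS = ["nifi-node-1.internal.example"]
NODE_AND_LB_SANS = ["nifi-node-1.internal.example", "nifi.example.com"]


def scenarios() -> dict[str, bool]:
    """Outcome of each configuration; keys describe the situation."""
    return {
        # Client talks to the node directly: SNI and Host both name the node.
        "direct": sni_host_check("nifi-node-1.internal.example",
                                 "nifi-node-1.internal.example:8443", NODE_SANS).accepted,
        # Through the load balancer with the original node certificate: rejected.
        "via_lb_mismatch": sni_host_check("nifi.example.com", "nifi.example.com", NODE_SANS).accepted,
        # Same path after adding the public name to the certificate SANs: accepted.
        "via_lb_fixed_cert": sni_host_check("nifi.example.com", "nifi.example.com",
                                            NODE_AND_LB_SANS).accepted,
        # A client that sends no SNI at all is rejected while SNI is required.
        "no_sni": sni_host_check(None, "nifi.example.com", NODE_AND_LB_SANS).accepted,
        # With both checks off any Host is served, which is what the PR reviewer objected to.
        "checks_disabled": sni_host_check(None, "anything.example", NODE_SANS,
                                          sni_required=False, host_check=False).accepted,
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:20s} accepted={accepted}")
```

The `checks_disabled` row is the configuration the proposed properties would allow; the `via_lb_fixed_cert` row is the certificate-side remedy that keeps both checks on.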