[ 
https://issues.apache.org/jira/browse/NIFI-14858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18013747#comment-18013747
 ] 

Jim Halfpenny commented on NIFI-14858:
--------------------------------------

I see SNI more as an extension to the HTTP protocol to allow for multiple 
TLS-enabled sites to be served from one IP address. There are some marginal 
security benefits to be gained from having strict hostname checking enabled — 
that said, mandating that it must be enabled does present challenges for many 
users. The prescriptive approach to certificate validation favours server-based 
installation and not cloud native deployments with dynamic scaling and 
multiple, often fluid endpoints.

The proposed change maintains the status quo, with strict SNI checking being 
enabled by default. Being able to disable these checks puts the choice in the 
hands of the user and by itself does not greatly diminish the security of the 
platform while at the same time enables use in cases where certificate 
management is a challenge. That is often the way we find things in the field.

I'd say it's so common an issue that providing an informed choice would seem to 
be reasonable — much more so than suggesting running without TLS enabled. I 
dislike the lesser of two evils approach, but this seems like a reasonable 
compromise between security and usability.

> Make SNI checking configurable
> ------------------------------
>
>                 Key: NIFI-14858
>                 URL: https://issues.apache.org/jira/browse/NIFI-14858
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 2.5.0
>            Reporter: Lars Francke
>            Assignee: Lars Francke
>            Priority: Minor
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> As of NiFi 2.0 SNI certificates are required and the host must match.
> This is a problem for us (and others) when there is for example a load 
> balancer in front which does not match the host name of NiFi.
> Instead of disabling the SNI check by default this makes it configurable.
>  
> I propose introducing two new configuration properties:
>  * nifi.web.https.sni.required (whether a SNI certificate is required)
>  * nifi.web.https.sni.host.check (whether to check the Host from the SNI 
> certificate against the incoming request)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
