[
https://issues.apache.org/jira/browse/NIFI-4222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16120937#comment-16120937
]
ASF GitHub Bot commented on NIFI-4222:
--------------------------------------
Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2042
Verified that all tests and contrib-check pass. When run with no SAN
arguments, the CN is present as a SAN. When run with additional SAN arguments,
all are present. +1, merging.
No SAN:
```
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT
(pr2042) alopresto
π 186058s @ 18:43:33 $ ./bin/tls-toolkit.sh standalone -n
'nifi.nifi.apache.org' -P password -S password -f
../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties
2017/08/09 18:58:45 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: Using
../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties
as template.
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone
certificate generation with output directory ../nifi-toolkit-1.4.0-SNAPSHOT
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Generated new CA
certificate ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-cert.pem and key
../nifi-toolkit-1.4.0-SNAPSHOT/nifi-key.key
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Writing new ssl
configuration to ../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully
generated TLS configuration for nifi.nifi.apache.org 1 in
../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn
specified, not generating any client certificates.
2017/08/09 18:58:46 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit
standalone completed successfully
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT
(pr2042) alopresto
π 186980s @ 18:58:55 $ cd nifi.nifi.apache.org/
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
(pr2042) alopresto
π 186988s @ 18:59:03 $ keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Aug 9, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9dd8f3900000000
Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
Certificate fingerprints:
MD5: E4:E8:C4:19:C1:06:86:17:C8:E5:13:F6:6F:54:0F:AE
SHA1: 92:6B:FD:9D:89:55:A5:48:AD:31:A3:FD:A3:A6:6C:A5:C4:A8:31:0E
SHA256:
54:8D:30:D2:ED:9A:B0:AE:8C:37:40:9F:2F:80:2D:4A:DC:5D:14:2E:15:57:4C:71:CF:77:D6:F0:3F:92:6D:04
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifi.nifi.apache.org
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D9 18 43 B3 38 24 18 89 E6 1B 62 D7 AB 35 C5 14 ..C.8$....b..5..
0010: 88 E9 19 E3 ....
]
]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9dd8d4c00000000
Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
Certificate fingerprints:
MD5: A1:9E:4A:7C:65:F1:B7:E9:8F:4D:D0:18:74:E8:AA:2E
SHA1: CD:31:8B:74:85:C7:21:4A:DB:F6:58:34:69:B7:19:6C:3B:9E:CE:00
SHA256:
A9:AB:C5:73:9D:B3:ED:C3:D5:79:BD:4B:E0:14:1D:0F:DC:68:41:BC:09:70:5B:2D:BD:E0:AB:49:55:14:79:3B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
Key_CertSign
Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
*******************************************
*******************************************
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
(pr2042) alopresto
π 186999s @ 18:59:14 $
```
Additional SAN:
```
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT
(pr2042) alopresto
π 187123s @ 19:01:18 $ ./bin/tls-toolkit.sh standalone -n
'nifi.nifi.apache.org' -P password -S password -f
../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties
-O --subjectAlternativeNames '127.0.0.1,localhost'
2017/08/09 19:01:43 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine: Using
../../../../../nifi-assembly/target/nifi-1.4.0-SNAPSHOT-bin/nifi-1.4.0-SNAPSHOT/conf/nifi.properties
as template.
2017/08/09 19:01:43 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Running standalone
certificate generation with output directory ../nifi-toolkit-1.4.0-SNAPSHOT
2017/08/09 19:01:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Using existing CA
certificate ../nifi-toolkit-1.4.0-SNAPSHOT/nifi-cert.pem and key
../nifi-toolkit-1.4.0-SNAPSHOT/nifi-key.key
2017/08/09 19:01:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Overwriting any
existing ssl configuration in
../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 19:01:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: Successfully
generated TLS configuration for nifi.nifi.apache.org 1 in
../nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
2017/08/09 19:01:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: No clientCertDn
specified, not generating any client certificates.
2017/08/09 19:01:44 INFO [main]
org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone: tls-toolkit
standalone completed successfully
hw12203:...assembly/target/nifi-toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT
(pr2042) alopresto
π 187150s @ 19:01:45 $ cd nifi.nifi.apache.org/
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
(pr2042) alopresto
π 187156s @ 19:01:51 $ keytool -list -v -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Aug 9, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=nifi.nifi.apache.org, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9e0465100000000
Valid from: Wed Aug 09 19:01:44 PDT 2017 until: Sat Aug 08 19:01:44 PDT 2020
Certificate fingerprints:
MD5: AA:D1:5F:CC:BA:BE:ED:4D:5E:08:DB:2E:6D:E6:95:57
SHA1: F3:8B:A5:41:28:69:8F:0C:91:08:70:EB:F6:BE:B1:58:EE:F4:7B:8D
SHA256:
B1:78:8C:05:11:F1:A8:BD:A7:33:EA:8D:9C:B2:FC:A2:C2:94:7D:30:48:77:0A:05:0F:CB:C1:FD:5D:A2:94:66
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
]
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nifi.nifi.apache.org
DNSName: 127.0.0.1
DNSName: localhost
]
#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 8F 4B 1A 98 92 C5 17 70 B7 C8 F6 9D 5D D3 66 4C .K.....p....].fL
0010: 8F F9 3C 19 ..<.
]
]
Certificate[2]:
Owner: CN=localhost, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 15dc9dd8d4c00000000
Valid from: Wed Aug 09 18:58:46 PDT 2017 until: Sat Aug 08 18:58:46 PDT 2020
Certificate fingerprints:
MD5: A1:9E:4A:7C:65:F1:B7:E9:8F:4D:D0:18:74:E8:AA:2E
SHA1: CD:31:8B:74:85:C7:21:4A:DB:F6:58:34:69:B7:19:6C:3B:9E:CE:00
SHA256:
A9:AB:C5:73:9D:B3:ED:C3:D5:79:BD:4B:E0:14:1D:0F:DC:68:41:BC:09:70:5B:2D:BD:E0:AB:49:55:14:79:3B
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
Data_Encipherment
Key_Agreement
Key_CertSign
Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 65 AB 68 5A 0A CB 59 A2 B9 0B 9E 36 2D 60 47 ke.hZ..Y....6-`G
0010: 21 08 08 25 !..%
]
]
*******************************************
*******************************************
hw12203:...toolkit-1.4.0-SNAPSHOT-bin/nifi-toolkit-1.4.0-SNAPSHOT/nifi.nifi.apache.org
(pr2042) alopresto
π 187163s @ 19:01:57 $
```
> TLS Toolkit should provide SAN by default
> -----------------------------------------
>
> Key: NIFI-4222
> URL: https://issues.apache.org/jira/browse/NIFI-4222
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Tools and Build
> Affects Versions: 1.3.0
> Reporter: Andy LoPresto
> Assignee: Pierre Villard
> Labels: security, tls, tls-toolkit
>
> As of Chrome 58, the browser will only use the *SubjectAlternativeName*
> entries to determine hostname verification, rather than the *CN*. This is
> specified in RFC 6215 [1]: TLS hostname verification must attempt to use the
> SAN entries first and may only use the CN entry if no SAN entries are
> available.
> Chrome takes this a step further [2]:
> {quote}
> During Transport Layer Security (TLS) connections, Chrome browser checks to
> make sure the connection to the site is using a valid, trusted server
> certificate.
> For Chrome 58 and later, only the subjectAlternativeName extension, not
> commonName, is used to match the domain name and site certificate. The
> certificate subject alternative name can be a domain name or IP address. If
> the certificate doesn't have the correct subjectAlternativeName extension,
> users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that
> the connection isn't private. If the certificate is missing a
> subjectAlternativeName extension, users see a warning in the Security panel
> in Chrome DevTools that lets them know the subject alternative name is
> missing.
> {quote}
> As this will cause issues for users who do not manually provide a SAN when
> generating their certificates using the TLS Toolkit, the toolkit should be
> modified to automatically include the provided CN as a SAN entry, in addition
> to any manually-provided SAN entries.
> [1] https://tools.ietf.org/html/rfc6125#section-6.4.4
> [2] https://support.google.com/chrome/a/answer/7391219?hl=en
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
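The hostname-verification rule the issue describes (SAN entries first, CN only as a legacy fallback when no SAN is present) and the two keytool listings in the comment above, as an added example that is not part of NiFi or the TLS Toolkit. The matcher below is a plain-Python implementation of the RFC 6125 / RFC 5280 rules written for this page; the certificate inputs are constructed by hand from the name fields shown in the keytool output, not parsed from the real keystores. It also shows the caveat a practitioner would check: the `--subjectAlternativeNames '127.0.0.1,localhost'` run produced `DNSName: 127.0.0.1`, but RFC 5280 carries IP addresses in the `iPAddress` GeneralName, so a verifier that follows the RFC will not match a connection to `https://127.0.0.1` against that DNSName entry. The `fallback_to_cn` flag is an assumption of this example, used to contrast pre-58 and post-58 Chrome behaviour.

```python
"""RFC 6125-style hostname verification over a certificate's names.

Added example; not NiFi or TLS Toolkit code. Certificates are modelled as
plain objects holding only the CN and SAN entries (constructed from the
keytool listings in the comment above); no ASN.1 parsing happens here.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CertNames:
    """The identity-bearing fields of an end-entity certificate."""
    common_name: str
    dns_names: List[str] = field(default_factory=list)     # SAN dNSName entries
    ip_addresses: List[str] = field(default_factory=list)  # SAN iPAddress entries


def dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName (optionally wildcarded) against a host name.

    RFC 6125 6.4.3: a wildcard must be the entire left-most label and
    matches exactly one label, so '*.example.org' matches 'a.example.org'
    but neither 'example.org' nor 'a.b.example.org'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]


def verify_hostname(cert: CertNames, host: str, fallback_to_cn: bool) -> Tuple[bool, str]:
    """Return (matched, reason) for connecting to `host` with `cert`.

    Rules implemented:
      * an IP-literal host is matched only against SAN iPAddress entries
        (a dNSName whose text happens to be '127.0.0.1' does not count);
      * a DNS host is matched against SAN dNSName entries;
      * the CN is consulted only when the certificate has no SAN at all and
        the verifier still allows that fallback (Chrome 58+ does not).
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    has_san = bool(cert.dns_names or cert.ip_addresses)

    if ip is not None:
        for entry in cert.ip_addresses:
            if ipaddress.ip_address(entry) == ip:
                return True, f"matched SAN iPAddress {entry}"
        # No CN fallback for IP literals in this implementation.
        return False, f"no SAN iPAddress entry for {host}"

    for name in cert.dns_names:
        if dns_match(name, host):
            return True, f"matched SAN dNSName {name}"

    if has_san:
        return False, f"SAN present but no entry matches {host}"
    if fallback_to_cn and dns_match(cert.common_name, host):
        return True, "no SAN; matched CN (legacy fallback)"
    return False, "no SAN; CN fallback " + ("failed" if fallback_to_cn else "disabled")


# Constructed inputs, taken from the name fields of the keytool output above.
# Shape the issue describes before the change: CN only, no SAN extension.
CERT_CN_ONLY = CertNames("nifi.nifi.apache.org")
# First run in the comment (no SAN arguments): CN is copied into the SAN.
CERT_DEFAULT_SAN = CertNames("nifi.nifi.apache.org",
                             dns_names=["nifi.nifi.apache.org"])
# Second run (--subjectAlternativeNames '127.0.0.1,localhost'): note that the
# IP address was emitted as a DNSName, not an iPAddress.
CERT_EXTRA_SAN = CertNames("nifi.nifi.apache.org",
                           dns_names=["nifi.nifi.apache.org", "127.0.0.1", "localhost"])


def chrome58_results() -> dict:
    """Outcome of each constructed certificate under SAN-only matching."""
    return {
        "cn_only/nifi.nifi.apache.org": verify_hostname(CERT_CN_ONLY, "nifi.nifi.apache.org", False)[0],
        "default_san/nifi.nifi.apache.org": verify_hostname(CERT_DEFAULT_SAN, "nifi.nifi.apache.org", False)[0],
        "extra_san/localhost": verify_hostname(CERT_EXTRA_SAN, "localhost", False)[0],
        "extra_san/127.0.0.1": verify_hostname(CERT_EXTRA_SAN, "127.0.0.1", False)[0],
    }


if __name__ == "__main__":
    for key, ok in chrome58_results().items():
        print(f"{key:40s} {'OK' if ok else 'FAIL'}")
    print(verify_hostname(CERT_CN_ONLY, "nifi.nifi.apache.org", True))
```

Running the block prints the four outcomes: the CN-only certificate fails under SAN-only matching but passes with the legacy CN fallback, the default-SAN certificate from the first run passes, `localhost` matches in the second run, and `127.0.0.1` does not, because it was recorded as a DNSName rather than an iPAddress entry.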