Andy LoPresto created NIFI-5398:
-----------------------------------
Summary: Identify cluster communication endpoints via combination
of hostname and certificate rather than just certificate DN
Key: NIFI-5398
URL: https://issues.apache.org/jira/browse/NIFI-5398
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Affects Versions: 1.7.0
Reporter: Andy LoPresto

Currently, NiFi cluster communications have a number of instances where the
remote endpoint is identified by extracting the distinguished name (DN) from
the presented peer certificate (see
[SocketProtocolListener|https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/src/main/java/org/apache/nifi/cluster/protocol/impl/SocketProtocolListener.java#L131]).
Users who try to provide the same wildcard certificate to all cluster nodes
will encounter issues with this approach. These instances should be
investigated and changed to use a combination of the socket connections' remote
hostname and the certificate to validate the unique hostname making the
request.
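
The difference between DN-only identification and the hostname-plus-certificate check proposed above, as an added example that is not NiFi's code. The class and method names, hostnames and DN are hypothetical, and the sketch assumes the subject DN and DNS subject alternative names have already been extracted from the peer certificate and the remote hostname from the socket.

```java
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class PeerIdentityExample {
    // A certificate name matches a host exactly, or via "*" standing for the whole left-most label.
    static boolean nameMatches(String certName, String host) {
        String pattern = certName.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) {
            return pattern.equals(h);
        }
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(pattern.substring(1));
    }

    // Identity is the socket's remote hostname, accepted only if the certificate covers it.
    static String identify(String remoteHost, String subjectDn, List<String> dnsSans)
            throws InvalidNameException {
        for (String san : dnsSans) {
            if (nameMatches(san, remoteHost)) return remoteHost;
        }
        if (dnsSans.isEmpty()) { // fall back to the CN only when the certificate has no DNS SANs
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())
                        && nameMatches(rdn.getValue().toString(), remoteHost)) return remoteHost;
            }
        }
        throw new SecurityException("certificate does not cover host " + remoteHost);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample: one wildcard certificate shared by every cluster node.
        String dn = "CN=*.nifi.example.com, OU=NiFi";
        List<String> sans = List.of("*.nifi.example.com");
        for (String host : List.of("node1.nifi.example.com", "node2.nifi.example.com")) {
            // The DN is identical for both nodes; the combined identity is not.
            System.out.println("DN-only: " + dn + " | host+cert: " + identify(host, dn, sans));
        }
        try {
            identify("node1.other.example.net", dn, sans);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The resulting identity is only as trustworthy as the way the remote hostname was resolved for the socket.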