2016-10-11 48 views
1

I am using NiFi, and I started configuring it for HTTPS in order to enable users. NiFi does not work: the Jetty web server fails, saying there is no cipher. Not sure how to debug this, any hints? I have tested the same certificates on my computer and they work fine. Any help is appreciated.

Nifi secure connection no cipher

Update

Hmm... I enabled SSL logging. The biggest difference concerns the Java environment: on the production server it is java-1.8.0-openjdk, on my local machine it is java-8-oracle. There are still some important differences between the logs.

For reference on the SSL negotiation, see this post about how the protocol works and the sessions involved.

The most notable difference is

there is no *** ECDH ServerKeyExchange session on the production host.

Starting from the client hello, the logs are not very different between the two machines:

Local (I truncated lines that were too long and reported only a few log sessions)

*** ClientHello, TLSv1.2 
RandomCookie: GMT: 2028150611 bytes = { 31, 20, 137, 167, 52, 224, 12, 129, 113, 59, 113, 45, 161, 54, 164, 147, 115, 148 

Session ID: {} 
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_2 
cc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, T 
TH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RS 

Compression Methods: { 0 } 
Extension renegotiation_info, renegotiated_connection: <empty> 
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA2 

Unsupported extension status_request, data: 01:00:00:00:00 
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31 
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed] 
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1} 
*** 
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL] 
%% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL] 
matching alias: 1 
matching alias: 1 
matching alias: 1 
matching alias: 1 
%% Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 
%% Negotiating: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 
*** ServerHello, TLSv1.2 
*** ServerHello, TLSv1.2 
RandomCookie: RandomCookie: GMT: 1459404759 bytes = { GMT: 1459404759 bytes = { 196, 84, 148, 21, 202, 175, 156, 35, 50, 
2 } 
Session ID: {87, 253, 192, 215, 210, 220, 163, 93, 88, 20, 237, 50, 37, 61, 50, 192, 225, 180, 252, 8, 19, 154, 0, 18, 13 

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
Compression Method: 0 
Extension renegotiation_info, renegotiated_connection: <empty> 
*** 
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
*** Certificate chain 
47, 15, 107, 214, 199, 60, 245, 207, 215, 148, 102, 224, 0, 41, 172, 70, 101, 85, 85, 173, 79, 238, 15, 167, 136, 20, 14, 
Session ID: {87, 253, 192, 215, 117, 67, 238, 169, 141, 93, 171, 129, 181, 146, 239, 178, 242, 31, 104, 115, 209, 119, 20 

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
Compression Method: 0 
Extension renegotiation_info, renegotiated_connection: <empty> 
*** 
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
*** Certificate chain 
chain [0] = [ 
[ 
    Version: V3 
    Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT 

*** 
*** ECDH ServerKeyExchange 
Signature Algorithm SHA512withRSA 
Server key: Sun EC public key, 256 bits 
    public x coord: 75079925706380992652797512247021193282035431148032843217618352685456618206389 
    public y coord: 43896241059818662260698096293954076915685388487376127769285950062051599700758 
    parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7) 
*** CertificateRequest 
Cert Types: RSA, DSS, ECDSA 
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, 

Cert Authorities: 
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US> 
*** ServerHelloDone 
NiFi Web Server-21, WRITE: TLSv1.2 Handshake, length = 1753 
NiFi Web Server-21, called closeInbound() 
NiFi Web Server-21, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack? 
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? 
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256] 
NiFi Web Server-21, SEND TLSv1.2 ALERT: fatal, description = internal_error 
NiFi Web Server-21, WRITE: TLSv1.2 Alert, length = 2 
*** ECDH ServerKeyExchange 
Signature Algorithm SHA512withRSA 
Server key: Sun EC public key, 256 bits 
    public x coord: 115351230770955196648507742599468345245507684591583302635044967727219906604428 
    public y coord: 93087459299146270258246635135187638789539141095594448725666354447366218509864 
    parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7) 
*** CertificateRequest 
Cert Types: RSA, DSS, ECDSA 
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, 

.... 

On production things are different:

(I truncated lines that were too long and reported only a few log sessions)

*** ClientHello, TLSv1.2 
RandomCookie: GMT: -1695295875 bytes = { 197, 207, 66, 60, 4, 242, 21, 101, 190, 160, 124, 185, 72, 238, 141, 237, 251 

Session ID: {} 
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_12 
ES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES 
CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TL 
H_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA] 
Compression Methods: { 0 } 
Extension renegotiation_info, renegotiated_connection: <empty> 
Extension server_name, server_name: [type=host_name (0), value=nifi-dev.buongiorno.com] 
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, S 

Unsupported extension status_request, data: 01:00:00:00:00 
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31 
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed] 
Extension elliptic_curves, curve names: {unknown curve 29, [email protected], java.security.s 

*** 
%% Initialized: [Session-4, SSL_NULL_WITH_NULL_NULL] 
matching alias: 1 
%% Negotiating: [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384] 
*** ServerHello, TLSv1.2 
RandomCookie: GMT: 1459415539 bytes = { 67, 58, 139, 150, 47, 53, 247, 222, 255, 192, 141, 66, 114, 19, 171, 52, 6, 18 

Session ID: {87, 253, 234, 243, 97, 92, 182, 14, 121, 224, 54, 149, 111, 196, 87, 79, 36, 149, 33, 51, 182, 47, 184, 6 

Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 
Compression Method: 0 
Extension renegotiation_info, renegotiated_connection: <empty> 
Extension server_name, server_name: 
*** 
Cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 
*** Certificate chain 

chain [0] = [ 
[ 
    Version: V3 
    Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT 
    Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 

    Key: Sun RSA public key, 2048 bits 
    : 
    . 

*** CertificateRequest 
Cert Types: RSA, DSS, ECDSA 
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDS 
withECDSA, SHA1withRSA, SHA1withDSA 
Cert Authorities: 
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US> 
*** ServerHelloDone 
NiFi Web Server-16, WRITE: TLSv1.2 Handshake, length = 1428 
NiFi Web Server-21, READ: TLSv1.2 Handshake, length = 7 
*** Certificate chain 
<Empty> 
*** 

Update 2

I asked to have Java 8 installed; now the key exchange works, and at that point my problem will go away.

Answer

1

If you can provide the output of $NIFI_HOME/logs/nifi-app.log and $NIFI_HOME/logs/nifi-bootstrap.log (sanitized if necessary), along with the hardware, OS, JRE, and NiFi version you are using, that will help with the diagnosis. Here are a few common causes:

  • The certificate in the keystore is invalid (expired, not yet valid, chain cannot be verified), so the cipher suites that depend on RSA/DSA key signatures are unavailable, or Jetty skips the cipher. You can check this by adding a new argument to $NIFI_HOME/conf/bootstrap.conf: java.arg.15=-Djavax.net.debug=ssl,handshake (update the argument number so that it does not conflict with an existing one). This adds a large amount of output to the log file, including the truststore configuration and the negotiation of every TLS handshake, including the cipher suites Jetty considers available.
    • There is a minor issue where dynamically generated certificates loaded into a keystore cannot be used to provide TLSv1.1 cipher suites in test cases. See NIFI-1688 PR 624
  • The JRE running NiFi does not provide any cipher suite that the browser accepts. This is uncommon, but JRE 7 makes TLSv1.0 the default, and some browsers (nightly builds, etc.) may restrict TLS to only TLSv1.1 or ... You can verify this by running: $ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>. NiFi 0.x can run on Java 7, but NiFi 1.x requires Java 8+. If you are limited to Java 7, you can explicitly enable these protocols through another Java argument: java.arg.16=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
+0

Thanks for the answer Andy, tomorrow I will try changing bootstrap.conf to log SSL. Understanding what is going on will be very useful. – ozw1z5rd
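The comparison the question does by hand (reading two javax.net.debug=ssl,handshake traces for the negotiated cipher suite, the presence of an ECDH ServerKeyExchange and the client's certificate chain) can be scripted so the same triage is repeatable on the next host. The Python below is an added example and is not code from the question, the answer or the NiFi project. The two log strings are condensed samples constructed after the traces quoted above (not the real log files), and the finding codes are names chosen for this example.

```python
import re

# Constructed samples modelled on the two traces quoted in the question: a
# condensed javax.net.debug=ssl,handshake trace from the local Oracle JDK and
# one from the production OpenJDK host. They are not the real log files.
LOCAL_LOG = """\
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
%% Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
*** CertificateRequest
*** ServerHelloDone
NiFi Web Server-21, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
"""

PROD_LOG = """\
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
%% Negotiating: [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
*** CertificateRequest
*** ServerHelloDone
NiFi Web Server-21, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
"""

# Suites with an ephemeral (EC)DH key exchange; these are the ones that
# produce a ServerKeyExchange message and give forward secrecy.
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")


def parse_handshake(log: str) -> dict:
    """Pull the handshake facts that matter out of a javax.net.debug trace."""
    suites = re.search(r"Cipher Suites: \[([^\]]*)\]", log)        # ClientHello offer
    chosen = re.search(r"^Cipher Suite: (\S+)", log, re.M)         # ServerHello choice
    # An empty chain after the server's CertificateRequest means the client
    # (browser) presented no client certificate at all.
    empty_client_cert = re.search(r"\*\*\* Certificate chain\s*\n<Empty>", log) is not None
    fatal = re.findall(r"fatal error: (\d+): (.*)", log)
    return {
        "client_suites": [s.strip() for s in suites.group(1).split(",")] if suites else [],
        "negotiated": chosen.group(1) if chosen else None,
        "server_key_exchange": "ServerKeyExchange" in log,
        "client_cert_empty": empty_client_cert,
        "fatal_errors": fatal,
    }


def assess(summary: dict) -> list:
    """Turn the parsed facts into finding codes (names chosen for this example)."""
    findings = []
    chosen = summary["negotiated"]
    offered_fs = [s for s in summary["client_suites"] if s.startswith(FORWARD_SECRET_PREFIXES)]
    if chosen and not chosen.startswith(FORWARD_SECRET_PREFIXES):
        # Static RSA key exchange: no forward secrecy, and no ServerKeyExchange
        # message is expected, which is exactly what the production trace shows.
        findings.append("NO_FORWARD_SECRECY")
        if offered_fs:
            # The client offered (EC)DHE suites but the server fell back to static
            # RSA: the server-side JRE could not use them (one common cause is a
            # JRE whose EC provider is missing or disabled) or they were filtered.
            findings.append("ECDHE_OFFERED_NOT_CHOSEN")
    elif chosen and not summary["server_key_exchange"]:
        findings.append("MISSING_SERVER_KEY_EXCHANGE")
    if summary["client_cert_empty"]:
        findings.append("EMPTY_CLIENT_CERT")
    for code, _message in summary["fatal_errors"]:
        findings.append("FATAL_" + code)
    return findings


def compare(reference: str, suspect: str) -> dict:
    """Diff the findings of a known-good trace against a suspect one."""
    ref, sus = assess(parse_handshake(reference)), assess(parse_handshake(suspect))
    return {"only_in_suspect": sorted(set(sus) - set(ref)),
            "only_in_reference": sorted(set(ref) - set(sus))}


if __name__ == "__main__":
    for name, log in (("local", LOCAL_LOG), ("production", PROD_LOG)):
        s = parse_handshake(log)
        print(f"{name}: negotiated={s['negotiated']} findings={assess(s)}")
    print(compare(LOCAL_LOG, PROD_LOG))
```

Run it against the full, untruncated nifi-app.log produced with the -Djavax.net.debug=ssl,handshake argument from the answer; the truncated "Cipher Suites:" lines as pasted in the question would lose part of the offer. On the samples, the local trace reports only the close_notify fatal error, while the production trace reports a static-RSA suite chosen although ECDHE was offered, plus an empty client certificate chain, which matches the two differences the asker found by eye.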