TLS 1.2 Compatibility

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

TLS 1.2 Compatibility

Tadiosa, Jeffrey O.
Hi Nifi Dev Team - I am Jeff from Accenture. We are using NiFi in one of our project. is NiFi Version 1.5.0.3.1.0.0-564 compatible with TLS 1.2? Are there anything that we should modify when we shift to TLS 1.2?

Best Regards,
Jeffrey Tadiosa ITIL V3
GDN for Technology in the Philippines | CAP Operations - Data Lake
17/F Global One Bldg, Eastwood City Cyberark, Brgy Bagumbayan, Quezon City, Metro Manila, Philippines 1110
Service Now Queue: CAP-OPERATIONS-DATALAKE;
CAP Ops Data Lake Line: +1 5714345000  or +1 6126432466
CAP Ops Data Lake Email: [hidden email]<mailto:[hidden email]>
CAP Ops Data Lake Skype ID: A04985DIRCAPOps


________________________________

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________________________

www.accenture.com
Reply | Threaded
Open this post in threaded view
|

Re: TLS 1.2 Compatibility

Andy LoPresto-2
Hi Jeff, 

Yes, NiFI 1.2.0+ uses (only) TLS v1.2 for any incoming connections. There is backward compatible capability to use TLS v1 and v1.1 for outgoing connections to legacy services. 

From the Migration Notes [1]:

(1.2.0)
Jetty has been upgraded to version 9.4.2.  As a result, TLSv1/1.1 is no longer supported.  Users or clients connecting to NiFi through the UI or API now protected with TLS v1.2.  Any custom code that consumes the NiFi API needs to use TLS v1.2 or later.

(1.4.0)
A restricted implementation of the SSLContextService has been added, StandardRestrictedSSLContextService. It provides the ability to configure keystore and/or truststore properties once and reuse that configuration throughout the application, but only allows a restricted ("modern") set of TLS/SSL protocols to be chosen (as of 1.4.0, no SSL protocols are supported, only TLS v1.2). The set of protocols selectable will evolve over time as new protocols emerge and older protocols are deprecated. The generic "TLS" entry is also supported and will automatically select the best available option without user intervention (this is the recommended setting). This service is recommended over StandardSSLContextService if a component doesn't expect to communicate with legacy systems since it is unlikely that legacy systems will support these protocols. 

The following Listen* processors now require a StandardRestrictedSSLContextService (previously requiring StandardSSLContextService): ListenBeats, ListenHTTP, ListenLumberjack, ListenRELP, ListenSMTP, ListenSyslog, ListenTCP, ListenTCPRecord
ListenGRPC is a new processor for 1.4.0, and requires StandardRestrictedSSLContextService
Dataflow managers will need to instantiate a new instance of StandardRestrictedSSLContextService and associate it with any of the above components in an existing flow

(1.7.1)
Hostname validation has become more strict in 1.7.1. In previous versions, NiFi supported certificates which did not contain a Subject Alternative Name (SAN) field matching the node hostname. In following with RFC 6125, all certificates should include an entry in the SAN array which matches the node hostname for hostname verification. 

For clarification, all Apache NiFi versions have only 3 numbers (0.7.4, 1.7.1, etc.). A version with additional numbers following that version is likely provided by a specific vendor and questions about compatibility and features should be directed to that vendor. 


Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Sep 24, 2018, at 4:31 AM, Tadiosa, Jeffrey O. <[hidden email]> wrote:

Hi Nifi Dev Team - I am Jeff from Accenture. We are using NiFi in one of our project. is NiFi Version 1.5.0.3.1.0.0-564 compatible with TLS 1.2? Are there anything that we should modify when we shift to TLS 1.2?

Best Regards,
Jeffrey Tadiosa ITIL V3
GDN for Technology in the Philippines | CAP Operations - Data Lake
17/F Global One Bldg, Eastwood City Cyberark, Brgy Bagumbayan, Quezon City, Metro Manila, Philippines 1110
Service Now Queue: CAP-OPERATIONS-DATALAKE;
CAP Ops Data Lake Line: +1 5714345000  or +1 6126432466
CAP Ops Data Lake Email: [hidden email]<[hidden email]>
CAP Ops Data Lake Skype ID: A04985DIRCAPOps


________________________________

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________________________

www.accenture.com


signature.asc (849 bytes) Download Attachment