Why is there no SSL Context Service for the GetSQS Processor?


jcrooke
Hello nice nifi dev folks,

I'm trying to use GetSQS to pull SQS messages from an SQS queue whose URL begins with "https://sqs..."

I get the following error when I run the processor: "Unable to execute HTTP request: Remote host closed connection during handshake"

And I'm having a hard time figuring out where nifi is getting its certificates, or even which certificate it's presenting, if any.

It's a curious thing that the GetSQS processor does NOT let you choose an SSL Context Service, but other AWS-related processors such as "FetchS3Object" do have the "SSL Context Service" property.

I have valid AWS credentials. I can "FetchS3Object" all day long. But this GetSQS processor isn't working at all and I suspect it's because of this missing property.

Does anyone know why it's missing or how I can work around it?

Thanks!

John

Re: Why is there no SSL Context Service for the GetSQS Processor?

Andy LoPresto-2
Hi John,

You’re right, it looks like the absence of an SSL Context Service was an oversight from the initial contributor. If you’re comfortable opening a Jira ticket [1] and documenting this need, we can start working on it. Thanks for bringing this to our attention.

In the meantime, if you need an immediate fix, I would suggest using an ExecuteScript processor using Groovy with the AWS Java SDK (basically copy/paste from the existing GetSQS processor body) (if you need help with the code, let us know).

The certificate issue would likely only be NiFi trusting the certificate presented by the AWS SQS instance; unless you have mutual authentication TLS enabled (which is uncommon in AWS for client connections), NiFi isn’t presenting a certificate for the connection handshake negotiation.

[1] https://issues.apache.org/jira/browse/NIFI/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel 


Andy LoPresto
[hidden email]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Jun 10, 2019, at 11:03 AM, [hidden email] <[hidden email]> wrote:
>
> Hello nice nifi dev folks,
>
> I'm trying to use GetSQS to pull SQS messages from an SQS queue whose URL begins with "https://sqs..."
>
> I get the following error when I run the processor: "Unable to execute HTTP request: Remote host closed connection during handshake"
>
> And I'm having a hard time figuring out where nifi is getting its certificates, or even which certificate it's presenting, if any.
>
> It's a curious thing that the GetSQS processor does NOT let you choose an SSL Context Service, but other AWS-related processors such as "FetchS3Object" do have the "SSL Context Service" property.
>
> I have valid AWS credentials. I can "FetchS3Object" all day long. But this GetSQS processor isn't working at all and I suspect it's because of this missing property.
>
> Does anyone know why it's missing or how I can work around it?
>
> Thanks!
>
> John
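
A stand-alone JDK probe for the handshake discussed in this thread, added here as an example; it is not code from either post or from NiFi. It prints which trust store the JVM falls back to, whether a client key store is configured at all, and what the endpoint presents. The class name `TlsProbe` and the host argument (the host part of your queue URL) are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added diagnostic (hypothetical class name), not NiFi code. Run it with the same JVM
// and the same -Djavax.net.ssl.* options NiFi is started with.
// Usage: java TlsProbe <queue-endpoint-host> [port]
public class TlsProbe {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TlsProbe <host> [port]");
            System.exit(2);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // Trust material: an explicit -Djavax.net.ssl.trustStore wins; otherwise the JVM
        // uses jssecacerts if present, else cacerts, under java.home/lib/security.
        System.out.println("trustStore = " + System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/{jssecacerts|cacerts}"));
        // No key store configured means the client has no certificate to present.
        System.out.println("keyStore   = " + System.getProperty("javax.net.ssl.keyStore", "(none)"));
        System.out.println("protocols  = " + String.join(", ",
                SSLContext.getDefault().getDefaultSSLParameters().getProtocols()));

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // verify hostname like an HTTPS client
            socket.setSSLParameters(params);
            socket.startHandshake(); // throws an SSLException if the handshake fails

            SSLSession session = socket.getSession();
            System.out.println("negotiated = " + session.getProtocol() + " / " + session.getCipherSuite());
            for (Certificate c : session.getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject: " + x.getSubjectX500Principal().getName());
                System.out.println("  issuer : " + x.getIssuerX500Principal().getName());
                System.out.println("  expires: " + x.getNotAfter());
            }
        }
    }
}
```

Running it with `-Djavax.net.debug=ssl:handshake` added to the `java` command prints the full handshake trace, which shows the point at which the remote side closes the connection.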