https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-force-TLS1-1-for-HandleHTTPRequest-with-NiFi-1-4/m-p/218132#M69454 <P>Thanks Andy for your very complete answer !</P><P>I read that Jetty improved recently the security with TLS 1.2 only (very good !) but I hoped it was possible to force a weak protocol (bad but sometime, it's necessary...).</P><P>As you told me, my only choice is the installation of a proxy like HAProxy or Squid !</P> Thu, 12 Oct 2017 02:50:36 GMT marsip 2017-10-12T02:50:36Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-force-TLS1-1-for-HandleHTTPRequest-with-NiFi-1-4/m-p/218130#M69452 <P>Hello everyone,</P><P>I'm using NiFi 1.4 and I'm trying to accept Protocol TLS1.1 for the HandleHTTPRequest processor (thanks to StandardSSLContextService) but only TLS 1.2 is accepted.</P><P>How to force the protocol TLS 1.1 ? I already try something like "java.arg.16=-Ddeployment.security.TLSv1.1=true" in the <A href="http://bootstrap.conf">bootstrap.conf</A> but nothing changed.</P><P>Have you an idea ?!</P><P>Thanks for your help.</P><P>Laurent<BR /><IMG alt=":)" src="https://ip1.i.lithium.com/150b18cbf3021a936808a9d9b8110d351922f3c8/68747470733a2f2f64756a72737273677364336e682e636c6f756466726f6e742e6e65742f696d672f656d6f7469636f6e732f736d696c654032782e706e67" /></P> Wed, 11 Oct 2017 21:50:12 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-force-TLS1-1-for-HandleHTTPRequest-with-NiFi-1-4/m-p/218130#M69452 marsip 2017-10-11T21:50:12Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-force-TLS1-1-for-HandleHTTPRequest-with-NiFi-1-4/m-p/218131#M69453 <P>Hi Laurent,</P><P>Apache NiFi 1.4.0 uses Jetty 9.4.2 to provide the underlying web server, and Jetty after versions 9.4.0 only supports TLS v1.2 for incoming connections. I would recommend using a proxy with TLS termination which accepts incoming TLS v1.1 connections and re-establishing a connection to your NiFi service which uses TLS v1.2. </P><P>* Ticket - NIFI-3361 Upgrade Jetty <A href="https://issues.apache.org/jira/browse/NIFI-3361" target="_blank">https://issues.apache.org/jira/browse/NIFI-3361</A></P><P>* Ticket - NIFI-3720 Update documentation for TLS protocol version changes <A href="https://issues.apache.org/jira/browse/NIFI-3720" target="_blank">https://issues.apache.org/jira/browse/NIFI-3720</A></P><P>* Jetty Documentation TLS and SSL Versions <A href="https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#tls-and-ssl-versions" target="_blank">https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#tls-and-ssl-versions</A></P><P>* Apache NiFi Release Notes for 1.2.0 noting TLS protocol version changes <A href="https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.2.0" target="_blank">https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.2.0</A></P><P>* Apache NiFi Migration Guidance for 1.1.0 -&gt; 1.2.0 noting the change <A href="https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance" target="_blank">https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance</A></P><P>The actual announcement that Jetty changed the protocol versions supported is buried in their release notes somewhere. </P> Wed, 11 Oct 2017 23:57:42 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-force-TLS1-1-for-HandleHTTPRequest-with-NiFi-1-4/m-p/218131#M69453 alopresto 2017-10-11T23:57:42Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-force-TLS1-1-for-HandleHTTPRequest-with-NiFi-1-4/m-p/218132#M69454 <P>Thanks Andy for your very complete answer !</P><P>I read that Jetty improved recently the security with TLS 1.2 only (very good !) but I hoped it was possible to force a weak protocol (bad but sometime, it's necessary...).</P><P>As you told me, my only choice is the installation of a proxy like HAProxy or Squid !</P> Thu, 12 Oct 2017 02:50:36 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-force-TLS1-1-for-HandleHTTPRequest-with-NiFi-1-4/m-p/218132#M69454 marsip 2017-10-12T02:50:36Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-force-TLS1-1-for-HandleHTTPRequest-with-NiFi-1-4/m-p/218133#M69455 <P>Laurent, feel free to contact me directly at alopresto@apache.org for further discussion. </P> Thu, 12 Oct 2017 04:54:10 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-force-TLS1-1-for-HandleHTTPRequest-with-NiFi-1-4/m-p/218133#M69455 alopresto 2017-10-12T04:54:10Z