Created 02-10-2017 04:37 PM
I am running NiFi in an environment where TLS 1.0 is the only protocol accepted for HTTPS.
How can I allow NiFi 1.1.1 to run using TLS 1.0 instead of TLS 1.1 or TLS 1.2?
NiFi 0.6.1 works fine with TLS 1.0; it's only when I go to NiFi 1.1.1 that the UI won't load.
I assume they disabled TLS 1.0 by default in 1.1.1
Thank you!
Created 02-14-2017 09:48 AM
Hi @John T,
Sorry for the delay.. That 70-80% of attacks occur internally is pretty much the consensus of every security report out there. Allowing specific access to users is more an authorization/authentication thing than a TLS thing. Anyway.. I digress.
A possible workaround for this issue may require you to investigate removing that hard requirement of TLS in the Jetty server. I say this may be a possible fix, as I haven't tried it, nor do I recommend downgrading security under any circumstance. Unfortunately, sometimes my recommendations fall on deaf ears.
Code associated with the restriction can be found here:
Again, I would strongly recommend you not go down this path. All modern day operating systems support TLSv1.2 and if the OS you are using doesn't, get them to fix it. It's negligent and they've had almost 9 years to fix it.
Created 02-10-2017 05:13 PM
I would expect NiFi 1.1.1 to work with TLS 1.0.
When you say the UI won't load, is your browser making it to the NiFi page and then you get access denied? or is the browser failing to make the connection all together?
Created 02-10-2017 05:49 PM
Thanks for the help!
The browser fails to make the connection altogether. I can't get our NiFi instance to agree on an HTTPS connection at all.
Here's what I get in firefox:
Secure Connection Failed The connection to appprodu1.corp.tsl:9999 was interrupted while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
Created 02-10-2017 06:23 PM
Is it possible that Firefox isn't letting you connect to certain versions of TLS?
I was looking at this:
Created 02-10-2017 07:29 PM
Thanks for the Firefox page, but we can't change any browser settings.
But we can change anything about our NiFi instance. Is there anything in the bootstrap.conf file we can add to allow TLS 1.0?
ON A SEPARATE NETWORK and Browser:
We disabled TLS 1.1 and 1.2 using the bootstrap.conf and java-security.properties file on our 1.1.1 instance and we lost access to the UI. When we unblock TLS 1.1 and TLS 1.2 the UI becomes available again.
Any idea for how to enable TLS 1.0 on NiFi 1.1.1?
Thanks again!
Created 02-10-2017 08:36 PM
I think the best thing to do would be to turn on SSL debug in NiFi... in bootstrap.conf add:
java.arg.15=-Djavax.net.debug=all:handshake:verbose
Then restart NiFi and try to access the UI and grab the output from nifi-bootstrap.log and we should be able to see what is happening during the handshake.
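A small triage script for the two artifacts this thread keeps coming back to: the JVM's `jdk.tls.disabledAlgorithms` line in `java.security` (assumed here to be what the earlier post calls the "java-security.properties" file) and the JSSE handshake trace you get from `-Djavax.net.debug=ssl:handshake`. This is an added example and not NiFi or Jetty code; the `java.security` excerpt and the log lines are constructed for the example, and the exact wording of JSSE trace lines (in particular the "Client requested protocol ... not enabled" message) varies between JDK releases, so treat the regexes as a starting point rather than a spec.

```python
"""Triage helper for a TLS protocol-version mismatch between a browser and NiFi.

Added example (not NiFi/Jetty code). Two independent checks:
  1. parse_disabled_algorithms(): read the jdk.tls.disabledAlgorithms line
     from a java.security file and report which TLS versions the JVM still
     allows.
  2. triage_handshake_log(): scan JSSE debug output (-Djavax.net.debug=ssl:handshake)
     for the version the client offered, what the server answered, and any
     fatal alert.
explain() combines both so you can tell whether the JVM setting alone
accounts for the failure or the restriction lives in the server (Jetty) config.
Sample inputs below are constructed; JSSE wording differs across JDK releases.
"""
import re

ALL_TLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
VERSION = r"(SSLv3|TLSv1(?:\.\d)?)"

# Constructed excerpt in java.security format (note the backslash continuation).
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt, not a real JDK file
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224
"""

# Constructed JSSE trace: client offers TLSv1, server answers with a fatal alert.
SAMPLE_FAILED_HANDSHAKE = """\
NiFi Web Server-20, READ: TLSv1 Handshake, length = 171
*** ClientHello, TLSv1
RandomCookie:  GMT: 1486758000 bytes = { 12, 34, 56 }
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]
NiFi Web Server-20, fatal error: 40: Client requested protocol TLSv1 not enabled or not supported
NiFi Web Server-20, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
NiFi Web Server-20, WRITE: TLSv1.2 Alert, length = 2
"""

# Constructed JSSE trace of a handshake that completes at TLSv1.2.
SAMPLE_GOOD_HANDSHAKE = """\
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Finished
"""


def parse_disabled_algorithms(java_security_text):
    """Return (disabled_set, enabled_tuple) of TLS protocol versions.

    Joins backslash-continued lines first, as the JDK's property loader does.
    """
    joined = java_security_text.replace("\\\n", "")
    m = re.search(r"^\s*jdk\.tls\.disabledAlgorithms\s*=\s*(.*)$", joined, re.M)
    if not m:
        return set(), ALL_TLS
    items = {item.strip() for item in m.group(1).split(",") if item.strip()}
    disabled = {p for p in ALL_TLS if p in items}
    enabled = tuple(p for p in ALL_TLS if p not in disabled)
    return disabled, enabled


def triage_handshake_log(log_text):
    """Extract ClientHello/ServerHello versions and any fatal alert from a JSSE trace."""
    client = re.search(r"\*\*\* ClientHello, " + VERSION, log_text)
    server = re.search(r"\*\*\* ServerHello, " + VERSION, log_text)
    alert = re.search(r"ALERT:\s+fatal, description = (\w+)", log_text)
    reason = re.search(r"fatal error: \d+: (.+)$", log_text, re.M)
    result = {
        "client_hello": client.group(1) if client else None,
        "server_hello": server.group(1) if server else None,
        "fatal_alert": alert.group(1) if alert else None,
        "reason": reason.group(1).strip() if reason else None,
    }
    if result["server_hello"]:
        result["verdict"] = "handshake negotiated %s" % result["server_hello"]
    elif result["client_hello"] and result["fatal_alert"]:
        result["verdict"] = "server refused ClientHello offering %s with %s alert" % (
            result["client_hello"], result["fatal_alert"])
    elif result["client_hello"]:
        result["verdict"] = "ClientHello seen but no ServerHello or alert; connection dropped"
    else:
        result["verdict"] = "no handshake in log; check the client reached the port at all"
    return result


def explain(java_security_text, log_text):
    """Say whether the JVM's disabled list alone explains a failed handshake."""
    disabled, enabled = parse_disabled_algorithms(java_security_text)
    r = triage_handshake_log(log_text)
    offered = r["client_hello"]
    if offered and offered in disabled:
        return "client offered %s, which java.security disables; JVM allows: %s" % (
            offered, ", ".join(enabled))
    if offered and r["server_hello"] is None:
        return ("client offered %s, allowed by java.security; the restriction must come "
                "from the server's own protocol settings (e.g. Jetty include/exclude lists)"
                % offered)
    return r["verdict"]


if __name__ == "__main__":
    print(explain(SAMPLE_JAVA_SECURITY, SAMPLE_FAILED_HANDSHAKE))
    print(triage_handshake_log(SAMPLE_GOOD_HANDSHAKE)["verdict"])
```

To use it on a real instance, paste the `jdk.tls.disabledAlgorithms` block from `$JAVA_HOME/jre/lib/security/java.security` and the handshake section of `nifi-bootstrap.log` in place of the constructed samples. Two outcomes are worth distinguishing: if the offered version is in the JVM's disabled list, the fix (if you insist on one) is in `java.security`; if the JVM allows it and the server still refuses, the protocol list is being set by the web server itself, which is the Jetty restriction the other replies describe.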
Created 02-12-2017 11:16 AM
Not sure why anyone would want to enable such an extremely old protocol with very weak ciphers. TLSv1.0 was defined in Jan 1999, with updates v1.1 in Apr 2006 and v1.2 in Aug 2008. TLSv1.3 is currently (2016) in draft. Every modern day operating system supports TLSv1.2.. even NIST has strong recommendations that financial services companies do not use anything less than TLSv1.2.
That said.. NiFi itself is not the problem. There is a hard requirement in the Jetty Web Server which states that only strong cipher/protocols be used. By hard requirement, I mean hard coded into the source code.
Is there a reason why you would expose your organisation .. or your customers to security risks?
I would strongly discourage anyone from exposing such risks.
Created 02-12-2017 10:41 PM
Thanks for the history and great warning, but this is on a closed LAN. So there is no data being transmitted across the internet, meaning that a man in the middle or any other entity accessing the data (that is not on our LAN) would be very unlikely.
The only reason for HTTPS is to only allow specific users to access NiFi, and to set permissions on a per user basis.
We do not have a need for the data to be encrypted securely across our LAN.
That being said, do you know of any other work arounds?