Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

ListenTCP using SSLStandard contex giving error , Error reading from channel due to failed to decrypt the data IO exception fail to decrypt the data


HI All,

Thanks a lot to this awesome community.

I have a listenTCP which uses StandardSSLCOntextService to encrypted traffic, however I am getting an error as

Error reading from channel due to failed to decrypt the data IO exception fail to decrypt the data

any suggestions,




Please provide the version of NiFi/HDF you are using, the configuration of the StandardSSLContextService, and the full stacktrace from nifi-app.log. The information above is not enough for us to diagnose this issue.


@Andy LoPresto apologies I should have provided that, got busy in troubleshooting please find below the images,



The only error message I am getting in the nifi-app.log is this

"Error reading from channel due to Failed to decrypt data: Failed to decrypt data"

no stack trace as such,

My nifi cluster is 6 nodes cluster, with https enabled.

any suggestion or help,



@dhieru singh

What version of HDF are you using? Also, what SSL Protocol is your StandardSSLContextService controller service configured to use?


@Wynner appreciate your response.

I read on the community that TLSv1.2 is only supported. We are many leagcy SSL versions.



It depends on a number of factors:

  • Apache NiFi version -- < 1.2.0, NiFi will support all SSL and TLS protocol versions. After 1.2.0, only TLS v1.2 is supported for incoming connections (i.e. REST API, UI, ListenHTTP processor, etc.), while the other protocol versions are supported for outgoing connections (i.e. InvokeHTTP connection to a legacy server).
  • Java Runtime Environment -- Java 8 Update 31 and Java 7 Update 75 both disable support for SSLv2 and SSLv3 protocols. If you are running on a JRE later than this, you need to explicitly enable SSL (against best practices) by modifying the file or using static initialization. Again, this is a very bad idea.

The best solution here is to upgrade the protocol version you are using to TLS v1.2 if possible. If not, introduce a proxy server to perform bidirectional handshakes. NiFi/HDF is not designed to allow legacy SSL protocols due to their demonstrated security vulnerabilities.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.