Nifi SSL TLS question

New Contributor

When we enabled HTTPS with NiFi using certificates, do we know if NiFi is using SSL or TLS, and what version of SSL or TLS is being used? Is there a way to dictate TLS 1.2 for NiFi to use?

ACCEPTED SOLUTION

Re: Nifi SSL TLS question

Super Mentor

@Love-Nifi 

What is your NiFi version? From the NiFi 1.2.0 release it should default to TLS 1.2, as per
https://issues.apache.org/jira/browse/NIFI-3720
Snippet from JIRA:


Users/client connecting to NiFi through the UI or API now protected with TLS v1.2. TLSv1/1.1 are no longer supported.

https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.2.0

Snippet from the Doc:


Security
Users/client connecting to NiFi through the UI or API now protected with TLS v1.2 due to upgrade to Jetty version 9.4.2


So if you are using HDF then please check the NiFi version. For example, HDF 3.0 (NiFi 1.2.0) will allow TLS 1.2 for all incoming connections. Other TLS versions will still be used for outgoing connections.

In general, one option to disable all TLS protocols except TLSv1.2 is to edit the "$JAVA_HOME/jre/lib/security/java.security" file (here JAVA_HOME is the one used by the NiFi process) and change the "jdk.tls.disabledAlgorithms" property value to something like the following, as mentioned in https://java.com/en/configure_crypto.html

Example:


jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, SSLv2Hello, TLSv1, TLSv1.1


You can further validate your NiFi by using the following OpenSSL commands to attempt to connect to it with different options:


# openssl s_client -connect <NiFIhostname>:<port>
# openssl s_client -connect <NiFIhostname>:<port> -tls1_2
# openssl s_client -connect <NiFIhostname>:<port> -tls1
# openssl s_client -connect <NiFIhostname>:<port> -ssl3
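Two checks a defender can run against the guidance above, written as an added example (not from this thread or from the NiFi project): one parses the JVM's java.security for the legacy protocols listed in jdk.tls.disabledAlgorithms (including the backslash line continuation the real file uses), the other pins a client handshake to one TLS version at a time, which is what the openssl commands above do by hand. The java.security text and any hostname or port you pass in are constructed placeholders.

```python
import re
import socket
import ssl

# Legacy protocol names a hardened JVM should list in jdk.tls.disabledAlgorithms.
LEGACY = ("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1")

# Constructed java.security fragment (not from a real host), using the
# backslash line continuation that the real file relies on.
SAMPLE = """# constructed java.security fragment
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    SSLv2Hello, TLSv1, TLSv1.1
"""

def disabled_protocols(java_security_text):
    """Return the legacy protocol names that jdk.tls.disabledAlgorithms disables."""
    folded = re.sub(r"\\\n\s*", "", java_security_text)  # join continued lines
    for line in folded.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "jdk.tls.disabledAlgorithms":
            entries = {e.strip() for e in value.split(",")}
            return {p for p in LEGACY if p in entries}
    return set()  # property absent: nothing is disabled by it

def still_negotiable(java_security_text):
    """Legacy protocols the JVM would still accept; an empty set is the goal."""
    return set(LEGACY) - disabled_protocols(java_security_text)

def probe_versions(host, port, timeout=5.0):
    """One handshake per TLS version, each pinned to that version only.
    Returns {version: accepted}. Certificate checks are off on purpose:
    this measures protocol negotiation, not trust."""
    results = {}
    for name, ver in (("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                      ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
            ctx.minimum_version = ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError, ValueError):  # refused, alert, or unsupported locally
            results[name] = False
    return results
```

Run `still_negotiable(open(path_to_java_security).read())` against the JVM NiFi actually starts with, and `probe_versions("your-nifi-host", 9443)` against the HTTPS port; a hardened node reports only TLSv1.2 (and TLSv1.3 where the stack supports it) as accepted.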

Re: Nifi SSL TLS question

Master Guru

@Love-Nifi

Just wanted to add that, as @jsensharma mentioned, NiFi will enforce TLS 1.2 as of Apache NiFi release version 1.2.0, but only for all inbound connections to NiFi. NiFi can still support negotiating a lower TLS version when making outbound connections in order to support older destination systems. Those processors would use an SSLContextService, which can be configured to restrict what TLS version is used/allowed.
