ssl - Nifi安全连接没有密码

标签 ssl hadoop2 apache-nifi bigdata

我正在使用 nifi,我开始为 https 配置它以启用用户。 Nifi 不工作,码头 Web 服务器失败,说没有密码。不知道如何调试这个,有什么提示吗? 相同的证书已经在我的计算机上进行了测试并且可以正常工作。 任何帮助表示赞赏

更新

嗯...我启用了 SSL 日志记录。 最大的区别是Java环境,生产服务器上是java-1.8.0-openjdk,我本地机器上是java-8-oracle。 日志之间仍然存在一些重要差异。

作为 ssl 协商引用,请参阅此 POST,了解该协议(protocol)应该如何工作以及涉及的 session 。

最显着的区别是

生产主机上没有 *** ECDH ServerKeyExchange session 。

从 ClientHello 开始的日志在两台机器上有很大不同:

本地(我截断了太长的行并且只报告了很少的日志 session )

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 2028150611 bytes = { 31, 20, 137, 167, 52, 224, 12, 129, 113, 59, 113, 45, 161, 54, 164, 147, 115, 148

Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_2
cc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, T
TH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RS

Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA2

Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Initialized:  [Session-2, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
matching alias: 1
matching alias: 1
matching alias: 1
%% Negotiating:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
%% Negotiating:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
*** ServerHello, TLSv1.2
RandomCookie:  RandomCookie:  GMT: 1459404759 bytes = { GMT: 1459404759 bytes = { 196, 84, 148, 21, 202, 175, 156, 35, 50,
2 }
Session ID:  {87, 253, 192, 215, 210, 220, 163, 93, 88, 20, 237, 50, 37, 61, 50, 192, 225, 180, 252, 8, 19, 154, 0, 18, 13

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
47, 15, 107, 214, 199, 60, 245, 207, 215, 148, 102, 224, 0, 41, 172, 70, 101, 85, 85, 173, 79, 238, 15, 167, 136, 20, 14, 
Session ID:  {87, 253, 192, 215, 117, 67, 238, 169, 141, 93, 171, 129, 181, 146, 239, 178, 242, 31, 104, 115, 209, 119, 20

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT

***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 75079925706380992652797512247021193282035431148032843217618352685456618206389
  public y coord: 43896241059818662260698096293954076915685388487376127769285950062051599700758
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,

Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-21, WRITE: TLSv1.2 Handshake, length = 1753
NiFi Web Server-21, called closeInbound()
NiFi Web Server-21, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
NiFi Web Server-21, SEND TLSv1.2 ALERT:  fatal, description = internal_error
NiFi Web Server-21, WRITE: TLSv1.2 Alert, length = 2
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 115351230770955196648507742599468345245507684591583302635044967727219906604428
  public y coord: 93087459299146270258246635135187638789539141095594448725666354447366218509864
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,

....

生产上的东西是不同的:

(我截断了太长的行,只报告了很少的日志 session )

*** ClientHello, TLSv1.2
RandomCookie:  GMT: -1695295875 bytes = { 197, 207, 66, 60, 4, 242, 21, 101, 190, 160, 124, 185, 72, 238, 141, 237, 251

Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_12
ES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES
CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TL
H_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=nifi-dev.buongiorno.com]
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, S

Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, java.security.spec.ECParameterSpec@7862cc21, java.security.s

***
%% Initialized:  [Session-4, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
%% Negotiating:  [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1459415539 bytes = { 67, 58, 139, 150, 47, 53, 247, 222, 255, 192, 141, 66, 114, 19, 171, 52, 6, 18

Session ID:  {87, 253, 234, 243, 97, 92, 182, 14, 121, 224, 54, 149, 111, 196, 87, 79, 36, 149, 33, 51, 182, 47, 184, 6

Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: 
***
Cipher suite:  TLS_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain

chain [0] = [
[
  Version: V3
  Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  :
  . 

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDS
withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-16, WRITE: TLSv1.2 Handshake, length = 1428
NiFi Web Server-21, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***

更新 2

我要求安装 Java 8,现在 keyexchange 可以工作了,此时我的问题将消失。

最佳答案

如果您可以提供 $NIFI_HOME/logs/nifi-app.log 的输出(如有必要,经过 sanitizer )和 $NIFI_HOME/logs/nifi-bootstrap.log ,以及您正在使用的硬件、操作系统、JRE 和 NiFi 版本,这将有助于诊断。以下是几个常见原因:

  • keystore 中的证书无效(已过期、尚未生效、无法验证链),因此 Jetty 会跳过依赖 RSA/DSA key 进行签名或加密的可用密码套件。您可以通过在 $NIFI_HOME/conf/bootstrap.conf 中添加一个新参数来检查这一点: java.arg.15=-Djavax.net.debug=ssl,handshake (更新参数编号以确保它不与现有参数冲突)。这将向您的日志文件添加大量输出,涵盖信任库配置和每次 TLS 握手协商,包括 Jetty 认为哪些密码套件可用。
    • 存在一个小问题,加载到 keystore 中的动态生成的证书无法用于提供 TLSv1.1测试用例中的密码套件。参见 NIFI-1688 PR 624
  • 运行 NiFi 的 JRE 不会提供浏览器可以接受的任何密码套件。这不太常见,但 JRE 7 使 TLSv1.0默认情况下,某些浏览器(夜间构建等)可能会将 TLS 限制为 TLSv1.1TLSv1.2仅有的。您可以通过运行以下命令来验证这一点:$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem> .尼菲0.x可以在 Java 7 上运行,但 NiFi 1.x需要 Java 8+。如果您仅限于 Java 7,则可以通过另一个 Java 参数显式启用这些协议(protocol):java.arg.16=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 .

关于ssl - Nifi安全连接没有密码,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/39981402/

上一篇:java - 证书链中的 SSLHandshakeException 行为

下一篇:security - 创建自签名 SSL 证书时出错

相关文章:

SSL - 浏览器地址栏中的 EV 和 OV 区别

json - 需要帮助推断 NiFi 中 json 文件的 avro 架构

hadoop - 如何在不使用时间戳的情况下在配置单元中查找最近更新的值

hadoop2 - 使用hadoop-ha时出现java.net.UnknownHostException?

java - 读取处理器中的自定义属性

apache-nifi - 如何使用 NIFI 中的自定义处理器逐一传输流程文件

.htaccess - 从非 www 重定向到 www 并强制使用 SSL

php - 如何调整我的 .htaccess 文件以允许子文件夹中的全功能网站

android - 在 Android 上创建 SSL 连接时出现 SSLPeerUnverifiedException

mysql - Hive 查询问题 - 无效的表别名或列引用

©2024 IT工具网  联系我们