Nifi安全连接没有密码

时间:2016-10-11 15:48:21

标签: ssl hadoop2 apache-nifi bigdata

我正在使用nifi,我开始为https配置它以启用用户。 Nifi不起作用,码头Web服务器失败说没有密码。不知道如何调试这个,任何提示? 我的计算机上已经测试了相同的证书并且它们可以工作。 任何帮助表示赞赏

更新

嗯......我启用了SSL日志记录。 最大的区别在于Java环境,在生产服务器上是java-1.8.0-openjdk,在我的本地机器上是java-8-oracle。 日志之间仍然存在一些重要的差异。

作为ssl协商参考,请参阅此POST,了解协议应如何工作以及所涉及的会话。

最显着的差异是

生产主机上没有*** ECDH ServerKeyExchange会话。

从ClientHello开始的日志在两台机器之间有很大不同:

本地(我截断太长的行并报告只有很少的日志会话)

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 2028150611 bytes = { 31, 20, 137, 167, 52, 224, 12, 129, 113, 59, 113, 45, 161, 54, 164, 147, 115, 148

Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_2
cc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, T
TH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RS

Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA2

Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Initialized:  [Session-2, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
matching alias: 1
matching alias: 1
matching alias: 1
%% Negotiating:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
%% Negotiating:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
*** ServerHello, TLSv1.2
RandomCookie:  RandomCookie:  GMT: 1459404759 bytes = { GMT: 1459404759 bytes = { 196, 84, 148, 21, 202, 175, 156, 35, 50,
2 }
Session ID:  {87, 253, 192, 215, 210, 220, 163, 93, 88, 20, 237, 50, 37, 61, 50, 192, 225, 180, 252, 8, 19, 154, 0, 18, 13

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
47, 15, 107, 214, 199, 60, 245, 207, 215, 148, 102, 224, 0, 41, 172, 70, 101, 85, 85, 173, 79, 238, 15, 167, 136, 20, 14, 
Session ID:  {87, 253, 192, 215, 117, 67, 238, 169, 141, 93, 171, 129, 181, 146, 239, 178, 242, 31, 104, 115, 209, 119, 20

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT

***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 75079925706380992652797512247021193282035431148032843217618352685456618206389
  public y coord: 43896241059818662260698096293954076915685388487376127769285950062051599700758
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,

Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-21, WRITE: TLSv1.2 Handshake, length = 1753
NiFi Web Server-21, called closeInbound()
NiFi Web Server-21, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
NiFi Web Server-21, SEND TLSv1.2 ALERT:  fatal, description = internal_error
NiFi Web Server-21, WRITE: TLSv1.2 Alert, length = 2
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 115351230770955196648507742599468345245507684591583302635044967727219906604428
  public y coord: 93087459299146270258246635135187638789539141095594448725666354447366218509864
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,

....

关于生产的事情是不同的:

(我截断的行太长,只报告了很少的日志会话)

*** ClientHello, TLSv1.2
RandomCookie:  GMT: -1695295875 bytes = { 197, 207, 66, 60, 4, 242, 21, 101, 190, 160, 124, 185, 72, 238, 141, 237, 251

Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_12
ES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES
CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TL
H_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=nifi-dev.buongiorno.com]
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, S

Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, java.security.spec.ECParameterSpec@7862cc21, java.security.s

***
%% Initialized:  [Session-4, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
%% Negotiating:  [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1459415539 bytes = { 67, 58, 139, 150, 47, 53, 247, 222, 255, 192, 141, 66, 114, 19, 171, 52, 6, 18

Session ID:  {87, 253, 234, 243, 97, 92, 182, 14, 121, 224, 54, 149, 111, 196, 87, 79, 36, 149, 33, 51, 182, 47, 184, 6

Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: 
***
Cipher suite:  TLS_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain

chain [0] = [
[
  Version: V3
  Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  :
  . 

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDS
withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-16, WRITE: TLSv1.2 Handshake, length = 1428
NiFi Web Server-21, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***

更新2

我要求安装Java 8,现在keyexchange工作,此时我的问题就会消失。

1 个答案:

答案 0 :(得分:1)

如果您可以提供$NIFI_HOME/logs/nifi-app.log$NIFI_HOME/logs/nifi-bootstrap.log的输出(必要时已消毒),以及您正在使用的硬件,操作系统,JRE和NiFi版本,这将有助于诊断。以下是几个常见原因:

  • 密钥库中的证书无效(已过期,尚未生效,无法验证链),因此Jetty会跳过依赖于RSA / DSA密钥进行签名或加密的可用密码套件。您可以通过在$NIFI_HOME/conf/bootstrap.conf中添加新参数来检查这一点:java.arg.15=-Djavax.net.debug=ssl,handshake(更新参数号以确保它不与现有参数冲突)。这将为您的日志文件添加大量输出,涵盖信任库配置和每个TLS握手协商,包括Jetty认为可用的密码套件。
    • 存在一个小问题,即加载到密钥库中的动态生成的证书无法用于在测试用例中提供TLSv1.1密码套件。请参阅NIFI-1688 PR 624
  • 运行NiFi的JRE不会使浏览器可以使用任何密码套件。这种情况不太常见,但JRE 7使TLSv1.0成为默认值,而某些浏览器(夜间构建等)可能仅将TLS限制为TLSv1.1TLSv1.2。您可以通过运行以下命令来验证这一点:$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>。 NiFi 0.x可以在Java 7上运行,但NiFi 1.x需要Java 8+。如果您受限于Java 7,则可以通过另一个Java参数java.arg.16=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2显式启用这些协议。