Nifi安全连接没有密码

Question

我正在使用nifi，并开始为https配置它，以便启用用户。Nifi不工作，jetty服务器会失败，说没有密码。不知道怎么调试这个，有什么提示吗？同样的证书已经在我的电脑上测试过了，而且它们也能工作。感谢你的任何帮助

更新

好吧..。我启用了SSL日志。最大的区别在于Java环境，在生产服务器上是java-1.8.0-openjdk，在我的本地机器上是java-8-oracle。日志之间仍然存在一些重要的差异。

作为ssl协商的参考，请参阅此帖子关于协议应该如何工作以及所涉及的会话。

最显著的区别是

生产主机上没有*** ECDH ServerKeyExchange会话。

从ClientHello开始的日志在两台机器之间有很大的不同：

本地(我截断了太长的行，只报告了很少的日志会话)

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 2028150611 bytes = { 31, 20, 137, 167, 52, 224, 12, 129, 113, 59, 113, 45, 161, 54, 164, 147, 115, 148

Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_2
cc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, T
TH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RS

Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA2

Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Initialized:  [Session-2, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
matching alias: 1
matching alias: 1
matching alias: 1
%% Negotiating:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
%% Negotiating:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
*** ServerHello, TLSv1.2
RandomCookie:  RandomCookie:  GMT: 1459404759 bytes = { GMT: 1459404759 bytes = { 196, 84, 148, 21, 202, 175, 156, 35, 50,
2 }
Session ID:  {87, 253, 192, 215, 210, 220, 163, 93, 88, 20, 237, 50, 37, 61, 50, 192, 225, 180, 252, 8, 19, 154, 0, 18, 13

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
47, 15, 107, 214, 199, 60, 245, 207, 215, 148, 102, 224, 0, 41, 172, 70, 101, 85, 85, 173, 79, 238, 15, 167, 136, 20, 14, 
Session ID:  {87, 253, 192, 215, 117, 67, 238, 169, 141, 93, 171, 129, 181, 146, 239, 178, 242, 31, 104, 115, 209, 119, 20

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT

***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 75079925706380992652797512247021193282035431148032843217618352685456618206389
  public y coord: 43896241059818662260698096293954076915685388487376127769285950062051599700758
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,

Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-21, WRITE: TLSv1.2 Handshake, length = 1753
NiFi Web Server-21, called closeInbound()
NiFi Web Server-21, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated:  [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
NiFi Web Server-21, SEND TLSv1.2 ALERT:  fatal, description = internal_error
NiFi Web Server-21, WRITE: TLSv1.2 Alert, length = 2
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 115351230770955196648507742599468345245507684591583302635044967727219906604428
  public y coord: 93087459299146270258246635135187638789539141095594448725666354447366218509864
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,

....

在生产上，事物是不同的：

(我截断了太长的行，只报告了很少的日志会话)

*** ClientHello, TLSv1.2
RandomCookie:  GMT: -1695295875 bytes = { 197, 207, 66, 60, 4, 242, 21, 101, 190, 160, 124, 185, 72, 238, 141, 237, 251

Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_12
ES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES
CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TL
H_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=nifi-dev.buongiorno.com]
Unsupported extension type_23, data: 
Unsupported extension type_35, data: 
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, S

Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data: 
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, java.security.spec.ECParameterSpec@7862cc21, java.security.s

***
%% Initialized:  [Session-4, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
%% Negotiating:  [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1459415539 bytes = { 67, 58, 139, 150, 47, 53, 247, 222, 255, 192, 141, 66, 114, 19, 171, 52, 6, 18

Session ID:  {87, 253, 234, 243, 97, 92, 182, 14, 121, 224, 54, 149, 111, 196, 87, 79, 36, 149, 33, 51, 182, 47, 184, 6

Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: 
***
Cipher suite:  TLS_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain

chain [0] = [
[
  Version: V3
  Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  :
  . 

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDS
withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-16, WRITE: TLSv1.2 Handshake, length = 1428
NiFi Web Server-21, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***

更新2

我要求安装Java 8，现在密钥交换可以工作了，这时我的问题就会消失。

Answer 1

如果您可以提供$NIFI_HOME/logs/nifi-app.log和$NIFI_HOME/logs/nifi-bootstrap.log的输出(必要时进行消毒)，以及您正在使用的硬件、OS、JRE和NiFi版本，这将有助于诊断。以下是几个常见的原因：

• 密钥存储库中的证书无效(过期，尚未有效，无法验证链)，因此Jetty跳过了依赖RSA/DSA密钥进行签名或加密的可用密码套件。您可以通过在$NIFI_HOME/conf/bootstrap.conf：java.arg.15=-Djavax.net.debug=ssl,handshake中添加一个新的参数来检查这一点(在这里，参数号被更新以确保它不与现有的参数冲突)。这将为您的日志文件添加大量输出，包括信任存储配置和每个TLS握手协商，包括Jetty认为可用的密码套件。
  • 一个小问题是，加载到keystore中的动态生成的证书不能用于在测试用例中提供TLSv1.1密码套件。请参阅NIFI-1688 PR 624

​

• 运行NiFi的JRE不会使浏览器接受的任何密码套件可用。这并不常见，但是JRE 7使TLSv1.0成为默认的，一些浏览器(夜间构建，等等)可能只将TLS限制为TLSv1.1或TLSv1.2。您可以通过运行以下命令来验证这一点：$ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>。NiFi 0.x可以在Java 7上运行，但是NiFi 1.x需要Java 8+。如果仅限于Java 7，则可以通过另一个Java参数java.arg.16=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2显式启用这些协议。