nifi-users mailing list archives

From Andy LoPresto <alopresto.apa...@gmail.com>
Subject Re: Nifi api - SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
Date Tue, 02 Feb 2016 02:00:10 GMT
Hi Chakri,

Running curl with -k will instruct it to ignore certificate validation, and you can see from
the output that it is skipping that. However, the issue seems to be a cipher suite mismatch between
your version of curl and the underlying Jetty server of NiFi, specifically one using *DHE*
or ephemeral Diffie-Hellman key parameters (likely < 1024 bits).

Can you please run the following command and paste the output here to help us diagnose? You
can redact the key information, but what we are interested in are any error codes and the
supported cipher suites your server accepts. Are you using NiFi 0.4.1 and have you done any
customization to the nifi.properties file? Did you follow the steps listed here [1] to set
up TLS for NiFi?

$ openssl s_client -connect 10.233.0.153:8081 -debug

You can also run with -tls1 or -cipher flags to specify custom cipher lists. See OpenSSL documentation
[2] for more details.

There is also a nifty command-line tool called cipherscan [3] which will attempt to connect
to a TLS server and report on all server-supported cipher suites.

I hope this helps and if you can provide us with more information, we can help further. Thanks.

[1] https://community.hortonworks.com/articles/886/securing-nifi-step-by-step.html
[2] https://www.openssl.org/docs/manmaster/apps/s_client.html
[3] https://github.com/jvehent/cipherscan

Andy LoPresto
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
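As an added example (not part of the original thread), the following script classifies the `openssl s_client` output suggested above, reporting the negotiated cipher and the size of the server's ephemeral DH key, so a 1024-bit (or smaller) DH group of the kind that makes NSS-based curl fail with SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY is flagged. It assumes OpenSSL 1.0.2 or later, which prints a "Server Temp Key:" line after the handshake; the sample output embedded at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: decide from `openssl s_client`
# output whether the server's ephemeral DH key is the kind NSS rejects with
# SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY. Assumes OpenSSL >= 1.0.2, which
# prints a "Server Temp Key:" line once the handshake has completed.

# dh_verdict: read s_client output on stdin; print "<cipher> <bits> <verdict>".
# Verdict is WEAK below 2048 bits, OK otherwise, NO-DHE when no DH temp key
# was used (ECDHE or plain RSA key exchange), NO-HANDSHAKE when s_client
# negotiated no cipher at all (it then prints "Cipher    : 0000").
dh_verdict() {
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    bits=$(printf '%s\n' "$out" | sed -n 's/^ *Server Temp Key: *DH, *\([0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "- - NO-HANDSHAKE"
    elif [ -z "$bits" ]; then
        echo "$cipher - NO-DHE"
    elif [ "$bits" -lt 2048 ]; then
        echo "$cipher $bits WEAK"
    else
        echo "$cipher $bits OK"
    fi
}

# probe_dh HOST PORT: restrict the client to DHE suites so the server's DH
# parameters are actually exercised, then classify. Not run below, since it
# needs network access to the server under test.
probe_dh() {
    openssl s_client -connect "$1:$2" -cipher 'DHE' </dev/null 2>/dev/null | dh_verdict
}

# Constructed sample of the relevant s_client lines for a server that sends
# 1024-bit DH parameters (the -debug byte dumps are omitted).
SAMPLE_WEAK='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA'

printf '%s\n' "$SAMPLE_WEAK" | dh_verdict   # DHE-RSA-AES128-SHA 1024 WEAK
```

Against a live server, `probe_dh 10.233.0.153 8081` (the endpoint from the original message) pipes the real handshake summary through the same classifier.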

> On Feb 1, 2016, at 5:14 PM, Chakrader Dewaragatla <Chakrader.Dewaragatla@lifelock.com> wrote:
> 
> Hi,
> When I try to connect to the nifi api end point with curl as "curl -k -XGET https://10.233.0.153:8081/nifi-api/access/config -v" it fails as follows even though I use the "-k" option to ignore validation.
> * Proxy replied OK to CONNECT request
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * NSS error -12173 (SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY)
> * SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
> * Closing connection 0
> curl: (35) SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
> 
> curl -V
> curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.18 Basic ECC zlib/1.2.8 libidn/1.32 libssh2/1.5.0
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
> Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
> 
> How do I configure nifi to use certain ciphers and protocols? Looks like this ticket is resolved, https://issues.apache.org/jira/browse/NIFI-419; how do I use the settings?
> https://issues.apache.org/jira/browse/NIFI-700 is still open.
> 
> Using curl is one side of our use; on the other side we have a JSS tomcat service that uses stronger ciphers and protocols. Eventually we would like tomcat to run nifi REST apis.
> 
> Thanks,
> -Chakri
