
NiFi bypass host name verification in SSL context service


I am trying to connect to a REST endpoint via the GetHTTP Processor in NiFi 1.5.0. The problem that I am facing is that the SSL certificate is issued to the domain, but I only have direct access to the IP:Port address (company firewall). With that I run into the problem that the host name and certificate owner don't match up, and the IP is not added as a subject alternative name.

When I try to connect, I get this error message:

javax.net.ssl.SSLPeerUnverifiedException: Certificate for <[IP-ADDRESS]> doesn't match any of the subject alternative names: []

Is there a way to bypass the host name verification? I have found this NiFi Jira ticket but it doesn't seem to be addressed yet. Is there a workaround I could use?


Solution

  • You could try using InvokeHTTP and use the "Trusted Hostname" property.
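
The mismatch described in the question, as an added example that is not part of the original post or of NiFi's code: a simplified version of the name check a TLS client performs, showing that a target given as an IP address is compared only against iPAddress SAN entries, so a certificate issued to a domain name alone is rejected. The host names, the address 192.0.2.10 and the SAN tuples (laid out as Python's `ssl.getpeercert()` returns them) are constructed sample values.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    # A wildcard covers exactly one left-most label, never a bare TLD.
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:] and "." in rest

def explain_match(target, san):
    """Return (ok, reason) for connecting to `target` with a cert carrying `san`."""
    if _is_ip(target):
        # IP targets are matched only against iPAddress entries, never DNS names.
        addr = ipaddress.ip_address(target)
        ips = [v for kind, v in san if kind == "IP Address"]
        if any(ipaddress.ip_address(v) == addr for v in ips):
            return True, "iPAddress SAN matches"
        return False, f"{target} doesn't match any iPAddress SAN: {ips}"
    names = [v for kind, v in san if kind == "DNS"]
    if any(_dns_match(p, target) for p in names):
        return True, "dNSName SAN matches"
    return False, f"{target} doesn't match any dNSName SAN: {names}"

# Constructed sample certificates (SAN extension only).
DOMAIN_ONLY = (("DNS", "api.example.com"),)
WITH_IP = (("DNS", "api.example.com"), ("IP Address", "192.0.2.10"))

if __name__ == "__main__":
    for target, san in [("192.0.2.10", DOMAIN_ONLY),
                        ("api.example.com", DOMAIN_ONLY),
                        ("192.0.2.10", WITH_IP)]:
        print(target, explain_match(target, san))
```

The first case reproduces the empty candidate list seen in the error message; the other two show the conditions under which verification succeeds without being switched off: connecting by the name in the certificate, or a certificate that carries the IP as a SAN.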