NiFi bypass host name verification in SSL context service


I am trying to connect to a REST endpoint via the GetHTTP Processor in NiFi 1.5.0. The problem that I am facing is that the SSL certificate is issued to the domain, but I only have direct access to the IP:Port address (company firewall). With that, I run into the problem that host name and certificate owners don't match up and the IP is not added as a subject alternative name.

When I try to connect, I get this error message:

javax.net.ssl.SSLPeerUnverifiedException: Certificate for <[IP-ADDRESS]> doesn't match any of the subject alternative names: []

Is there a way to bypass the host name verification? I have found this NiFi Jira ticket but it doesn't seem to be addressed yet. Is there a workaround I could use?

2

There are 2 best solutions below

4
On BEST ANSWER

You could try using InvokeHTTP and use the "Trusted Hostname" property.

0
On

As the "Trusted Hostname" property is deprecated in recent versions of NiFi, you can use the ExecuteScript processor with Ruby. The example is below. The body of the POST request must be in the FlowFile contents. The body of the response will be in the FlowFile contents after the processor.

require "uri"
require "net/http"
require "openssl"

java_import org.apache.commons.io.IOUtils
java_import java.nio.charset.StandardCharsets
java_import org.apache.nifi.processor.io.StreamCallback

# Define an implementation of the StreamCallback interface for use in session.write()
class JRubyStreamCallback
  include StreamCallback
  def process(inputStream, outputStream)
    text = IOUtils.toString(inputStream, 'utf-8')

    url = URI("https://...")
    https = Net::HTTP.new(url.host, url.port)
    https.use_ssl = true
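    # VERIFY_NONE turns off all certificate validation (trust chain as well as
    # the host name check), so the peer is not authenticated at all.
    https.verify_mode = OpenSSL::SSL::VERIFY_NONE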
    request = Net::HTTP::Post.new(url)
    request["Authorization"] = "Basic ..."
    request["Content-Type"] = "application/json"
    request.body = text
    response = https.request(request)

    outputStream.write((response.read_body).to_java.getBytes(StandardCharsets::UTF_8))
  end
end

jrubyStreamCallback = JRubyStreamCallback.new
flowFile = session.get()
if flowFile != nil
  flowFile = session.write(flowFile, jrubyStreamCallback)
  session.transfer(flowFile, REL_SUCCESS)
end
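
An added example, not part of the original answers: for the situation in the question, the host name check can be kept by dialling the reachable IP while still verifying the certificate against the DNS name it was issued for, using `Net::HTTP#ipaddr=`. It is plain Ruby with a constructed self-signed certificate; the name `api.example.internal`, the IP `10.0.0.5`, port `8443` and the helper names are assumptions, and whether the JRuby bundled with a given NiFi release provides `ipaddr=` is not confirmed here.

```ruby
require "openssl"
require "net/http"

# Constructed sample: self-signed certificate whose only SAN is a DNS name,
# standing in for the endpoint's certificate "issued to the domain".
def constructed_cert(dns_name)
  key = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{dns_name}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Identity check that Ruby's OpenSSL binding applies to a peer certificate.
def identity_matches?(cert, peer_name)
  OpenSSL::SSL.verify_certificate_identity(cert, peer_name)
end

# Client that dials the reachable IP but still validates the chain and checks
# the certificate against the DNS name it was issued for.
def pinned_client(cert_hostname, ip, port, ca_file: nil)
  http = Net::HTTP.new(cert_hostname, port) # name used for SNI and identity check
  http.ipaddr = ip                          # address the TCP connection goes to
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file if ca_file         # CA bundle for an internal issuer
  http
end

if __FILE__ == $PROGRAM_NAME
  cert = constructed_cert("api.example.internal")      # hypothetical name
  puts identity_matches?(cert, "10.0.0.5")             # connecting by bare IP
  puts identity_matches?(cert, "api.example.internal") # name the cert carries
  http = pinned_client("api.example.internal", "10.0.0.5", 8443)
  puts "dial #{http.ipaddr}:#{http.port}, verify as #{http.address}"
end
```

The first check reproduces the mismatch behind the `SSLPeerUnverifiedException` in the question; the second shows the same certificate passing once the client verifies against the issued name instead of the IP.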