NIFI-8096 Deprecated ClientAuth references in SSLContextService

- Added SSLContextService.createContext() and refactored referencing components
- Removed references to ClientAuth from SslContextFactory methods

This closes #4737.

Signed-off-by: Mark Payne <markap14@hotmail.com>

nifi-bootstrap/src/test/java/org/apache/nifi/bootstrap/http/TestHttpNotificationServiceSSL.java

@@ -31,7 +31,6 @@ import javax.net.ssl.SSLContext;
 import javax.xml.parsers.ParserConfigurationException;
 import okhttp3.mockwebserver.MockWebServer;
 import org.apache.nifi.bootstrap.NotificationServiceManager;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.StandardTlsConfiguration;
 import org.apache.nifi.security.util.TlsConfiguration;
@@ -138,7 +137,7 @@ public class TestHttpNotificationServiceSSL extends TestHttpNotificationServiceC
 
         TlsConfiguration tlsConfiguration = new StandardTlsConfiguration("./src/test/resources/keystore.jks", "passwordpassword", null, "JKS",
                 "./src/test/resources/truststore.jks", "passwordpassword", "JKS", TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
-        final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED);
+        final SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration);
         mockWebServer.useHttps(sslContext.getSocketFactory(), false);
 
         String configFileOutput = CONFIGURATION_FILE_TEXT.replace("${test.server}", String.valueOf(mockWebServer.url("/")));

nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/SslContextFactory.java

@@ -43,27 +43,13 @@ public final class SslContextFactory {
     // TODO: Move to nifi-security-utils-core
 
     /**
-     * Returns a configured {@link SSLContext} from the provided TLS configuration. Hardcodes the
+     * Create and initialize a {@link SSLContext} from the provided TLS configuration.
-     * client auth setting to {@link ClientAuth#REQUIRED} because this method is usually used when
-     * creating a context for a client, which ignores the setting anyway.
      *
      * @param tlsConfiguration the TLS configuration container object
-     * @return the configured SSLContext
+     * @return {@link SSLContext} initialized from TLS Configuration or null when TLS Configuration is empty
      * @throws TlsException if there is a problem configuring the SSLContext
      */
-    public static SSLContext createSslContext(TlsConfiguration tlsConfiguration) throws TlsException {
+    public static SSLContext createSslContext(final TlsConfiguration tlsConfiguration) throws TlsException {
-        return createSslContext(tlsConfiguration, ClientAuth.REQUIRED);
-    }
-
-    /**
-     * Returns a configured {@link SSLContext} from the provided TLS configuration.
-     *
-     * @param tlsConfiguration the TLS configuration container object
-     * @param clientAuth       the {@link ClientAuth} setting
-     * @return the configured SSLContext
-     * @throws TlsException if there is a problem configuring the SSLContext
-     */
-    public static SSLContext createSslContext(TlsConfiguration tlsConfiguration, ClientAuth clientAuth) throws TlsException {
         if (TlsConfiguration.isEmpty(tlsConfiguration)) {
             logger.debug("Cannot create SSLContext from empty TLS configuration; returning null");
             return null;
@@ -79,31 +65,25 @@ public final class SslContextFactory {
         }
         final TrustManager[] trustManagers = getTrustManagers(tlsConfiguration);
 
-        return createSslContext(tlsConfiguration, trustManagers, clientAuth);
+        return createSslContext(tlsConfiguration, trustManagers);
     }
 
     /**
-     * Returns a configured {@link SSLContext} from the provided TLS configuration and Trust Managers
+     * Create and initialize a {@link SSLContext} from the provided TLS configuration and Trust Managers.
      *
      * @param tlsConfiguration the TLS configuration container object
      * @param trustManagers    Trust Managers can be null to use platform default Trust Managers
-     * @param clientAuth       the {@link ClientAuth} setting
+     * @return {@link SSLContext} initialized from TLS Configuration or null when TLS Configuration is empty
-     * @return the configured SSLContext
      * @throws TlsException if there is a problem configuring the SSLContext
      */
-    public static SSLContext createSslContext(final TlsConfiguration tlsConfiguration, final TrustManager[] trustManagers, ClientAuth clientAuth) throws TlsException {
+    public static SSLContext createSslContext(final TlsConfiguration tlsConfiguration, final TrustManager[] trustManagers) throws TlsException {
         if (TlsConfiguration.isEmpty(tlsConfiguration)) {
             logger.debug("Cannot create SSLContext from empty TLS configuration; returning null");
             return null;
         }
 
-        if (clientAuth == null) {
-            clientAuth = ClientAuth.REQUIRED;
-            logger.debug("ClientAuth was null so defaulting to {}", clientAuth);
-        }
-
         final KeyManager[] keyManagers = getKeyManagers(tlsConfiguration);
-        return initializeSSLContext(tlsConfiguration, clientAuth, keyManagers, trustManagers);
+        return initializeSSLContext(tlsConfiguration, keyManagers, trustManagers);
     }
 
     /**
@@ -131,15 +111,13 @@ public final class SslContextFactory {
 
     /**
      * Convenience method to return the {@link SSLSocketFactory} from the created {@link SSLContext}
-     * because that is what most callers of {@link #createSslContext(TlsConfiguration, ClientAuth)}
-     * actually need and don't know what to provide for the {@link ClientAuth} parameter.
      *
      * @param tlsConfiguration the TLS configuration container object
      * @return the configured SSLSocketFactory (can be {@code null})
      * @throws TlsException if there is a problem creating the SSLContext or SSLSocketFactory
      */
-    public static SSLSocketFactory createSSLSocketFactory(TlsConfiguration tlsConfiguration) throws TlsException {
+    public static SSLSocketFactory createSSLSocketFactory(final TlsConfiguration tlsConfiguration) throws TlsException {
-        SSLContext sslContext = createSslContext(tlsConfiguration, ClientAuth.REQUIRED);
+        SSLContext sslContext = createSslContext(tlsConfiguration);
         if (sslContext == null) {
             // Only display an error in the log if the provided config wasn't empty
             if (!TlsConfiguration.isEmpty(tlsConfiguration)) {
@@ -209,25 +187,12 @@ public final class SslContextFactory {
         return trustManagers;
     }
 
-    private static SSLContext initializeSSLContext(TlsConfiguration tlsConfiguration, ClientAuth clientAuth, KeyManager[] keyManagers, TrustManager[] trustManagers) throws TlsException {
+    private static SSLContext initializeSSLContext(final TlsConfiguration tlsConfiguration, final KeyManager[] keyManagers, final TrustManager[] trustManagers) throws TlsException {
-        final SSLContext sslContext;
         try {
-            sslContext = SSLContext.getInstance(tlsConfiguration.getProtocol());
+            final SSLContext sslContext = SSLContext.getInstance(tlsConfiguration.getProtocol());
             sslContext.init(keyManagers, trustManagers, new SecureRandom());
-            switch (clientAuth) {
-                case REQUIRED:
-                    sslContext.getDefaultSSLParameters().setNeedClientAuth(true);
-                    break;
-                case WANT:
-                    sslContext.getDefaultSSLParameters().setWantClientAuth(true);
-                    break;
-                case NONE:
-                default:
-                    sslContext.getDefaultSSLParameters().setWantClientAuth(false);
-            }
-
             return sslContext;
-        } catch (NoSuchAlgorithmException | KeyManagementException e) {
+        } catch (final NoSuchAlgorithmException | KeyManagementException e) {
             logger.error("Encountered an error creating SSLContext from TLS configuration ({}): {}", tlsConfiguration.toString(), e.getLocalizedMessage());
             throw new TlsException("Error creating SSL context", e);
         }

nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/SslContextFactoryTest.groovy

@@ -99,18 +99,12 @@ class SslContextFactoryTest extends GroovyTestCase {
         logger.info("Creating SSL Context from TLS Configuration: ${tlsConfiguration}")
 
         // Act
-        SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.NONE)
+        SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration)
         logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}")
 
         // Assert
         assert sslContext.protocol == tlsConfiguration.protocol
 
-        def defaultSSLParameters = sslContext.defaultSSLParameters
-        logger.info("Default SSL Parameters: ${KeyStoreUtils.sslParametersToString(defaultSSLParameters)}" as String)
-        assertProtocolVersions(defaultSSLParameters.protocols, TlsPlatform.supportedProtocols)
-        assert !defaultSSLParameters.needClientAuth
-        assert !defaultSSLParameters.wantClientAuth
-
         // Check a socket created from this context
         assertSocketProtocols(sslContext)
     }
@@ -129,18 +123,12 @@ class SslContextFactoryTest extends GroovyTestCase {
         logger.info("Creating SSL Context from TLS Configuration: ${configWithoutKeyPassword}")
 
         // Act
-        SSLContext sslContext = SslContextFactory.createSslContext(configWithoutKeyPassword, ClientAuth.NONE)
+        SSLContext sslContext = SslContextFactory.createSslContext(configWithoutKeyPassword)
         logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}")
 
         // Assert
         assert sslContext.protocol == configWithoutKeyPassword.protocol
 
-        def defaultSSLParameters = sslContext.defaultSSLParameters
-        logger.info("Default SSL Parameters: ${KeyStoreUtils.sslParametersToString(defaultSSLParameters)}" as String)
-        assertProtocolVersions(defaultSSLParameters.protocols, TlsPlatform.supportedProtocols)
-        assert !defaultSSLParameters.needClientAuth
-        assert !defaultSSLParameters.wantClientAuth
-
         // Check a socket created from this context
         assertSocketProtocols(sslContext)
     }
@@ -175,12 +163,12 @@ class SslContextFactoryTest extends GroovyTestCase {
 
         // Act
         def noKeystorePathMsg = shouldFail(TlsException) {
-            SSLContext sslContext = SslContextFactory.createSslContext(configNoKeystorePath, ClientAuth.NONE)
+            SSLContext sslContext = SslContextFactory.createSslContext(configNoKeystorePath)
             logger.info("Created SSL Context missing keystore path: ${KeyStoreUtils.sslContextToString(sslContext)}")
         }
 
         def noTruststorePathMsg = shouldFail(TlsException) {
-            SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePath, ClientAuth.NONE)
+            SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePath)
             logger.info("Created SSL Context missing truststore path: ${KeyStoreUtils.sslContextToString(sslContext)}")
         }
 
@@ -206,18 +194,12 @@ class SslContextFactoryTest extends GroovyTestCase {
         logger.info("Creating SSL Context from TLS Configuration: ${configNoTruststorePassword}")
 
         // Act
-        SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePassword, ClientAuth.NONE)
+        SSLContext sslContext = SslContextFactory.createSslContext(configNoTruststorePassword)
         logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}")
 
         // Assert
         assert sslContext.protocol == configNoTruststorePassword.protocol
 
-        def defaultSSLParameters = sslContext.defaultSSLParameters
-        logger.info("Default SSL Parameters: ${KeyStoreUtils.sslParametersToString(defaultSSLParameters)}" as String)
-        assertProtocolVersions(defaultSSLParameters.protocols, TlsPlatform.supportedProtocols)
-        assert !defaultSSLParameters.needClientAuth
-        assert !defaultSSLParameters.wantClientAuth
-
         // Check a socket created from this context
         assertSocketProtocols(sslContext)
     }
@@ -239,7 +221,7 @@ class SslContextFactoryTest extends GroovyTestCase {
 
         // Act
         def msg = shouldFail(TlsException) {
-            SSLContext sslContext = SslContextFactory.createSslContext(keystoreOnlyConfig, ClientAuth.NONE)
+            SSLContext sslContext = SslContextFactory.createSslContext(keystoreOnlyConfig)
             logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}")
         }
         logger.expected(msg)
@@ -259,7 +241,7 @@ class SslContextFactoryTest extends GroovyTestCase {
         logger.info("Creating SSL Context from TLS Configuration: ${emptyConfig}")
 
         // Act
-        SSLContext sslContext = SslContextFactory.createSslContext(emptyConfig, ClientAuth.NONE)
+        SSLContext sslContext = SslContextFactory.createSslContext(emptyConfig)
 
         // Assert
         assert !sslContext

nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/ServerSocketConfiguration.java

@@ -17,7 +17,6 @@
 package org.apache.nifi.io.socket;
 
 import javax.net.ssl.SSLContext;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.TlsConfiguration;
 import org.apache.nifi.security.util.TlsException;
@@ -34,8 +33,7 @@ public final class ServerSocketConfiguration {
     }
 
     public SSLContext createSSLContext() throws TlsException {
-        // ClientAuth was hardcoded to REQUIRED in removed SSLContextFactory and overridden in SocketUtils when the socket is created
+        return SslContextFactory.createSslContext(tlsConfiguration);
-        return SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED);
     }
 
     public void setTlsConfiguration(final TlsConfiguration tlsConfiguration) {

nifi-commons/nifi-socket-utils/src/main/java/org/apache/nifi/io/socket/SocketConfiguration.java

@@ -17,7 +17,6 @@
 package org.apache.nifi.io.socket;
 
 import javax.net.ssl.SSLContext;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.TlsConfiguration;
 import org.apache.nifi.security.util.TlsException;
@@ -35,8 +34,7 @@ public final class SocketConfiguration {
     private TlsConfiguration tlsConfiguration;
 
     public SSLContext createSSLContext() throws TlsException {
-        // This is only used for client sockets, so the client auth setting is ignored
+        return SslContextFactory.createSslContext(tlsConfiguration);
-        return SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.NONE);
     }
 
     public void setTlsConfiguration(final TlsConfiguration tlsConfiguration) {

nifi-nar-bundles/nifi-amqp-bundle/nifi-amqp-processors/src/main/java/org/apache/nifi/amqp/processors/AbstractAMQPProcessor.java

@@ -298,7 +298,7 @@ abstract class AbstractAMQPProcessor<T extends AMQPWorker> extends AbstractProce
         final Boolean useCertAuthentication = context.getProperty(USE_CERT_AUTHENTICATION).asBoolean();
 
         if (sslService != null) {
-            final SSLContext sslContext = sslService.createSSLContext(ClientAuth.NONE);
+            final SSLContext sslContext = sslService.createContext();
             cf.useSslProtocol(sslContext);
 
             if (useCertAuthentication) {

nifi-nar-bundles/nifi-aws-bundle/nifi-aws-abstract-processors/src/main/java/org/apache/nifi/processors/aws/AbstractAWSProcessor.java

@@ -58,7 +58,6 @@ import org.apache.nifi.processor.util.StandardValidators;
 import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors;
 import org.apache.nifi.proxy.ProxyConfiguration;
 import org.apache.nifi.proxy.ProxySpec;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 
 /**
@@ -227,7 +226,7 @@ public abstract class AbstractAWSProcessor<ClientType extends AmazonWebServiceCl
         if(this.getSupportedPropertyDescriptors().contains(SSL_CONTEXT_SERVICE)) {
             final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
             if (sslContextService != null) {
-                final SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.NONE);
+                final SSLContext sslContext = sslContextService.createContext();
                 // NIFI-3788: Changed hostnameVerifier from null to DHV (BrowserCompatibleHostnameVerifier is deprecated)
                 SdkTLSSocketFactory sdkTLSSocketFactory = new SdkTLSSocketFactory(sslContext, new DefaultHostnameVerifier());
                 config.getApacheHttpClientConfig().setSslSocketFactory(sdkTLSSocketFactory);

nifi-nar-bundles/nifi-beats-bundle/nifi-beats-processors/src/main/java/org/apache/nifi/processors/beats/ListenBeats.java

@@ -157,7 +157,7 @@ public class ListenBeats extends AbstractListenEventBatchingProcessor<BeatsEvent
         final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
         if (sslContextService != null) {
             final String clientAuthValue = context.getProperty(CLIENT_AUTH).getValue();
-            sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuthValue));
+            sslContext = sslContextService.createContext();
             clientAuth = ClientAuth.valueOf(clientAuthValue);
 
         }

nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/main/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessor.java

@@ -252,24 +252,10 @@ public abstract class AbstractCassandraProcessor extends AbstractProcessor {
 
             // Set up the client for secure (SSL/TLS communications) if configured to do so
             final SSLContextService sslService = context.getProperty(PROP_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
-            final String rawClientAuth = context.getProperty(CLIENT_AUTH).getValue();
             final SSLContext sslContext;
 
             if (sslService != null) {
-                final ClientAuth clientAuth;
+                sslContext = sslService.createContext();
-
-                if (StringUtils.isBlank(rawClientAuth)) {
-                    clientAuth = ClientAuth.REQUIRED;
-                } else {
-                    try {
-                        clientAuth = ClientAuth.valueOf(rawClientAuth);
-                    } catch (final IllegalArgumentException iae) {
-                        throw new IllegalStateException(String.format("Unrecognized client auth '%s'. Possible values are [%s]",
-                                rawClientAuth, StringUtils.join(ClientAuth.values(), ", ")));
-                    }
-                }
-
-                sslContext = sslService.createSSLContext(clientAuth);
             } else {
                 sslContext = null;
             }

nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-processors/src/test/java/org/apache/nifi/processors/cassandra/AbstractCassandraProcessorTest.java

@@ -232,23 +232,6 @@ public class AbstractCassandraProcessorTest {
         assertNotNull(processor.getCluster());
     }
 
-    @Test(expected = IllegalStateException.class)
-    public void testConnectToCassandraWithSSLBadClientAuth() throws Exception {
-        SSLContextService sslService = mock(SSLContextService.class);
-        when(sslService.getIdentifier()).thenReturn("ssl-context");
-        testRunner.addControllerService("ssl-context", sslService);
-        testRunner.enableControllerService(sslService);
-        testRunner.setProperty(AbstractCassandraProcessor.PROP_SSL_CONTEXT_SERVICE, "ssl-context");
-        testRunner.setProperty(AbstractCassandraProcessor.CONSISTENCY_LEVEL, "ONE");
-        testRunner.assertValid(sslService);
-        processor.connectToCassandra(testRunner.getProcessContext());
-        assertNotNull(processor.getCluster());
-        processor.setCluster(null);
-        // Try with a ClientAuth value
-        testRunner.setProperty(AbstractCassandraProcessor.CLIENT_AUTH, "BAD");
-        processor.connectToCassandra(testRunner.getProcessContext());
-    }
-
     @Test
     public void testConnectToCassandraUsernamePassword() throws Exception {
         testRunner.setProperty(AbstractCassandraProcessor.USERNAME, "user");

nifi-nar-bundles/nifi-cassandra-bundle/nifi-cassandra-services/src/main/java/org/apache/nifi/service/CassandraSessionProvider.java

@@ -28,12 +28,10 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
 import javax.net.ssl.SSLContext;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnDisabled;
 import org.apache.nifi.annotation.lifecycle.OnEnabled;
-import org.apache.nifi.authentication.exception.ProviderCreationException;
 import org.apache.nifi.cassandra.CassandraSessionProviderService;
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.components.PropertyValue;
@@ -219,24 +217,12 @@ public class CassandraSessionProvider extends AbstractControllerService implemen
             // Set up the client for secure (SSL/TLS communications) if configured to do so
             final SSLContextService sslService =
                     context.getProperty(PROP_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
-            final String rawClientAuth = context.getProperty(CLIENT_AUTH).getValue();
             final SSLContext sslContext;
 
-            if (sslService != null) {
+            if (sslService == null) {
-                final ClientAuth clientAuth;
-                if (StringUtils.isBlank(rawClientAuth)) {
-                    clientAuth = ClientAuth.REQUIRED;
-                } else {
-                    try {
-                        clientAuth = ClientAuth.valueOf(rawClientAuth);
-                    } catch (final IllegalArgumentException iae) {
-                        throw new ProviderCreationException(String.format("Unrecognized client auth '%s'. Possible values are [%s]",
-                                rawClientAuth, StringUtils.join(ClientAuth.values(), ", ")));
-                    }
-                }
-                sslContext = sslService.createSSLContext(clientAuth);
-            } else {
                 sslContext = null;
+            } else {
+                sslContext = sslService.createContext();;
             }
 
             final String username, password;

nifi-nar-bundles/nifi-confluent-platform-bundle/nifi-confluent-schema-registry-service/src/main/java/org/apache/nifi/confluent/schemaregistry/ConfluentSchemaRegistry.java

@@ -51,13 +51,10 @@ import org.apache.nifi.processor.util.StandardValidators;
 import org.apache.nifi.schema.access.SchemaField;
 import org.apache.nifi.schema.access.SchemaNotFoundException;
 import org.apache.nifi.schemaregistry.services.SchemaRegistry;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.serialization.record.RecordSchema;
 import org.apache.nifi.serialization.record.SchemaIdentifier;
 import org.apache.nifi.ssl.SSLContextService;
 
-
-
 @Tags({"schema", "registry", "confluent", "avro", "kafka"})
 @CapabilityDescription("Provides a Schema Registry that interacts with the Confluent Schema Registry so that those Schemas that are stored in the Confluent Schema "
     + "Registry can be used in NiFi. The Confluent Schema Registry has a notion of a \"subject\" for schemas, which is their terminology for a schema name. When a Schema "
@@ -171,7 +168,7 @@ public class ConfluentSchemaRegistry extends AbstractControllerService implement
         if (sslContextService == null) {
             sslContext = null;
         } else {
-            sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED);
+            sslContext = sslContextService.createContext();
         }
 
         final String username = context.getProperty(USERNAME).getValue();

nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-client-service/src/main/java/org/apache/nifi/elasticsearch/ElasticSearchClientServiceImpl.java

@@ -49,7 +49,6 @@ import org.apache.nifi.controller.AbstractControllerService;
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.processor.exception.ProcessException;
 import org.apache.nifi.reporting.InitializationException;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.util.StopWatch;
 import org.apache.nifi.util.StringUtils;
@@ -125,7 +124,7 @@ public class ElasticSearchClientServiceImpl extends AbstractControllerService im
         final SSLContext sslContext;
         try {
             sslContext = (sslService != null && (sslService.isKeyStoreConfigured() || sslService.isTrustStoreConfigured()))
-                    ? sslService.createSSLContext(ClientAuth.NONE) : null;
+                    ? sslService.createContext() : null;
         } catch (Exception e) {
             getLogger().error("Error building up SSL Context from the supplied configuration.", e);
             throw new InitializationException(e);

nifi-nar-bundles/nifi-email-bundle/nifi-email-processors/src/main/java/org/apache/nifi/processors/email/ListenSMTP.java

@@ -249,16 +249,16 @@ public class ListenSMTP extends AbstractSessionFactoryProcessor {
             @Override
             public SSLSocket createSSLSocket(Socket socket) throws IOException {
                 InetSocketAddress remoteAddress = (InetSocketAddress) socket.getRemoteSocketAddress();
-                String clientAuth = context.getProperty(CLIENT_AUTH).getValue();
+                final String clientAuth = context.getProperty(CLIENT_AUTH).getValue();
-                SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuth));
+                final SSLContext sslContext = sslContextService.createContext();
-                SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+                final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
-                SSLSocket sslSocket = (SSLSocket) (socketFactory.createSocket(socket, remoteAddress.getHostName(), socket.getPort(), true));
+                final SSLSocket sslSocket = (SSLSocket) socketFactory.createSocket(socket, remoteAddress.getHostName(), socket.getPort(), true);
                 final TlsConfiguration tlsConfiguration = sslContextService.createTlsConfiguration();
                 sslSocket.setEnabledProtocols(tlsConfiguration.getEnabledProtocols());
 
                 sslSocket.setUseClientMode(false);
 
-                if (ClientAuth.REQUIRED.toString().equals(clientAuth)) {
+                if (ClientAuth.REQUIRED.getType().equals(clientAuth)) {
                     this.setRequireTLS(true);
                     sslSocket.setNeedClientAuth(true);
                 }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/groovy/org/apache/nifi/controller/queue/clustered/server/ConnectionLoadBalanceServerTest.groovy

@@ -18,7 +18,6 @@ package org.apache.nifi.controller.queue.clustered.server
 
 import org.apache.nifi.events.EventReporter
 import org.apache.nifi.reporting.Severity
-import org.apache.nifi.security.util.ClientAuth
 import org.apache.nifi.security.util.KeyStoreUtils
 import org.apache.nifi.security.util.KeystoreType
 import org.apache.nifi.security.util.SslContextFactory
@@ -99,7 +98,7 @@ class ConnectionLoadBalanceServerTest extends GroovyTestCase {
     void testRequestPeerListShouldUseTLS() {
         // Arrange
         logger.info("Creating SSL Context from TLS Configuration: ${tlsConfiguration}")
-        SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.NONE)
+        SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration)
         logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}")
 
         def mockLBP = [

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/src/test/java/org/apache/nifi/controller/queue/clustered/LoadBalancedQueueIT.java

@@ -92,7 +92,6 @@ import org.apache.nifi.controller.repository.claim.ResourceClaimManager;
 import org.apache.nifi.controller.repository.claim.StandardResourceClaimManager;
 import org.apache.nifi.events.EventReporter;
 import org.apache.nifi.provenance.ProvenanceRepository;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.security.util.KeystoreType;
 import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.StandardTlsConfiguration;
@@ -195,7 +194,7 @@ public class LoadBalancedQueueIT {
         final String truststorePass = "wAOR0nQJ2EXvOP0JZ2EaqA/n7W69ILS4sWAHghmIWCc";
         TlsConfiguration tlsConfiguration = new StandardTlsConfiguration(keystore, keystorePass, keyPass, KeystoreType.JKS,
                 truststore, truststorePass, KeystoreType.JKS, TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
-        sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED);
+        sslContext = SslContextFactory.createSslContext(tlsConfiguration);
     }
 
 

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/src/test/groovy/org/apache/nifi/remote/SocketRemoteSiteListenerTest.groovy

@@ -16,14 +16,11 @@
  */
 package org.apache.nifi.remote
 
-
-import org.apache.nifi.security.util.ClientAuth
 import org.apache.nifi.security.util.KeyStoreUtils
 import org.apache.nifi.security.util.KeystoreType
 import org.apache.nifi.security.util.SslContextFactory
 import org.apache.nifi.security.util.StandardTlsConfiguration
 import org.apache.nifi.security.util.TlsConfiguration
-import org.apache.nifi.security.util.TlsPlatform
 import org.apache.nifi.util.NiFiProperties
 import org.bouncycastle.jce.provider.BouncyCastleProvider
 import org.junit.After
@@ -115,7 +112,7 @@ class SocketRemoteSiteListenerTest extends GroovyTestCase {
     void testShouldCreateSecureServer() {
         // Arrange
         logger.info("Creating SSL Context from TLS Configuration: ${tlsConfiguration}")
-        SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.NONE)
+        SSLContext sslContext = SslContextFactory.createSslContext(tlsConfiguration)
         logger.info("Created SSL Context: ${KeyStoreUtils.sslContextToString(sslContext)}")
 
         srsListener = new SocketRemoteSiteListener(PORT, sslContext, mockNiFiProperties)
@@ -130,11 +127,5 @@ class SocketRemoteSiteListenerTest extends GroovyTestCase {
         logger.info("Created SSL server socket: ${KeyStoreUtils.sslServerSocketToString(sslServerSocket)}" as String)
         assertProtocolVersions(sslServerSocket.enabledProtocols, TlsConfiguration.getCurrentSupportedTlsProtocolVersions())
         assert sslServerSocket.needClientAuth
-
-        // Assert that the default parameters (which can't be modified) still have legacy protocols and no client auth
-        def defaultSSLParameters = sslContext.defaultSSLParameters
-        logger.info("Default SSL Parameters: ${KeyStoreUtils.sslParametersToString(defaultSSLParameters)}" as String)
-        assertProtocolVersions(defaultSSLParameters.getProtocols(), TlsPlatform.supportedProtocols)
-        assert !defaultSSLParameters.needClientAuth
     }
 }

nifi-nar-bundles/nifi-framework-bundle/nifi-stateless-bundle/nifi-stateless-engine/src/main/java/org/apache/nifi/stateless/config/SslConfigurationUtil.java

@@ -17,7 +17,6 @@
 
 package org.apache.nifi.stateless.config;
 
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.StandardTlsConfiguration;
 import org.apache.nifi.security.util.TlsConfiguration;
@@ -36,7 +35,7 @@ public class SslConfigurationUtil {
         final TlsConfiguration tlsConfiguration = createTlsConfiguration(sslContextDefinition);
 
         try {
-            return SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED);
+            return SslContextFactory.createSslContext(tlsConfiguration);
         } catch (final Exception e) {
             throw new StatelessConfigurationException("Failed to create SSL Context", e);
         }

nifi-nar-bundles/nifi-jms-bundle/nifi-jms-processors/src/main/java/org/apache/nifi/jms/cf/JMSConnectionFactoryHandler.java

@@ -31,7 +31,6 @@ import org.apache.nifi.context.PropertyContext;
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.logging.ComponentLog;
 import org.apache.nifi.processor.ProcessContext;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 
 /**
@@ -173,7 +172,7 @@ public class JMSConnectionFactoryHandler implements IJMSConnectionFactoryProvide
 
         SSLContextService sc = context.getProperty(JMS_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
         if (sc != null) {
-            SSLContext ssl = sc.createSSLContext(ClientAuth.NONE);
+            SSLContext ssl = sc.createContext();
             setProperty("sSLSocketFactory", ssl.getSocketFactory());
         }
 

nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/LdapProvider.java

@@ -32,7 +32,6 @@ import org.apache.nifi.authentication.exception.InvalidLoginCredentialsException
 import org.apache.nifi.authentication.exception.ProviderCreationException;
 import org.apache.nifi.authentication.exception.ProviderDestructionException;
 import org.apache.nifi.configuration.NonComponentConfigurationContext;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.StandardTlsConfiguration;
 import org.apache.nifi.security.util.TlsConfiguration;
@@ -253,14 +252,12 @@ public class LdapProvider implements LoginIdentityProvider {
         final String rawTruststore = configurationContext.getProperty("TLS - Truststore");
         final String rawTruststorePassword = configurationContext.getProperty("TLS - Truststore Password");
         final String rawTruststoreType = configurationContext.getProperty("TLS - Truststore Type");
-        final String rawClientAuth = configurationContext.getProperty("TLS - Client Auth");
         final String rawProtocol = configurationContext.getProperty("TLS - Protocol");
 
         try {
             TlsConfiguration tlsConfiguration = new StandardTlsConfiguration(rawKeystore, rawKeystorePassword, null, rawKeystoreType,
                     rawTruststore, rawTruststorePassword, rawTruststoreType, rawProtocol);
-            ClientAuth clientAuth = ClientAuth.isValidClientAuthType(rawClientAuth) ? ClientAuth.valueOf(rawClientAuth) : ClientAuth.NONE;
+            return SslContextFactory.createSslContext(tlsConfiguration);
-            return SslContextFactory.createSslContext(tlsConfiguration, clientAuth);
         } catch (TlsException e) {
             logger.error("Encountered an error configuring TLS for LDAP identity provider: {}", e.getLocalizedMessage());
             throw new ProviderCreationException("Error configuring TLS for LDAP identity provider", e);

nifi-nar-bundles/nifi-ldap-iaa-providers-bundle/nifi-ldap-iaa-providers/src/main/java/org/apache/nifi/ldap/tenants/LdapUserGroupProvider.java

@@ -34,7 +34,6 @@ import org.apache.nifi.components.PropertyValue;
 import org.apache.nifi.ldap.LdapAuthenticationStrategy;
 import org.apache.nifi.ldap.LdapsSocketFactory;
 import org.apache.nifi.ldap.ReferralStrategy;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.StandardTlsConfiguration;
 import org.apache.nifi.security.util.TlsConfiguration;
@@ -827,14 +826,12 @@ public class LdapUserGroupProvider implements UserGroupProvider {
         final String rawTruststore = configurationContext.getProperty("TLS - Truststore").getValue();
         final String rawTruststorePassword = configurationContext.getProperty("TLS - Truststore Password").getValue();
         final String rawTruststoreType = configurationContext.getProperty("TLS - Truststore Type").getValue();
-        final String rawClientAuth = configurationContext.getProperty("TLS - Client Auth").getValue();
         final String rawProtocol = configurationContext.getProperty("TLS - Protocol").getValue();
 
         try {
             TlsConfiguration tlsConfiguration = new StandardTlsConfiguration(rawKeystore, rawKeystorePassword, null, rawKeystoreType,
                     rawTruststore, rawTruststorePassword, rawTruststoreType, rawProtocol);
-            ClientAuth clientAuth = ClientAuth.isValidClientAuthType(rawClientAuth) ? ClientAuth.valueOf(rawClientAuth) : ClientAuth.NONE;
+            return SslContextFactory.createSslContext(tlsConfiguration);
-            return SslContextFactory.createSslContext(tlsConfiguration, clientAuth);
         } catch (TlsException e) {
             logger.error("Encountered an error configuring TLS for LDAP user group provider: {}", e.getLocalizedMessage());
             throw new ProviderCreationException("Error configuring TLS for LDAP user group provider", e);

nifi-nar-bundles/nifi-lumberjack-bundle/nifi-lumberjack-processors/src/main/java/org/apache/nifi/processors/lumberjack/ListenLumberjack.java

@@ -48,7 +48,6 @@ import org.apache.nifi.processors.lumberjack.frame.LumberjackEncoder;
 import org.apache.nifi.processors.lumberjack.handler.LumberjackSocketChannelHandlerFactory;
 import org.apache.nifi.processors.lumberjack.response.LumberjackChannelResponse;
 import org.apache.nifi.processors.lumberjack.response.LumberjackResponse;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.RestrictedSSLContextService;
 import org.apache.nifi.ssl.SSLContextService;
 
@@ -143,7 +142,7 @@ public class ListenLumberjack extends AbstractListenEventBatchingProcessor<Lumbe
         SSLContext sslContext = null;
         final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
         if (sslContextService != null) {
-            sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED);
+            sslContext = sslContextService.createContext();
         }
 
         // if we decide to support SSL then get the context and pass it in here

nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-processors/src/main/java/org/apache/nifi/processors/mongodb/AbstractMongoProcessor.java

@@ -241,22 +241,10 @@ public abstract class AbstractMongoProcessor extends AbstractProcessor {
 
         // Set up the client for secure (SSL/TLS communications) if configured to do so
         final SSLContextService sslService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
-        final String rawClientAuth = context.getProperty(CLIENT_AUTH).getValue();
         final SSLContext sslContext;
 
         if (sslService != null) {
-            final ClientAuth clientAuth;
+            sslContext = sslService.createContext();
-            if (StringUtils.isBlank(rawClientAuth)) {
-                clientAuth = ClientAuth.REQUIRED;
-            } else {
-                try {
-                    clientAuth = ClientAuth.valueOf(rawClientAuth);
-                } catch (final IllegalArgumentException iae) {
-                    throw new IllegalStateException(String.format("Unrecognized client auth '%s'. Possible values are [%s]",
-                            rawClientAuth, StringUtils.join(ClientAuth.values(), ", ")));
-                }
-            }
-            sslContext = sslService.createSSLContext(clientAuth);
         } else {
             sslContext = null;
         }

nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-processors/src/test/java/org/apache/nifi/processors/mongodb/AbstractMongoProcessorTest.java

@@ -17,7 +17,6 @@
 package org.apache.nifi.processors.mongodb;
 
 import static org.junit.Assert.assertNotNull;
-import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -27,7 +26,6 @@ import javax.net.ssl.SSLContext;
 import org.apache.nifi.processor.ProcessContext;
 import org.apache.nifi.processor.ProcessSession;
 import org.apache.nifi.processor.exception.ProcessException;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.util.TestRunner;
 import org.apache.nifi.util.TestRunners;
@@ -46,11 +44,11 @@ public class AbstractMongoProcessorTest {
     }
 
     @Test
-    public void testcreateClientWithSSL() throws Exception {
+    public void testCreateClientWithSSL() throws Exception {
         SSLContextService sslService = mock(SSLContextService.class);
         SSLContext sslContext = mock(SSLContext.class);
         when(sslService.getIdentifier()).thenReturn("ssl-context");
-        when(sslService.createSSLContext(any(ClientAuth.class))).thenReturn(sslContext);
+        when(sslService.createContext()).thenReturn(sslContext);
         testRunner.addControllerService("ssl-context", sslService);
         testRunner.enableControllerService(sslService);
         testRunner.setProperty(AbstractMongoProcessor.URI, "mongodb://localhost:27017");
@@ -59,30 +57,10 @@ public class AbstractMongoProcessorTest {
         processor.createClient(testRunner.getProcessContext());
         assertNotNull(processor.mongoClient);
         processor.mongoClient = null;
-        testRunner.setProperty(AbstractMongoProcessor.CLIENT_AUTH, "WANT");
         processor.createClient(testRunner.getProcessContext());
         assertNotNull(processor.mongoClient);
     }
 
-    @Test(expected = IllegalStateException.class)
-    public void testcreateClientWithSSLBadClientAuth() throws Exception {
-        SSLContextService sslService = mock(SSLContextService.class);
-        SSLContext sslContext = mock(SSLContext.class);
-        when(sslService.getIdentifier()).thenReturn("ssl-context");
-        when(sslService.createSSLContext(any(ClientAuth.class))).thenReturn(sslContext);
-        testRunner.addControllerService("ssl-context", sslService);
-        testRunner.enableControllerService(sslService);
-        testRunner.setProperty(AbstractMongoProcessor.URI, "mongodb://localhost:27017");
-        testRunner.setProperty(AbstractMongoProcessor.SSL_CONTEXT_SERVICE, "ssl-context");
-        testRunner.assertValid(sslService);
-        processor.createClient(testRunner.getProcessContext());
-        assertNotNull(processor.mongoClient);
-        processor.mongoClient = null;
-        testRunner.setProperty(AbstractMongoProcessor.CLIENT_AUTH, "BAD");
-        processor.createClient(testRunner.getProcessContext());
-    }
-
-
     /**
      * Provides a stubbed processor instance for testing
      */

nifi-nar-bundles/nifi-mongodb-bundle/nifi-mongodb-services/src/main/java/org/apache/nifi/mongodb/MongoDBControllerService.java

@@ -25,7 +25,6 @@ import com.mongodb.client.MongoDatabase;
 import java.util.ArrayList;
 import java.util.List;
 import javax.net.ssl.SSLContext;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.annotation.lifecycle.OnDisabled;
@@ -34,7 +33,6 @@ import org.apache.nifi.annotation.lifecycle.OnStopped;
 import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.controller.AbstractControllerService;
 import org.apache.nifi.controller.ConfigurationContext;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 
 @Tags({"mongo", "mongodb", "service"})
@@ -71,24 +69,12 @@ public class MongoDBControllerService extends AbstractControllerService implemen
 
         // Set up the client for secure (SSL/TLS communications) if configured to do so
         final SSLContextService sslService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
-        final String rawClientAuth = context.getProperty(CLIENT_AUTH).getValue();
         final SSLContext sslContext;
 
-        if (sslService != null) {
+        if (sslService == null) {
-            final ClientAuth clientAuth;
-            if (StringUtils.isBlank(rawClientAuth)) {
-                clientAuth = ClientAuth.REQUIRED;
-            } else {
-                try {
-                    clientAuth = ClientAuth.valueOf(rawClientAuth);
-                } catch (final IllegalArgumentException iae) {
-                    throw new IllegalStateException(String.format("Unrecognized client auth '%s'. Possible values are [%s]",
-                            rawClientAuth, StringUtils.join(ClientAuth.values(), ", ")));
-                }
-            }
-            sslContext = sslService.createSSLContext(clientAuth);
-        } else {
             sslContext = null;
+        } else {
+            sslContext = sslService.createContext();
         }
 
         try {

nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/s2s/SiteToSiteUtils.java

@@ -33,7 +33,6 @@ import org.apache.nifi.remote.protocol.SiteToSiteTransportProtocol;
 import org.apache.nifi.remote.protocol.http.HttpProxy;
 import org.apache.nifi.remote.util.SiteToSiteRestApiClient;
 import org.apache.nifi.reporting.ReportingContext;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.RestrictedSSLContextService;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.util.StringUtils;
@@ -147,7 +146,7 @@ public class SiteToSiteUtils {
 
     public static SiteToSiteClient getClient(PropertyContext reportContext, ComponentLog logger, StateManager stateManager) {
         final SSLContextService sslContextService = reportContext.getProperty(SiteToSiteUtils.SSL_CONTEXT).asControllerService(SSLContextService.class);
-        final SSLContext sslContext = sslContextService == null ? null : sslContextService.createSSLContext(ClientAuth.REQUIRED);
+        final SSLContext sslContext = sslContextService == null ? null : sslContextService.createContext();
         final EventReporter eventReporter = (EventReporter) (severity, category, message) -> {
             switch (severity) {
                 case WARNING:

nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/main/java/org/apache/nifi/processors/solr/SolrUtils.java

@@ -55,7 +55,6 @@ import org.apache.nifi.kerberos.KerberosCredentialsService;
 import org.apache.nifi.processor.ProcessContext;
 import org.apache.nifi.processor.io.OutputStreamCallback;
 import org.apache.nifi.processor.util.StandardValidators;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.serialization.RecordSetWriterFactory;
 import org.apache.nifi.serialization.record.DataType;
 import org.apache.nifi.serialization.record.ListRecordSet;
@@ -78,13 +77,9 @@ import org.apache.solr.common.SolrDocument;
 import org.apache.solr.common.SolrInputDocument;
 import org.apache.solr.common.params.ModifiableSolrParams;
 import org.apache.solr.common.params.MultiMapSolrParams;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 public class SolrUtils {
 
-    static final Logger LOGGER = LoggerFactory.getLogger(SolrUtils.class);
-
     public static final AllowableValue SOLR_TYPE_CLOUD = new AllowableValue(
             "Cloud", "Cloud", "A SolrCloud instance.");
 
@@ -251,7 +246,7 @@ public class SolrUtils {
         }
 
         if (sslContextService != null) {
-            final SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED);
+            final SSLContext sslContext = sslContextService.createContext();
             final SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext);
             HttpClientUtil.setSchemaRegistryProvider(new HttpClientUtil.SchemaRegistryProvider() {
                 @Override

nifi-nar-bundles/nifi-solr-bundle/nifi-solr-processors/src/test/java/org/apache/nifi/processors/solr/MockSSLContextService.java

@@ -34,6 +34,11 @@ public class MockSSLContextService extends AbstractControllerService implements
         return null;
     }
 
+    @Override
+    public SSLContext createContext() {
+        return null;
+    }
+
     @Override
     public SSLContext createSSLContext(org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException {
         return null;

nifi-nar-bundles/nifi-spark-bundle/nifi-livy-controller-service/src/main/java/org/apache/nifi/controller/livy/LivySessionController.java

@@ -77,7 +77,6 @@ import org.apache.nifi.hadoop.KerberosKeytabSPNegoAuthSchemeProvider;
 import org.apache.nifi.kerberos.KerberosCredentialsService;
 import org.apache.nifi.logging.ComponentLog;
 import org.apache.nifi.processor.util.StandardValidators;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 import org.codehaus.jettison.json.JSONException;
 import org.codehaus.jettison.json.JSONObject;
@@ -225,7 +224,7 @@ public class LivySessionController extends AbstractControllerService implements
         final String jars = context.getProperty(JARS).evaluateAttributeExpressions().getValue();
         final String files = context.getProperty(FILES).evaluateAttributeExpressions().getValue();
         sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
-        sslContext = sslContextService == null ? null : sslContextService.createSSLContext(ClientAuth.NONE);
+        sslContext = sslContextService == null ? null : sslContextService.createContext();
         connectTimeout = Math.toIntExact(context.getProperty(CONNECT_TIMEOUT).asTimePeriod(TimeUnit.MILLISECONDS));
         credentialsService = context.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
 

nifi-nar-bundles/nifi-splunk-bundle/nifi-splunk-processors/src/main/java/org/apache/nifi/processors/splunk/PutSplunk.java

@@ -45,7 +45,6 @@ import org.apache.nifi.processor.exception.ProcessException;
 import org.apache.nifi.processor.io.InputStreamCallback;
 import org.apache.nifi.processor.util.put.AbstractPutEventProcessor;
 import org.apache.nifi.processor.util.put.sender.ChannelSender;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.stream.io.ByteCountingInputStream;
 import org.apache.nifi.stream.io.StreamUtils;
@@ -120,7 +119,7 @@ public class PutSplunk extends AbstractPutEventProcessor {
 
         SSLContext sslContext = null;
         if (sslContextService != null) {
-            sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED);
+            sslContext = sslContextService.createContext();
         }
 
         return createSender(protocol, host, port, timeout, maxSendBuffer, sslContext);

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java

@@ -98,7 +98,6 @@ import org.apache.nifi.processor.Relationship;
 import org.apache.nifi.processor.exception.ProcessException;
 import org.apache.nifi.processor.util.StandardValidators;
 import org.apache.nifi.processors.standard.util.HTTPUtils;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.security.util.KeyStoreUtils;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.util.StopWatch;
@@ -439,7 +438,8 @@ public class GetHTTP extends AbstractSessionFactoryProcessor {
 
             // set the ssl context if necessary
             if (sslContextService != null) {
-                clientBuilder.setSslcontext(sslContextService.createSSLContext(ClientAuth.REQUIRED));
+                final SSLContext sslContext = sslContextService.createContext();
+                clientBuilder.setSSLContext(sslContext);
             }
 
             final String username = context.getProperty(USERNAME).getValue();

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java

@@ -403,12 +403,19 @@ public class ListenHTTP extends AbstractSessionFactoryProcessor {
     }
 
     private SslContextFactory createSslContextFactory(SSLContextService sslContextService, final ClientAuth clientAuth) {
-        final SslContextFactory contextFactory = new SslContextFactory.Server();
+        final SslContextFactory.Server contextFactory = new SslContextFactory.Server();
-        final SSLContext sslContext = sslContextService.createSSLContext(clientAuth);
+        final SSLContext sslContext = sslContextService.createContext();
         contextFactory.setSslContext(sslContext);
 
         final TlsConfiguration tlsConfiguration = sslContextService.createTlsConfiguration();
         contextFactory.setIncludeProtocols(tlsConfiguration.getEnabledProtocols());
+
+        if (ClientAuth.REQUIRED.equals(clientAuth)) {
+            contextFactory.setNeedClientAuth(true);
+        } else if (ClientAuth.WANT.equals(clientAuth)) {
+            contextFactory.setWantClientAuth(true);
+        }
+
         return contextFactory;
     }
 

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenRELP.java

@@ -146,9 +146,8 @@ public class ListenRELP extends AbstractListenEventBatchingProcessor<RELPEvent>
         final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
         if (sslContextService != null) {
             final String clientAuthValue = context.getProperty(CLIENT_AUTH).getValue();
-            sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuthValue));
+            sslContext = sslContextService.createContext();
             clientAuth = ClientAuth.valueOf(clientAuthValue);
-
         }
 
         // if we decide to support SSL then get the context and pass it in here

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenSyslog.java

@@ -347,7 +347,7 @@ public class ListenSyslog extends AbstractSyslogProcessor {
 
             if (sslContextService != null) {
                 final String clientAuthValue = context.getProperty(CLIENT_AUTH).getValue();
-                sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuthValue));
+                sslContext = sslContextService.createContext();
                 clientAuth = ClientAuth.valueOf(clientAuthValue);
             }
 

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCP.java

@@ -177,7 +177,7 @@ public class ListenTCP extends AbstractListenEventBatchingProcessor<StandardEven
         final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
         if (sslContextService != null) {
             final String clientAuthValue = context.getProperty(CLIENT_AUTH).getValue();
-            sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuthValue));
+            sslContext = sslContextService.createContext();
             clientAuth = ClientAuth.valueOf(clientAuthValue);
         }
 

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenTCPRecord.java

@@ -280,7 +280,7 @@ public class ListenTCPRecord extends AbstractProcessor {
         final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
         if (sslContextService != null) {
             final String clientAuthValue = context.getProperty(CLIENT_AUTH).getValue();
-            sslContext = sslContextService.createSSLContext(ClientAuth.valueOf(clientAuthValue));
+            sslContext = sslContextService.createContext();
             clientAuth = ClientAuth.valueOf(clientAuthValue);
         }
 

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutSyslog.java

@@ -54,7 +54,6 @@ import org.apache.nifi.processor.util.put.sender.ChannelSender;
 import org.apache.nifi.processor.util.put.sender.DatagramChannelSender;
 import org.apache.nifi.processor.util.put.sender.SSLSocketChannelSender;
 import org.apache.nifi.processor.util.put.sender.SocketChannelSender;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.syslog.parsers.SyslogParser;
 import org.apache.nifi.util.StopWatch;
@@ -249,7 +248,7 @@ public class PutSyslog extends AbstractSyslogProcessor {
         } else {
             // if an SSLContextService is provided then we make a secure sender
             if (sslContextService != null) {
-                final SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED);
+                final SSLContext sslContext = sslContextService.createContext();
                 sender = new SSLSocketChannelSender(host, port, maxSendBufferSize, sslContext, getLogger());
             } else {
                 sender = new SocketChannelSender(host, port, maxSendBufferSize, getLogger());

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutTCP.java

@@ -42,7 +42,6 @@ import org.apache.nifi.processor.exception.ProcessException;
 import org.apache.nifi.processor.util.put.AbstractPutEventProcessor;
 import org.apache.nifi.processor.util.put.sender.ChannelSender;
 import org.apache.nifi.processor.util.put.sender.SocketChannelSender;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.util.StopWatch;
 
@@ -115,7 +114,7 @@ public class PutTCP extends AbstractPutEventProcessor {
 
         SSLContext sslContext = null;
         if (sslContextService != null) {
-            sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED);
+            sslContext = sslContextService.createContext();
         }
 
         return createSender(protocol, hostname, port, timeout, bufferSize, sslContext);

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestGetHTTPGroovy.groovy

@@ -366,7 +366,7 @@ class TestGetHTTPGroovy extends GroovyTestCase {
         runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, KEYSTORE_TYPE)
         runner.setProperty(sslContextService, StandardSSLContextService.SSL_ALGORITHM, protocol)
         runner.enableControllerService(sslContextService)
-        def sslContext = sslContextService.createSSLContext(org.apache.nifi.security.util.ClientAuth.NONE)
+        def sslContext = sslContextService.createContext();
         logger.info("GetHTTP supported protocols: ${sslContext.protocol}")
         logger.info("GetHTTP supported cipher suites: ${sslContext.supportedSSLParameters.cipherSuites}")
     }

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestPostHTTPGroovy.groovy

@@ -330,7 +330,7 @@ class TestPostHTTPGroovy extends GroovyTestCase {
         runner.setProperty(sslContextService, StandardSSLContextService.TRUSTSTORE_TYPE, KEYSTORE_TYPE)
         runner.setProperty(sslContextService, StandardSSLContextService.SSL_ALGORITHM, protocol)
         runner.enableControllerService(sslContextService)
-        def sslContext = sslContextService.createSSLContext(org.apache.nifi.security.util.ClientAuth.NONE)
+        def sslContext = sslContextService.createContext();
         logger.info("PostHTTP supported protocols: ${sslContext.protocol}")
         logger.info("PostHTTP supported cipher suites: ${sslContext.supportedSSLParameters.cipherSuites}")
     }

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/ITestHandleHttpRequest.java

@@ -60,7 +60,6 @@ import org.apache.nifi.http.HttpContextMap;
 import org.apache.nifi.processor.ProcessContext;
 import org.apache.nifi.processors.standard.util.HTTPUtils;
 import org.apache.nifi.reporting.InitializationException;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.StandardTlsConfiguration;
 import org.apache.nifi.security.util.TlsConfiguration;
@@ -107,7 +106,7 @@ public class ITestHandleHttpRequest {
         return properties;
     }
 
-    private static SSLContext useSSLContextService(final TestRunner controller, final Map<String, String> sslProperties, ClientAuth clientAuth) {
+    private static SSLContext useSSLContextService(final TestRunner controller, final Map<String, String> sslProperties) {
         final SSLContextService service = new StandardRestrictedSSLContextService();
         try {
             controller.addControllerService("ssl-service", service, sslProperties);
@@ -118,7 +117,7 @@ public class ITestHandleHttpRequest {
         }
 
         controller.setProperty(HandleHttpRequest.SSL_CONTEXT, "ssl-service");
-        return service.createSSLContext(clientAuth);
+        return service.createContext();
     }
 
     @Before
@@ -653,7 +652,7 @@ public class ITestHandleHttpRequest {
         final Map<String, String> sslProperties = getServerKeystoreProperties();
         sslProperties.putAll(getTruststoreProperties());
         sslProperties.put(StandardSSLContextService.SSL_ALGORITHM.getName(), TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
-        useSSLContextService(runner, sslProperties, twoWaySsl ? ClientAuth.REQUIRED : ClientAuth.NONE);
+        useSSLContextService(runner, sslProperties);
 
         final Thread httpThread = new Thread(new Runnable() {
             @Override

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenRELP.java

@@ -38,7 +38,6 @@ import org.apache.nifi.processors.standard.relp.response.RELPResponse;
 import org.apache.nifi.provenance.ProvenanceEventRecord;
 import org.apache.nifi.provenance.ProvenanceEventType;
 import org.apache.nifi.reporting.InitializationException;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.ssl.StandardSSLContextService;
 import org.apache.nifi.util.MockFlowFile;
@@ -226,7 +225,7 @@ public class TestListenRELP {
 
             // create either a regular socket or ssl socket based on context being passed in
             if (sslContextService != null) {
-                final SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED);
+                final SSLContext sslContext = sslContextService.createContext();
                 socket = sslContext.getSocketFactory().createSocket("localhost", realPort);
             } else {
                 socket = new Socket("localhost", realPort);

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/TestListenTCP.java

@@ -140,7 +140,7 @@ public class TestListenTCP {
         messages.add("This is message 5\n");
 
         // Make an SSLContext with a key and trust store to send the test messages
-        final SSLContext clientSslContext = SslContextFactory.createSslContext(clientTlsConfiguration, ClientAuth.NONE);
+        final SSLContext clientSslContext = SslContextFactory.createSslContext(clientTlsConfiguration);
 
         runTCP(messages, messages.size(), clientSslContext);
 

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/java/org/apache/nifi/processors/standard/util/TCPTestServer.java

@@ -26,7 +26,6 @@ import java.util.List;
 import java.util.concurrent.ArrayBlockingQueue;
 import javax.net.ServerSocketFactory;
 import javax.net.ssl.SSLContext;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.security.util.SslContextFactory;
 import org.apache.nifi.security.util.StandardTlsConfiguration;
 import org.apache.nifi.security.util.TlsConfiguration;
@@ -57,7 +56,7 @@ public class TCPTestServer implements Runnable {
             if(ssl){
                 TlsConfiguration tlsConfiguration = new StandardTlsConfiguration("src/test/resources/keystore.jks","passwordpassword", null, "JKS", "src/test/resources/truststore.jks",
                         "passwordpassword", "JKS", TlsConfiguration.getHighestCurrentSupportedTlsProtocolVersion());
-                final SSLContext sslCtx = SslContextFactory.createSslContext(tlsConfiguration, ClientAuth.REQUIRED);
+                final SSLContext sslCtx = SslContextFactory.createSslContext(tlsConfiguration);
 
                 ServerSocketFactory sslSocketFactory = sslCtx.getServerSocketFactory();
                 serverSocket = sslSocketFactory.createServerSocket(0, 0, ipAddress);

nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-client-service/src/main/java/org/apache/nifi/distributed/cache/client/DistributedMapCacheClientService.java

@@ -43,7 +43,6 @@ import org.apache.nifi.distributed.cache.protocol.exception.HandshakeException;
 import org.apache.nifi.processor.util.StandardValidators;
 import org.apache.nifi.remote.StandardVersionNegotiator;
 import org.apache.nifi.remote.VersionNegotiator;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -408,7 +407,7 @@ public class DistributedMapCacheClientService extends AbstractControllerService
         if (sslContextService == null) {
             commsSession = new StandardCommsSession(hostname, port, timeoutMillis);
         } else {
-            commsSession = new SSLCommsSession(sslContextService.createSSLContext(ClientAuth.REQUIRED), hostname, port, timeoutMillis);
+            commsSession = new SSLCommsSession(sslContextService.createContext(), hostname, port, timeoutMillis);
         }
 
         commsSession.setTimeout(timeoutMillis, TimeUnit.MILLISECONDS);

nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-client-service/src/main/java/org/apache/nifi/distributed/cache/client/DistributedSetCacheClientService.java

@@ -39,7 +39,6 @@ import org.apache.nifi.distributed.cache.protocol.exception.HandshakeException;
 import org.apache.nifi.processor.util.StandardValidators;
 import org.apache.nifi.remote.StandardVersionNegotiator;
 import org.apache.nifi.remote.VersionNegotiator;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -115,7 +114,7 @@ public class DistributedSetCacheClientService extends AbstractControllerService
         if (sslContextService == null) {
             commsSession = new StandardCommsSession(hostname, port, timeoutMillis);
         } else {
-            commsSession = new SSLCommsSession(sslContextService.createSSLContext(ClientAuth.REQUIRED), hostname, port, timeoutMillis);
+            commsSession = new SSLCommsSession(sslContextService.createContext(), hostname, port, timeoutMillis);
         }
 
         commsSession.setTimeout(timeoutMillis, TimeUnit.MILLISECONDS);

nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/DistributedSetCacheServer.java

@@ -21,7 +21,6 @@ import javax.net.ssl.SSLContext;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
 import org.apache.nifi.controller.ConfigurationContext;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 
 @Tags({"distributed", "set", "distinct", "cache", "server"})
@@ -41,7 +40,7 @@ public class DistributedSetCacheServer extends DistributedCacheServer {
         if (sslContextService == null) {
             sslContext = null;
         } else {
-            sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED);
+            sslContext = sslContextService.createContext();
         }
 
         final EvictionPolicy evictionPolicy;

nifi-nar-bundles/nifi-standard-services/nifi-distributed-cache-services-bundle/nifi-distributed-cache-server/src/main/java/org/apache/nifi/distributed/cache/server/map/DistributedMapCacheServer.java

@@ -26,7 +26,6 @@ import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.distributed.cache.server.CacheServer;
 import org.apache.nifi.distributed.cache.server.DistributedCacheServer;
 import org.apache.nifi.distributed.cache.server.EvictionPolicy;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.ssl.SSLContextService;
 
 @Tags({"distributed", "cluster", "map", "cache", "server", "key/value"})
@@ -47,7 +46,7 @@ public class DistributedMapCacheServer extends DistributedCacheServer {
         if (sslContextService == null) {
             sslContext = null;
         } else {
-            sslContext = sslContextService.createSSLContext(ClientAuth.REQUIRED);
+            sslContext = sslContextService.createContext();
         }
 
         final EvictionPolicy evictionPolicy;

nifi-nar-bundles/nifi-standard-services/nifi-oauth2-provider-bundle/nifi-oauth2-provider-service/src/main/java/org/apache/nifi/oauth2/OAuth2TokenProviderImpl.java

@@ -34,7 +34,6 @@ import org.apache.nifi.components.PropertyDescriptor;
 import org.apache.nifi.controller.AbstractControllerService;
 import org.apache.nifi.controller.ConfigurationContext;
 import org.apache.nifi.processor.exception.ProcessException;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.security.util.OkHttpClientUtils;
 import org.apache.nifi.security.util.TlsConfiguration;
 import org.apache.nifi.ssl.SSLContextService;
@@ -60,7 +59,7 @@ public class OAuth2TokenProviderImpl extends AbstractControllerService implement
 
         sslService = context.getProperty(SSL_CONTEXT).asControllerService(SSLContextService.class);
 
-        sslContext = sslService == null ? null : sslService.createSSLContext(ClientAuth.NONE);
+        sslContext = sslService == null ? null : sslService.createContext();
     }
 
 

nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java

@@ -238,41 +238,57 @@ public class StandardSSLContextService extends AbstractControllerService impleme
     }
 
     /**
-     * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred
+     * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated
-     * over the overloaded method which accepts the deprecated {@link ClientAuth} enum.
+     * methods due to not requiring a client authentication policy. Invokes createTlsConfiguration() to prepare
+     * properties for processing.
      *
-     * @param clientAuth the desired level of client authentication
+     * @return {@link SSLContext} initialized using configured properties
-     * @return the configured SSLContext
-     * @throws ProcessException if there is a problem configuring the context
      */
     @Override
-    public SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException {
+    public SSLContext createContext() {
-        try {
         final TlsConfiguration tlsConfiguration = createTlsConfiguration();
         if (!tlsConfiguration.isTruststorePopulated()) {
             getLogger().warn("Trust Store properties not found: using platform default Certificate Authorities");
         }
+
+        try {
             final TrustManager[] trustManagers = SslContextFactory.getTrustManagers(tlsConfiguration);
-            return SslContextFactory.createSslContext(tlsConfiguration, trustManagers, clientAuth);
+            return SslContextFactory.createSslContext(tlsConfiguration, trustManagers);
-        } catch (TlsException e) {
+        } catch (final TlsException e) {
-            getLogger().error("Encountered an error creating the SSL context from the SSL context service: {}", new String[]{e.getLocalizedMessage()});
+            getLogger().error("Unable to create SSLContext: {}", new String[]{e.getLocalizedMessage()});
-            throw new ProcessException("Error creating SSL context", e);
+            throw new ProcessException("Unable to create SSLContext", e);
         }
     }
 
     /**
      * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
-     * due to the use of the deprecated {@link ClientAuth} enum and the overloaded method
+     * due to the Client Authentication policy not being applicable when initializing the SSLContext
-     * ({@link #createSSLContext(org.apache.nifi.security.util.ClientAuth)}) is preferred.
      *
      * @param clientAuth the desired level of client authentication
      * @return the configured SSLContext
      * @throws ProcessException if there is a problem configuring the context
+     * @deprecated The {@link #createContext()} method should be used instead
      */
+    @Deprecated
+    @Override
+    public SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException {
+        return createContext();
+    }
+
+    /**
+     * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
+     * due to the use of the deprecated {@link ClientAuth} enum
+     * {@link #createContext()} method is preferred.
+     *
+     * @param clientAuth the desired level of client authentication
+     * @return the configured SSLContext
+     * @throws ProcessException if there is a problem configuring the context
+     * @deprecated The {@link #createContext()} method should be used instead
+     */
+    @Deprecated
     @Override
     public SSLContext createSSLContext(final ClientAuth clientAuth) throws ProcessException {
-        org.apache.nifi.security.util.ClientAuth resolvedClientAuth = org.apache.nifi.security.util.ClientAuth.valueOf(clientAuth.name());
+        return createContext();
-            return createSSLContext(resolvedClientAuth);
     }
 
     @Override

nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/groovy/org/apache/nifi/ssl/StandardSSLContextServiceTest.groovy

@@ -176,7 +176,7 @@ class StandardSSLContextServiceTest {
         runner.assertValid(sslContextService)
 
         // Act
-        SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.NONE)
+        SSLContext sslContext = sslContextService.createContext();
 
         // Assert
         assert sslContext
@@ -198,7 +198,7 @@ class StandardSSLContextServiceTest {
         runner.assertValid(sslContextService)
 
         // Act
-        SSLContext sslContext = sslContextService.createSSLContext(ClientAuth.NONE)
+        SSLContext sslContext = sslContextService.createContext();
 
         // Assert
         assert sslContext

nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/test/java/org/apache/nifi/ssl/SSLContextServiceTest.java

@@ -38,7 +38,6 @@ import org.apache.nifi.components.AllowableValue;
 import org.apache.nifi.components.ValidationContext;
 import org.apache.nifi.components.ValidationResult;
 import org.apache.nifi.reporting.InitializationException;
-import org.apache.nifi.security.util.ClientAuth;
 import org.apache.nifi.util.MockProcessContext;
 import org.apache.nifi.util.MockValidationContext;
 import org.apache.nifi.util.TestRunner;
@@ -146,9 +145,7 @@ public class SSLContextServiceTest {
         service = (SSLContextService) runner.getProcessContext().getControllerServiceLookup().getControllerService("test-good1");
         Assert.assertNotNull(service);
         SSLContextService sslService = service;
-        sslService.createSSLContext(ClientAuth.REQUIRED);
+        sslService.createContext();
-        sslService.createSSLContext(ClientAuth.WANT);
-        sslService.createSSLContext(ClientAuth.NONE);
     }
 
     @Test
@@ -257,7 +254,7 @@ public class SSLContextServiceTest {
             runner.assertValid();
             Assert.assertNotNull(service);
             assertTrue(service instanceof StandardSSLContextService);
-            service.createSSLContext(ClientAuth.NONE);
+            service.createContext();
         } catch (InitializationException e) {
         }
     }
@@ -280,7 +277,7 @@ public class SSLContextServiceTest {
             Assert.assertNotNull(service);
             assertTrue(service instanceof StandardSSLContextService);
             SSLContextService sslService = service;
-            sslService.createSSLContext(ClientAuth.NONE);
+            sslService.createContext();
         } catch (Exception e) {
             System.out.println(e);
             Assert.fail("Should not have thrown a exception " + e.getMessage());
@@ -311,7 +308,7 @@ public class SSLContextServiceTest {
             runner.setProperty("SSL Context Svc ID", "test-diff-keys");
             runner.assertValid();
             Assert.assertNotNull(service);
-            service.createSSLContext(ClientAuth.NONE);
+            service.createContext();
         } catch (Exception e) {
             System.out.println(e);
             Assert.fail("Should not have thrown a exception " + e.getMessage());

nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-service-api/src/main/java/org/apache/nifi/ssl/SSLContextService.java

@@ -56,26 +56,38 @@ public interface SSLContextService extends ControllerService {
     }
 
     /**
-     * Returns a configured {@link SSLContext} from the populated configuration values. This method is preferred
+     * Create and initialize {@link SSLContext} using configured properties. This method is preferred over deprecated
-     * over the overloaded method which accepts the deprecated {@link ClientAuth} enum.
+     * create methods due to not requiring a client authentication policy.
      *
-     * @param clientAuth the desired level of client authentication
+     * @return {@link SSLContext} initialized using configured properties
-     * @return the configured SSLContext
-     * @throws ProcessException if there is a problem configuring the context
      */
-    SSLContext createSSLContext(final org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException;
+    SSLContext createContext();
 
     /**
      * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
-     * due to the use of the deprecated {@link ClientAuth} enum and the overloaded method
+     * due to {@link org.apache.nifi.security.util.ClientAuth} not being applicable or used when initializing the
-     * ({@link #createSSLContext(org.apache.nifi.security.util.ClientAuth)}) is preferred.
+     * {@link SSLContext}
      *
      * @param clientAuth the desired level of client authentication
      * @return the configured SSLContext
      * @throws ProcessException if there is a problem configuring the context
+     * @deprecated The {@link #createContext()} method should be used instead
      */
     @Deprecated
-    SSLContext createSSLContext(final ClientAuth clientAuth) throws ProcessException;
+    SSLContext createSSLContext(org.apache.nifi.security.util.ClientAuth clientAuth) throws ProcessException;
+
+    /**
+     * Returns a configured {@link SSLContext} from the populated configuration values. This method is deprecated
+     * due to the use of the deprecated {@link ClientAuth} enum and the
+     * ({@link #createContext()}) method is preferred.
+     *
+     * @param clientAuth the desired level of client authentication
+     * @return the configured SSLContext
+     * @throws ProcessException if there is a problem configuring the context
+     * @deprecated The {@link #createContext()} method should be used instead
+     */
+    @Deprecated
+    SSLContext createSSLContext(ClientAuth clientAuth) throws ProcessException;
 
     String getTrustStoreFile();