NIFI-7730 Added regression tests for multiple certificate keystores.

Cleaned up JettyServer code.
Changed test logging severity to include debug statements.
Added test resources.

This closes #4498.

Co-authored-by: Kotaro Terada <kotarot@apache.org>

nifi-commons/nifi-site-to-site-client/src/test/java/org/apache/nifi/remote/client/http/TestHttpClient.java

@@ -453,7 +453,7 @@ public class TestHttpClient {
         final ServletHandler wrongPathServletHandler = new ServletHandler();
         wrongPathContextHandler.insertHandler(wrongPathServletHandler);
 
-        final SslContextFactory sslContextFactory = new SslContextFactory();
+        final SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks");
         sslContextFactory.setKeyStorePassword("passwordpassword");
         sslContextFactory.setKeyStoreType("JKS");

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/JettyServer.java

@@ -975,19 +975,13 @@ public class JettyServer implements NiFiServer, ExtensionUiLoader {
     }
 
     private SslContextFactory createSslContextFactory() {
-        final SslContextFactory contextFactory = new SslContextFactory();
+        final SslContextFactory.Server serverContextFactory = new SslContextFactory.Server();
-        configureSslContextFactory(contextFactory, props);
+        configureSslContextFactory(serverContextFactory, props);
-        return contextFactory;
+        return serverContextFactory;
     }
 
-    protected static void configureSslContextFactory(SslContextFactory contextFactory, NiFiProperties props) {
+    protected static void configureSslContextFactory(SslContextFactory.Server contextFactory, NiFiProperties props) {
-        // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
-        // not a client.  Server does not need to perform hostname verification on the client.
-        // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
-        contextFactory.setEndpointIdentificationAlgorithm(null);
-
         // Explicitly exclude legacy TLS protocol versions
-        // contextFactory.setProtocol(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion());
         contextFactory.setIncludeProtocols(CertificateUtils.getCurrentSupportedTlsProtocolVersions());
         contextFactory.setExcludeProtocols("TLS", "TLSv1", "TLSv1.1", "SSL", "SSLv2", "SSLv2Hello", "SSLv3");
 

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/groovy/org/apache/nifi/web/server/JettyServerGroovyTest.groovy

@@ -19,6 +19,9 @@ package org.apache.nifi.web.server
 import org.apache.log4j.AppenderSkeleton
 import org.apache.log4j.spi.LoggingEvent
 import org.apache.nifi.bundle.Bundle
+import org.apache.nifi.nar.ExtensionManagerHolder
+import org.apache.nifi.nar.ExtensionMapping
+import org.apache.nifi.nar.SystemBundle
 import org.apache.nifi.processor.DataUnit
 import org.apache.nifi.properties.StandardNiFiProperties
 import org.apache.nifi.security.util.CertificateUtils
@@ -121,6 +124,8 @@ class JettyServerGroovyTest extends GroovyTestCase {
 
     @After
     void tearDown() throws Exception {
+        // Cleans up the EMH so it can be reinitialized when a new Jetty server starts
+        ExtensionManagerHolder.INSTANCE = null
         TestAppender.reset()
     }
 
@@ -196,10 +201,9 @@ class JettyServerGroovyTest extends GroovyTestCase {
         assert !bothConfigsPresentForHttp
         assert !bothConfigsPresentForHttps
 
-        // Verifies that the warning was not logged
+        // Verifies that the warning was not logged (messages are duplicated because of log4j.properties settings)
-        assert log.size() == 2
+        assert log.size() == 4
-        assert log.first() == "Both configs present for HTTP properties: false"
+        assert log.every { it =~ "Both configs present for HTTPS? properties: false" }
-        assert log.last() == "Both configs present for HTTPS properties: false"
     }
 
     @Test
@@ -242,10 +246,84 @@ class JettyServerGroovyTest extends GroovyTestCase {
         // Assertions defined above
     }
 
+    /**
+     * Regression test added after NiFi 1.12.0 because Jetty upgrade to 9.4.26 no longer works
+     * with multiple certificate keystores.
+     */
+    @Test
+    void testShouldStartWithMultipleCertificatePKCS12Keystore() {
+        // Arrange
+        final String externalHostname = "localhost"
+
+        NiFiProperties httpsProps = new StandardNiFiProperties(rawProperties: new Properties([
+                (NiFiProperties.WEB_HTTPS_PORT): HTTPS_PORT as String,
+                (NiFiProperties.WEB_HTTPS_HOST): externalHostname,
+                (NiFiProperties.SECURITY_KEYSTORE): "src/test/resources/multiple_cert_keystore.p12",
+                (NiFiProperties.SECURITY_KEYSTORE_PASSWD): "passwordpassword",
+                (NiFiProperties.SECURITY_KEYSTORE_TYPE): "PKCS12",
+                (NiFiProperties.NAR_LIBRARY_DIRECTORY): "target/"
+        ]))
+
+        JettyServer jetty = createJettyServer(httpsProps)
+        Server internalServer = jetty.server
+        List<Connector> connectors = Arrays.asList(internalServer.connectors)
+
+        // Act
+        jetty.start()
+
+        // Assert
+        assertServerConnector(connectors, "TLS", CURRENT_TLS_PROTOCOL_VERSIONS, CURRENT_TLS_PROTOCOL_VERSIONS, externalHostname, HTTPS_PORT)
+
+        // Clean up
+        jetty.stop()
+    }
+
+    /**
+     * Regression test added after NiFi 1.12.0 because Jetty upgrade to 9.4.26 no longer works
+     * with multiple certificate keystores.
+     */
+    @Test
+    void testShouldStartWithMultipleCertificateJKSKeystore() {
+        // Arrange
+        final String externalHostname = "localhost"
+
+        NiFiProperties httpsProps = new StandardNiFiProperties(rawProperties: new Properties([
+                (NiFiProperties.WEB_HTTPS_PORT): HTTPS_PORT as String,
+                (NiFiProperties.WEB_HTTPS_HOST): externalHostname,
+                (NiFiProperties.SECURITY_KEYSTORE): "src/test/resources/multiple_cert_keystore.jks",
+                (NiFiProperties.SECURITY_KEYSTORE_PASSWD): "passwordpassword",
+                (NiFiProperties.SECURITY_KEYSTORE_TYPE): "JKS",
+                (NiFiProperties.NAR_LIBRARY_DIRECTORY): "target/"
+        ]))
+
+        JettyServer jetty = createJettyServer(httpsProps)
+        Server internalServer = jetty.server
+        List<Connector> connectors = Arrays.asList(internalServer.connectors)
+
+        // Act
+        jetty.start()
+
+        // Assert
+        assertServerConnector(connectors, "TLS", CURRENT_TLS_PROTOCOL_VERSIONS, CURRENT_TLS_PROTOCOL_VERSIONS, externalHostname, HTTPS_PORT)
+
+        // Clean up
+        jetty.stop()
+    }
+
+    private static JettyServer createJettyServer(StandardNiFiProperties httpsProps) {
+        Server internalServer = new Server()
+        JettyServer jetty = new JettyServer(internalServer, httpsProps)
+        jetty.systemBundle = SystemBundle.create(httpsProps)
+        jetty.bundles = [] as Set<Bundle>
+        jetty.extensionMapping = [size: { -> 0 }] as ExtensionMapping
+        jetty.configureHttpsConnector(internalServer, new HttpConfiguration())
+        jetty
+    }
+
     @Test
     void testShouldConfigureHTTPSConnector() {
         // Arrange
-        final String externalHostname = "secure.host.com"
+        final String externalHostname = "localhost"
 
         NiFiProperties httpsProps = new StandardNiFiProperties(rawProperties: new Properties([
                 (NiFiProperties.WEB_HTTPS_PORT): HTTPS_PORT as String,
@@ -260,9 +338,7 @@ class JettyServerGroovyTest extends GroovyTestCase {
         List<Connector> connectors = Arrays.asList(internalServer.connectors)
 
         // Assert
-
+        assertServerConnector(connectors, "TLS", CURRENT_TLS_PROTOCOL_VERSIONS, CURRENT_TLS_PROTOCOL_VERSIONS, externalHostname, HTTPS_PORT)
-        // Set the expected TLS protocols to null because no actual keystore/truststore is loaded here
-        assertServerConnector(connectors, "TLS", null, null, externalHostname, HTTPS_PORT)
     }
 
     @Test
@@ -411,16 +487,13 @@ class JettyServerGroovyTest extends GroovyTestCase {
         assert connector.port == EXPECTED_PORT
         assert connector.getProtocols() == ['ssl', 'http/1.1']
 
-        // This kind of testing is not ideal as it breaks encapsulation, but is necessary to enforce verification of the TLS protocol versions specified
         SslConnectionFactory connectionFactory = connector.getConnectionFactory("ssl") as SslConnectionFactory
-        SslContextFactory sslContextFactory = connectionFactory._sslContextFactory as SslContextFactory
+        SslContextFactory sslContextFactory = connectionFactory.getSslContextFactory()
         logger.debug("SSL Context Factory: ${sslContextFactory.dump()}")
 
-        // Using the getters is subject to NPE due to blind array copies
+        assert sslContextFactory.getProtocol() == EXPECTED_TLS_PROTOCOL
-        assert sslContextFactory._sslProtocol == EXPECTED_TLS_PROTOCOL
+        assert Arrays.asList(sslContextFactory.getIncludeProtocols()).containsAll(EXPECTED_INCLUDED_PROTOCOLS ?: Collections.emptySet())
-        assert sslContextFactory._includeProtocols.containsAll(EXPECTED_INCLUDED_PROTOCOLS ?: Collections.emptySet())
+        assert (sslContextFactory.getExcludeProtocols() as List<String>).containsAll(LEGACY_TLS_PROTOCOLS)
-        assert (sslContextFactory._excludeProtocols as List<String>).containsAll(LEGACY_TLS_PROTOCOLS)
-        assert sslContextFactory._selectedProtocols == EXPECTED_SELECTED_PROTOCOLS as String[]
     }
 
     @Test
@@ -531,4 +604,4 @@ class TestAppender extends AppenderSkeleton {
             events.collect { LoggingEvent le -> le.getRenderedMessage() }
         }
     }
-}
+}

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/java/org/apache/nifi/web/server/JettyServerTest.java

@@ -43,12 +43,12 @@ public class JettyServerTest {
         addProps.put(NiFiProperties.SECURITY_KEYSTORE_PASSWD, testKeystorePassword);
         addProps.put(NiFiProperties.SECURITY_KEY_PASSWD, testKeyPassword);
         NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
-        SslContextFactory contextFactory = mock(SslContextFactory.class);
+        SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
 
-        JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
+        JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
 
-        verify(contextFactory).setKeyStorePassword(testKeystorePassword);
+        verify(mockSCF).setKeyStorePassword(testKeystorePassword);
-        verify(contextFactory).setKeyManagerPassword(testKeyPassword);
+        verify(mockSCF).setKeyManagerPassword(testKeyPassword);
     }
 
     @Test
@@ -59,12 +59,12 @@ public class JettyServerTest {
         final Map<String, String> addProps = new HashMap<>();
         addProps.put(NiFiProperties.SECURITY_KEY_PASSWD, testKeyPassword);
         NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
-        SslContextFactory contextFactory = mock(SslContextFactory.class);
+        SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
 
-        JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
+        JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
 
-        verify(contextFactory).setKeyManagerPassword(testKeyPassword);
+        verify(mockSCF).setKeyManagerPassword(testKeyPassword);
-        verify(contextFactory, never()).setKeyStorePassword(anyString());
+        verify(mockSCF, never()).setKeyStorePassword(anyString());
     }
 
     @Test
@@ -75,12 +75,12 @@ public class JettyServerTest {
         final Map<String, String> addProps = new HashMap<>();
         addProps.put(NiFiProperties.SECURITY_KEYSTORE_PASSWD, testKeystorePassword);
         NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
-        SslContextFactory contextFactory = mock(SslContextFactory.class);
+        SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
 
-        JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
+        JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
 
-        verify(contextFactory).setKeyStorePassword(testKeystorePassword);
+        verify(mockSCF).setKeyStorePassword(testKeystorePassword);
-        verify(contextFactory).setKeyManagerPassword(testKeystorePassword);
+        verify(mockSCF).setKeyManagerPassword(testKeystorePassword);
     }
 
     @Test
@@ -90,12 +90,12 @@ public class JettyServerTest {
         String keyStoreType = KeystoreType.JKS.toString();
         addProps.put(NiFiProperties.SECURITY_KEYSTORE_TYPE, keyStoreType);
         NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
-        SslContextFactory contextFactory = mock(SslContextFactory.class);
+        SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
 
-        JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
+        JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
 
-        verify(contextFactory).setKeyStoreType(keyStoreType);
+        verify(mockSCF).setKeyStoreType(keyStoreType);
-        verify(contextFactory).setKeyStoreProvider(SUN_PROVIDER_NAME);
+        verify(mockSCF).setKeyStoreProvider(SUN_PROVIDER_NAME);
     }
 
     @Test
@@ -105,12 +105,12 @@ public class JettyServerTest {
         String keyStoreType = KeystoreType.PKCS12.toString();
         addProps.put(NiFiProperties.SECURITY_KEYSTORE_TYPE, keyStoreType);
         NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
-        SslContextFactory contextFactory = mock(SslContextFactory.class);
+        SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
 
-        JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
+        JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
 
-        verify(contextFactory).setKeyStoreType(keyStoreType);
+        verify(mockSCF).setKeyStoreType(keyStoreType);
-        verify(contextFactory).setKeyStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
+        verify(mockSCF).setKeyStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
     }
 
     @Test
@@ -120,12 +120,12 @@ public class JettyServerTest {
         String trustStoreType = KeystoreType.JKS.toString();
         addProps.put(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, trustStoreType);
         NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
-        SslContextFactory contextFactory = mock(SslContextFactory.class);
+        SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
 
-        JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
+        JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
 
-        verify(contextFactory).setTrustStoreType(trustStoreType);
+        verify(mockSCF).setTrustStoreType(trustStoreType);
-        verify(contextFactory).setTrustStoreProvider(SUN_PROVIDER_NAME);
+        verify(mockSCF).setTrustStoreProvider(SUN_PROVIDER_NAME);
     }
 
     @Test
@@ -135,11 +135,11 @@ public class JettyServerTest {
         String trustStoreType = KeystoreType.PKCS12.toString();
         addProps.put(NiFiProperties.SECURITY_TRUSTSTORE_TYPE, trustStoreType);
         NiFiProperties nifiProperties = NiFiProperties.createBasicNiFiProperties(null, addProps);
-        SslContextFactory contextFactory = mock(SslContextFactory.class);
+        SslContextFactory.Server mockSCF = mock(SslContextFactory.Server.class);
 
-        JettyServer.configureSslContextFactory(contextFactory, nifiProperties);
+        JettyServer.configureSslContextFactory(mockSCF, nifiProperties);
 
-        verify(contextFactory).setTrustStoreType(trustStoreType);
+        verify(mockSCF).setTrustStoreType(trustStoreType);
-        verify(contextFactory).setTrustStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
+        verify(mockSCF).setTrustStoreProvider(BouncyCastleProvider.PROVIDER_NAME);
     }
 }

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/test/resources/log4j.properties

@@ -16,6 +16,7 @@
 #
 
 log4j.rootLogger=INFO,console,test
+log4j.logger.org.apache.nifi.web=DEBUG,console,test
 
 log4j.appender.console=org.apache.log4j.ConsoleAppender
 log4j.appender.console.Target=System.err

nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-api/src/test/java/org/apache/nifi/integration/util/NiFiTestServer.java

@@ -77,12 +77,7 @@ public class NiFiTestServer {
 
     // TODO: Refactor this method to use proper factory methods
     private void createSecureConnector() {
-        org.eclipse.jetty.util.ssl.SslContextFactory contextFactory = new org.eclipse.jetty.util.ssl.SslContextFactory();
+        org.eclipse.jetty.util.ssl.SslContextFactory contextFactory = new org.eclipse.jetty.util.ssl.SslContextFactory.Server();
-
-        // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
-        // not a client.  Server does not need to perform hostname verification on the client.
-        // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
-        contextFactory.setEndpointIdentificationAlgorithm(null);
 
         // require client auth when not supporting login or anonymous access
         if (StringUtils.isBlank(properties.getProperty(NiFiProperties.SECURITY_USER_LOGIN_IDENTITY_PROVIDER))) {

nifi-nar-bundles/nifi-prometheus-bundle/nifi-prometheus-reporting-task/src/main/java/org/apache/nifi/reporting/prometheus/PrometheusServer.java

@@ -113,7 +113,7 @@ public class PrometheusServer {
     }
 
     private SslContextFactory createSslFactory(final SSLContextService sslService, boolean needClientAuth, boolean wantClientAuth) {
-        SslContextFactory sslFactory = new SslContextFactory();
+        SslContextFactory sslFactory = new SslContextFactory.Server();
 
         sslFactory.setNeedClientAuth(needClientAuth);
         sslFactory.setWantClientAuth(wantClientAuth);

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/HandleHttpRequest.java

@@ -520,18 +520,13 @@ public class HandleHttpRequest extends AbstractProcessor {
     }
 
     private SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth) {
-        final SslContextFactory sslFactory = new SslContextFactory();
+        final SslContextFactory sslFactory = new SslContextFactory.Server();
 
         sslFactory.setNeedClientAuth(needClientAuth);
         sslFactory.setWantClientAuth(wantClientAuth);
 
         sslFactory.setProtocol(sslService.getSslAlgorithm());
 
-        // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
-        // not a client.  Server does not need to perform hostname verification on the client.
-        // Previous to Jetty 9.4.15.v20190215, this defaulted to null.
-        sslFactory.setEndpointIdentificationAlgorithm(null);
-
         if (sslService.isKeyStoreConfigured()) {
             sslFactory.setKeyStorePath(sslService.getKeyStoreFile());
             sslFactory.setKeyStorePassword(sslService.getKeyStorePassword());

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/ListenHTTP.java

@@ -256,14 +256,9 @@ public class ListenHTTP extends AbstractSessionFactoryProcessor {
 
         final boolean needClientAuth = sslContextService != null && sslContextService.getTrustStoreFile() != null;
 
-        final SslContextFactory contextFactory = new SslContextFactory();
+        final SslContextFactory contextFactory = new SslContextFactory.Server();
         contextFactory.setNeedClientAuth(needClientAuth);
 
-        // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
-        // not a client.  Server does not need to perform hostname verification on the client.
-        // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
-        contextFactory.setEndpointIdentificationAlgorithm(null);
-
         if (needClientAuth) {
             contextFactory.setTrustStorePath(sslContextService.getTrustStoreFile());
             contextFactory.setTrustStoreType(sslContextService.getTrustStoreType());

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestGetHTTPGroovy.groovy

@@ -141,7 +141,7 @@ class TestGetHTTPGroovy extends GroovyTestCase {
 
     private
     static SslContextFactory createSslContextFactory(List supportedProtocols = DEFAULT_PROTOCOLS, List supportedCipherSuites = DEFAULT_CIPHER_SUITES) {
-        final SslContextFactory contextFactory = new SslContextFactory()
+        final SslContextFactory contextFactory = new SslContextFactory.Server()
         contextFactory.needClientAuth = false
         contextFactory.wantClientAuth = false
 
@@ -485,4 +485,4 @@ class TestGetHTTPGroovy extends GroovyTestCase {
         runner.clearTransferState()
         logger.info("Ran successfully")
     }
-}
+}

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/groovy/org/apache/nifi/processors/standard/TestPostHTTPGroovy.groovy

@@ -133,7 +133,7 @@ class TestPostHTTPGroovy extends GroovyTestCase {
 
     private
     static SslContextFactory createSslContextFactory(List supportedProtocols = DEFAULT_PROTOCOLS, List supportedCipherSuites = DEFAULT_CIPHER_SUITES) {
-        final SslContextFactory contextFactory = new SslContextFactory()
+        final SslContextFactory contextFactory = new SslContextFactory.Server()
         contextFactory.needClientAuth = false
         contextFactory.wantClientAuth = false
 
@@ -440,4 +440,4 @@ class TestPostHTTPGroovy extends GroovyTestCase {
         runner.clearTransferState()
         logger.info("Ran successfully")
     }
-}
+}

nifi-nar-bundles/nifi-standard-bundle/nifi-standard-web-test-utils/src/main/java/org/apache/nifi/web/util/TestServer.java

@@ -76,7 +76,7 @@ public class TestServer {
     }
 
     private void createSecureConnector(final Map<String, String> sslProperties) {
-        SslContextFactory ssl = new SslContextFactory();
+        SslContextFactory ssl = new SslContextFactory.Server();
 
         if (sslProperties.get(StandardSSLContextService.KEYSTORE.getName()) != null) {
             ssl.setKeyStorePath(sslProperties.get(StandardSSLContextService.KEYSTORE.getName()));
@@ -97,11 +97,6 @@ public class TestServer {
             ssl.setNeedClientAuth(Boolean.parseBoolean(clientAuth));
         }
 
-        // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
-        // not a client.  Server does not need to perform hostname verification on the client.
-        // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
-        ssl.setEndpointIdentificationAlgorithm(null);
-
         // build the connector
         final ServerConnector https = new ServerConnector(jetty, ssl);
 

nifi-nar-bundles/nifi-websocket-bundle/nifi-websocket-services-jetty/src/main/java/org/apache/nifi/websocket/jetty/AbstractJettyWebSocketService.java

@@ -67,7 +67,7 @@ public abstract class AbstractJettyWebSocketService extends AbstractWebSocketSer
 
 
     protected SslContextFactory createSslFactory(final SSLContextService sslService, final boolean needClientAuth, final boolean wantClientAuth, final String endpointIdentificationAlgorithm) {
-        final SslContextFactory sslFactory = new SslContextFactory();
+        final SslContextFactory sslFactory = new SslContextFactory.Server();
 
         sslFactory.setNeedClientAuth(needClientAuth);
         sslFactory.setWantClientAuth(wantClientAuth);

nifi-nar-bundles/nifi-websocket-bundle/nifi-websocket-services-jetty/src/test/java/org/apache/nifi/websocket/example/WebSocketClientExample.java

@@ -46,7 +46,7 @@ public class WebSocketClientExample {
         String destUri = "wss://localhost:50010/test";
 
         final CountDownLatch replyLatch = new CountDownLatch(1);
-        final SslContextFactory sslContextFactory = new SslContextFactory();
+        final SslContextFactory sslContextFactory = new SslContextFactory.Client();
         sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks");
         sslContextFactory.setKeyStorePassword("passwordpassword");
         sslContextFactory.setKeyStoreType("JKS");

nifi-nar-bundles/nifi-websocket-bundle/nifi-websocket-services-jetty/src/test/java/org/apache/nifi/websocket/example/WebSocketServerExample.java

@@ -152,16 +152,11 @@ public class WebSocketServerExample {
         httpConnector = new ServerConnector(server);
         httpConnector.setPort(50010);
 
-        final SslContextFactory sslContextFactory = new SslContextFactory();
+        final SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath("src/test/resources/certs/keystore.jks");
         sslContextFactory.setKeyStorePassword("passwordpassword");
         sslContextFactory.setKeyStoreType("JKS");
 
-        // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
-        // not a client.  Server does not need to perform hostname verification on the client.
-        // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
-        sslContextFactory.setEndpointIdentificationAlgorithm(null);
-
         final HttpConfiguration https = new HttpConfiguration();
         https.addCustomizer(new SecureRequestCustomizer());
         sslConnector = new ServerConnector(server,

nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/service/server/TlsCertificateAuthorityService.java

@@ -62,16 +62,11 @@ public class TlsCertificateAuthorityService {
     private static Server createServer(Handler handler, int port, KeyStore keyStore, String keyPassword) throws Exception {
         Server server = new Server();
 
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setIncludeProtocols(CertificateUtils.getHighestCurrentSupportedTlsProtocolVersion());
         sslContextFactory.setKeyStore(keyStore);
         sslContextFactory.setKeyManagerPassword(keyPassword);
 
-        // Need to set SslContextFactory's endpointIdentificationAlgorithm to null; this is a server,
-        // not a client.  Server does not need to perform hostname verification on the client.
-        // Previous to Jetty 9.4.15.v20190215, this defaulted to null, and now defaults to "HTTPS".
-        sslContextFactory.setEndpointIdentificationAlgorithm(null);
-
         HttpConfiguration httpsConfig = new HttpConfiguration();
         httpsConfig.addCustomizer(new SecureRequestCustomizer());