[
https://issues.apache.org/jira/browse/SOLR-14106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16998637#comment-16998637
]
Kevin Risden commented on SOLR-14106:
-------------------------------------
Sooo this is interesting from a SAN perspective. Java/Jetty looks to be
blowing up if SAN is not supplied.
Generate a localhost cert:
{code:bash}
# One subjectAltName line carrying both names: in an openssl config section a
# repeated key replaces the earlier one, so two subjectAltName= lines would keep only the last.
openssl req -x509 -newkey rsa:4096 -sha256 -days 30 -nodes -keyout solr-ssl.key \
  -out solr-ssl.pem -subj '/CN=localhost' -extensions san -config <(echo '[req]'; \
  echo 'distinguished_name=req'; echo '[san]'; \
  echo 'subjectAltName=DNS:localhost,IP:127.0.0.1';)
openssl pkcs12 -export -in solr-ssl.pem -inkey solr-ssl.key -out solr-ssl.p12 \
  -passout pass:secret
{code}
Then configure Solr in {{./bin/solr.in.sh}}:
{code:bash}
SOLR_SSL_KEY_STORE=/Users/krisden/Downloads/tls/cert/solr-ssl.p12
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE=/Users/krisden/Downloads/tls/cert/solr-ssl.p12
SOLR_SSL_TRUST_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_CHECK_PEER_NAME=false
SOLR_SSL_NEED_CLIENT_AUTH=true
# Avoid IPV6 ip address
SOLR_OPTS="$SOLR_OPTS -Djava.net.preferIPv4Stack=true"
# Debugging
#SOLR_OPTS="$SOLR_OPTS -Djavax.net.debug=all"
# SOLR_LOG_LEVEL=DEBUG
{code}
Then test with the following:
{code:bash}
curl -k -i --cert cert/solr-ssl.pem --key cert/solr-ssl.key \
  "https://localhost:8983/solr/admin/cores?action=STATUS"
{code}
I need to try to reconcile this with [~janhoy]'s example that I started from.
I'll go back and see how 8.2+ works.
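The missing-SAN failure described above, checked before the keystore ever reaches Jetty. This is an added example, not code from the thread or from Solr: it generates the localhost cert with a single combined SAN line, verifies the SAN carries both the DNS name and the IP, and confirms the PKCS12 keystore opens with the password Solr will be given. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the Jira thread: pre-flight Solr TLS material so a
# certificate without a subjectAltName never reaches Jetty. Function names are mine.

# Generate key + self-signed cert for localhost. Note the SINGLE subjectAltName
# line: in an openssl config a repeated key replaces the earlier one, so two
# "subjectAltName=" lines would leave only the last name in the cert.
gen_cert() {
  key="$1"; pem="$2"; cfg="$(mktemp)"
  printf '%s\n' '[req]' 'distinguished_name=req' '[san]' \
    'subjectAltName=DNS:localhost,IP:127.0.0.1' > "$cfg"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 30 -nodes \
    -keyout "$key" -out "$pem" -subj '/CN=localhost' \
    -extensions san -config "$cfg" 2>/dev/null
  rm -f "$cfg"
}

# Print the SAN entries of a PEM cert (spaces stripped), or nothing if absent.
cert_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Return 0 only if the cert carries a SAN naming both the DNS name and the IP.
check_san() {
  san="$(cert_san "$1")"
  [ -n "$san" ] || { echo "$1: no subjectAltName; Jetty may reject it" >&2; return 1; }
  case "$san" in *"DNS:$2"*) ;; *) echo "$1: SAN lacks DNS:$2" >&2; return 1 ;; esac
  case "$san" in *"IPAddress:$3"*) ;; *) echo "$1: SAN lacks IP $3" >&2; return 1 ;; esac
}

# Build the PKCS12 keystore Solr expects and prove it opens with that password,
# i.e. what SOLR_SSL_KEY_STORE / SOLR_SSL_KEY_STORE_PASSWORD will point at.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" 2>/dev/null \
    && openssl pkcs12 -in "$3" -nokeys -noout -passin "pass:$4" 2>/dev/null
}

# Stand-alone use: sh san-check.sh solr-ssl.key solr-ssl.pem solr-ssl.p12
if [ "$#" -eq 3 ]; then
  gen_cert "$1" "$2"
  check_san "$2" localhost 127.0.0.1 && echo "SAN ok: $(cert_san "$2")"
  make_p12 "$2" "$1" "$3" secret && echo "keystore ok: $3"
fi
```

Run it against the files named in solr.in.sh before restarting Solr; a cert that fails check_san is the case to fix before blaming Jetty.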
> SSL with SOLR_SSL_NEED_CLIENT_AUTH not working since v8.2.0
> -----------------------------------------------------------
>
> Key: SOLR-14106
> URL: https://issues.apache.org/jira/browse/SOLR-14106
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 8.2, 8.3.1
> Reporter: Jan Høydahl
> Assignee: Kevin Risden
> Priority: Major
> Labels: jetty, ssl
>
> For a client we use SSL certificate authentication with Solr through the
> {{SOLR_SSL_NEED_CLIENT_AUTH=true}} setting. The client must then prove
> through a local pem file that it has the correct client certificate.
> This works well until Solr 8.1.1, but fails with Solr 8.2 and also 8.3.1.
> There has been a Jetty upgrade from jetty-9.4.14 to jetty-9.4.19 and I
> see some deprecation warnings in the log of 8.3.1:
> {noformat}
> o.e.j.x.XmlConfiguration Deprecated method public void
> org.eclipse.jetty.util.ssl.SslContextFactory.setWantClientAuth(boolean) in
> file:///opt/solr-8.3.1/server/etc/jetty-ssl.xml
> {noformat}
> I have made a simple reproduction script using Docker to reproduce first the
> 8.1.1 behaviour that succeeds, then 8.3.1 which fails:
> {code}
> wget https://www.dropbox.com/s/fkjcez1i5anh42i/tls.tgz
> tar -xvzf tls.tgz
> cd tls
> ./repro.sh
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)