[ https://issues.apache.org/jira/browse/SOLR-14106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16998678#comment-16998678 ]
Jan Høydahl commented on SOLR-14106:
------------------------------------
With this change to the PR I get it running:
{code:java}
Index:
solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
(revision 49a0bd5ebf2a76ff94cf8e322121883ecd19796f)
+++ solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
(date 1576625574674)
@@ -180,13 +180,13 @@
ThreadPoolExecutor httpClientExecutor = new
ExecutorUtil.MDCAwareThreadPoolExecutor(32,
256, 60, TimeUnit.SECONDS, queue, new SolrjNamedThreadFactory("h2sc"));
- SslContextFactory sslContextFactory;
+ SslContextFactory.Server sslContextFactory;
boolean ssl;
if (builder.sslConfig == null) {
sslContextFactory = getDefaultSslContextFactory();
ssl = sslContextFactory.getTrustStore() != null ||
sslContextFactory.getTrustStorePath() != null;
} else {
- sslContextFactory = builder.sslConfig.createContextFactory();
+ sslContextFactory = (SslContextFactory.Server)
builder.sslConfig.createContextFactory();
ssl = true;
}
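Review bot: the downcast in `sslContextFactory = (SslContextFactory.Server) builder.sslConfig.createContextFactory();` is unchecked, so if `createContextFactory()` ever returns another `SslContextFactory` subtype the failure is a `ClassCastException` when the client is built instead of a compile error. Consider changing the declared return type of `createContextFactory()` to the concrete type this class needs, or guarding the cast with `instanceof` and a clear error message. `Http2SolrClient` is the client side of the connection, so typing the field as `SslContextFactory.Server` also deserves a code comment explaining why the server variant is used here.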
@@ -921,14 +921,15 @@
Http2SolrClient.defaultSSLConfig = null;
}
- private static SslContextFactory getDefaultSslContextFactory() {
+ private static SslContextFactory.Server getDefaultSslContextFactory() {
String checkPeerNameStr =
System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME);
boolean sslCheckPeerName = true;
if (checkPeerNameStr == null ||
"false".equalsIgnoreCase(checkPeerNameStr)) {
sslCheckPeerName = false;
}
- SslContextFactory.Client sslContextFactory = new
SslContextFactory.Client(!sslCheckPeerName);
+ SslContextFactory.Server sslContextFactory = new
SslContextFactory.Server();
+ sslContextFactory.setTrustAll(!sslCheckPeerName);
if (null != System.getProperty("javax.net.ssl.keyStore")) {
sslContextFactory.setKeyStorePath
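Review bot: in `getDefaultSslContextFactory()`, the new `sslContextFactory.setTrustAll(!sslCheckPeerName);` enables trust-all whenever `sslCheckPeerName` is false, and the context lines above set it to false both when `HttpClientUtil.SYS_PROP_CHECK_PEER_NAME` is "false" and when it is unset. The patch carries that mapping over from the removed `new SslContextFactory.Client(!sslCheckPeerName)`, but a flag named for peer-name checking ends up switching off certificate trust validation altogether, and it does so by default. Since this line is being rewritten anyway, please document that behaviour next to the call, and confirm with a test that moving from the `Client` to the `Server` factory still verifies the server's host name when the property is set to true.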
{code}
> SSL with SOLR_SSL_NEED_CLIENT_AUTH not working since v8.2.0
> -----------------------------------------------------------
>
> Key: SOLR-14106
> URL: https://issues.apache.org/jira/browse/SOLR-14106
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Server
> Affects Versions: 8.2, 8.3, 8.3.1
> Reporter: Jan Høydahl
> Assignee: Kevin Risden
> Priority: Major
> Labels: jetty, ssl
> Attachments: SOLR-14106.patch
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> For a client we use SSL certificate authentication with Solr through the
> {{SOLR_SSL_NEED_CLIENT_AUTH=true}} setting. The client must then prove
> through a local pem file that it has the correct client certificate.
> This works well until Solr 8.1.1, but fails with Solr 8.2 and also 8.3.1.
> There has been a Jetty upgrade from jetty-9.4.14 to jetty-9.4.19 and I
> see some deprecation warnings in the log of 8.3.1:
> {noformat}
> o.e.j.x.XmlConfiguration Deprecated method public void
> org.eclipse.jetty.util.ssl.SslContextFactory.setWantClientAuth(boolean) in
> file:///opt/solr-8.3.1/server/etc/jetty-ssl.xml
> {noformat}
> I have made a simple reproduction script using Docker to reproduce first the
> 8.1.1 behaviour that succeeds, then 8.3.1 which fails:
> {code}
> wget https://www.dropbox.com/s/fkjcez1i5anh42i/tls.tgz
> tar -xvzf tls.tgz
> cd tls
> ./repro.sh
> {code}