[ 
https://issues.apache.org/jira/browse/SOLR-14106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17007669#comment-17007669
 ] 

Jan Høydahl commented on SOLR-14106:
------------------------------------

This whole issue is fairly complex. I was testing branch_8_4 with this fix 
merged and I get it working with my sample certificate.

But then I wanted to test again with my {{repo.sh}} script to validate that the 
newly released 8.4.0 docker image fails too. But it did not. I was able to do 
client auth towards 8.4.0. A little digging revealed a difference from my 
earlier repro tests. As long as I set env.var 
{{SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false}} I get it working on both 8.3.1 
and 8.4.0 (but not 8.2.0 since that env.var was introduced in 8.3.0). Conversely, 
if I *don't* set the variable (i.e. let it default to {{HTTPS}}), then even 
{{branch_8_4}} fails on me.

This got me confused. I know that this Jira fixes other things and removes 
deprecations, but I was surprised by the findings above. Have not tried to generate 
a client cert with a proper host name to check this validation yet. I'm not 
generating certs.

I discussed this with Kevin in ASF slack today. He'd take another look.

> SSL with SOLR_SSL_NEED_CLIENT_AUTH not working since v8.2.0
> -----------------------------------------------------------
>
>                 Key: SOLR-14106
>                 URL: https://issues.apache.org/jira/browse/SOLR-14106
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Server
>    Affects Versions: 8.2, 8.3, 8.4, 8.3.1
>            Reporter: Jan Høydahl
>            Assignee: Kevin Risden
>            Priority: Major
>              Labels: jetty, ssl
>             Fix For: 8.5, 8.4.1
>
>         Attachments: SOLR-14106.patch, SOLR-14106.patch, SOLR-14106.patch, 
> deprecation-warning.patch
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> For a client we use SSL certificate authentication with Solr through the 
> {{SOLR_SSL_NEED_CLIENT_AUTH=true}} setting. The client must then prove 
> through a local pem file that it has the correct client certificate.
> This works well until Solr 8.1.1, but fails with Solr 8.2 and also 8.3.1. 
> There has been a Jetty upgrade from jetty-9.4.14 to jetty-9.4.19 and I 
> see some deprecation warnings in the log of 8.3.1:
> {noformat}
> o.e.j.x.XmlConfiguration Deprecated method public void 
> org.eclipse.jetty.util.ssl.SslContextFactory.setWantClientAuth(boolean) in 
> file:///opt/solr-8.3.1/server/etc/jetty-ssl.xml
> {noformat}
> I have made a simple reproduction script using Docker to reproduce first the 
> 8.1.1 behaviour that succeeds, then 8.3.1 which fails:
> {code}
> wget https://www.dropbox.com/s/fkjcez1i5anh42i/tls.tgz
> tar -xvzf tls.tgz
> cd tls
> ./repro.sh
> {code}


