[ https://issues.apache.org/jira/browse/SOLR-14163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17007736#comment-17007736 ]

Kevin Risden commented on SOLR-14163:
-------------------------------------

Copying comment from SOLR-14106:

Ok so looked into this a bit. The split from one ssl context into Server to 
Client definitely applies here. I need to double check the logic, but it could 
very well be that right now after this change, 
SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION doesn't work correctly anymore.

When Jetty Server ssl context is used, endpoint verification is forced to be 
null. It doesn't make sense on the server side.

When Jetty Client ssl context is used, endpoint verification should be enabled 
by default and should only be disabled if you don't want verification.

So what this means is we need to slightly change how 
SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION is implemented to apply only to the 
client ssl context it looks like. I opened SOLR-14163 for this.

References:
* https://github.com/eclipse/jetty.project/issues/3454
* https://github.com/eclipse/jetty.project/issues/3633

> SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION needs to work with Jetty server/client 
> SSL contexts
> -----------------------------------------------------------------------------------------
>
>                 Key: SOLR-14163
>                 URL: https://issues.apache.org/jira/browse/SOLR-14163
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Server
>            Reporter: Kevin Risden
>            Assignee: Kevin Risden
>            Priority: Major
>             Fix For: 8.5, 8.4.1
>
>
> SOLR-14106 ensured that Jetty ssl context used client and server correctly. 
> This however requires that SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION be handled 
> slightly differently to ensure that only clients are affected.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
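
The client/server split described in the comment above, shown at the JDK level as an added example (not Solr's or Jetty's code, and not part of the original message): the hostname-verification flag changes the endpoint identification algorithm only for client-mode engines, while server-mode engines always get null. The class name, the `newEngine` helper and the host name `solr.example.com` are hypothetical; only standard `javax.net.ssl` calls are used.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class EndpointIdentificationDemo {

    // Hypothetical helper: configures an engine for the client or server role
    // and applies the hostname-verification flag to the client role only.
    static SSLEngine newEngine(SSLContext ctx, boolean clientMode,
                               boolean verifyClientHostname) {
        // The peer host is what the JDK compares the certificate against
        // (constructed value); a server-side engine has no such peer name.
        SSLEngine engine = clientMode
                ? ctx.createSSLEngine("solr.example.com", 8983)
                : ctx.createSSLEngine();
        engine.setUseClientMode(clientMode);

        SSLParameters params = engine.getSSLParameters();
        if (clientMode) {
            // Client role: "HTTPS" turns on hostname matching of the server
            // certificate during the handshake; null turns it off.
            params.setEndpointIdentificationAlgorithm(
                    verifyClientHostname ? "HTTPS" : null);
        } else {
            // Server role: the flag is ignored and the algorithm stays null.
            params.setEndpointIdentificationAlgorithm(null);
        }
        engine.setSSLParameters(params);
        return engine;
    }

    // Reads back the algorithm the engine will actually use.
    static String algorithm(SSLEngine engine) {
        return engine.getSSLParameters().getEndpointIdentificationAlgorithm();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        boolean[] flagValues = {true, false};
        for (boolean verify : flagValues) {
            System.out.println("flag=" + verify
                    + " client=" + algorithm(newEngine(ctx, true, verify))
                    + " server=" + algorithm(newEngine(ctx, false, verify)));
        }
    }
}
```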
