[ https://issues.apache.org/jira/browse/SOLR-14106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17007735#comment-17007735 ]

Kevin Risden commented on SOLR-14106:
-------------------------------------

Ok so looked into this a bit. The split from one ssl context into Server to 
Client definitely applies here. I need to double check the logic, but it could 
very well be that right now after this change, 
SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION doesn't work correctly anymore.

When Jetty Server ssl context is used, endpoint verification is forced to be 
null. It doesn't make sense on the server side. 

When Jetty Client ssl context is used, endpoint verification should be enabled 
by default and should only be disabled if you don't want verification. 

So what this means is we need to slightly change how 
SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION is implemented to apply only to the 
client ssl context it looks like. I opened SOLR-14163 for this.

References:
* https://github.com/eclipse/jetty.project/issues/3454
* https://github.com/eclipse/jetty.project/issues/3633
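As an added illustration of the Server/Client split the comment describes (this is example code, not Solr's or Jetty's own), the helper below builds the two Jetty 9.4 contexts separately: the server context carries the client-auth settings and leaves endpoint identification unset, while the client context keeps the "HTTPS" endpoint identification algorithm unless the caller explicitly opts out. The class name, the `verifyHostname` parameter, and the keystore paths and passwords are assumptions; how SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION is mapped onto that boolean is left to the caller.

```java
import org.eclipse.jetty.util.ssl.SslContextFactory;

/**
 * Builds separate Jetty SSL contexts for the server and client roles.
 * Illustrative code, not Solr's or Jetty's own; the class and method
 * names are assumptions made for this example.
 */
public final class SplitSslContexts {

    private SplitSslContexts() {}

    /** Server-side context: terminates TLS and optionally requires client certificates. */
    public static SslContextFactory.Server serverContext(
            String keyStorePath, String keyStorePassword,
            String trustStorePath, String trustStorePassword,
            boolean needClientAuth, boolean wantClientAuth) {
        SslContextFactory.Server server = new SslContextFactory.Server();
        server.setKeyStorePath(keyStorePath);
        server.setKeyStorePassword(keyStorePassword);
        server.setTrustStorePath(trustStorePath);
        server.setTrustStorePassword(trustStorePassword);
        // Mutual TLS: needClientAuth rejects handshakes without a trusted client
        // certificate, wantClientAuth merely requests one.
        server.setNeedClientAuth(needClientAuth);
        server.setWantClientAuth(wantClientAuth);
        // Endpoint identification answers "does the peer's certificate match the
        // host I dialled?", which is a client-side question, so it stays unset here.
        server.setEndpointIdentificationAlgorithm(null);
        return server;
    }

    /** Client-side context: used when this node connects to other nodes. */
    public static SslContextFactory.Client clientContext(
            String keyStorePath, String keyStorePassword,
            String trustStorePath, String trustStorePassword,
            boolean verifyHostname) {
        SslContextFactory.Client client = new SslContextFactory.Client();
        client.setKeyStorePath(keyStorePath);
        client.setKeyStorePassword(keyStorePassword);
        client.setTrustStorePath(trustStorePath);
        client.setTrustStorePassword(trustStorePassword);
        // "HTTPS" makes the JDK compare the peer certificate's SAN/CN against the
        // target host. Keep it on by default; clear it only on an explicit opt-out.
        client.setEndpointIdentificationAlgorithm(verifyHostname ? "HTTPS" : null);
        return client;
    }

    public static void main(String[] args) {
        // Placeholder paths and passwords (assumed); substitute the deployment's own.
        boolean verify = Boolean.parseBoolean(args.length > 0 ? args[0] : "true");
        SslContextFactory.Client client = clientContext(
                "/path/to/solr-ssl.keystore.p12", "changeit",
                "/path/to/solr-ssl.keystore.p12", "changeit", verify);
        System.out.println("client endpoint identification: "
                + client.getEndpointIdentificationAlgorithm());
        SslContextFactory.Server server = serverContext(
                "/path/to/solr-ssl.keystore.p12", "changeit",
                "/path/to/solr-ssl.keystore.p12", "changeit", true, false);
        System.out.println("server needClientAuth: " + server.getNeedClientAuth());
        System.out.println("server endpoint identification: "
                + server.getEndpointIdentificationAlgorithm());
    }
}
```

Run with `true` (the default) and the client context reports `HTTPS`; run with `false` and it reports `null`, which is the only case where hostname verification should be off. The server context reports `null` in both cases, matching the comment's point that the setting has no meaning on the server side.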


> SSL with SOLR_SSL_NEED_CLIENT_AUTH not working since v8.2.0
> -----------------------------------------------------------
>
>                 Key: SOLR-14106
>                 URL: https://issues.apache.org/jira/browse/SOLR-14106
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Server
>    Affects Versions: 8.2, 8.3, 8.4, 8.3.1
>            Reporter: Jan Høydahl
>            Assignee: Kevin Risden
>            Priority: Major
>              Labels: jetty, ssl
>             Fix For: 8.5, 8.4.1
>
>         Attachments: SOLR-14106.patch, SOLR-14106.patch, SOLR-14106.patch, 
> deprecation-warning.patch
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> For a client we use SSL certificate authentication with Solr through the 
> {{SOLR_SSL_NEED_CLIENT_AUTH=true}} setting. The client must then prove 
> through a local pem file that it has the correct client certificate.
> This works well until Solr 8.1.1, but fails with Solr 8.2 and also 8.3.1. 
> There has been a Jetty upgrade from jetty-9.4.14 to jetty-9.4.19 and I 
> see some deprecation warnings in the log of 8.3.1:
> {noformat}
> o.e.j.x.XmlConfiguration Deprecated method public void 
> org.eclipse.jetty.util.ssl.SslContextFactory.setWantClientAuth(boolean) in 
> file:///opt/solr-8.3.1/server/etc/jetty-ssl.xml
> {noformat}
> I have made a simple reproduction script using Docker to reproduce first the 
> 8.1.1 behaviour that succeeds, then 8.3.1 which fails:
> {code}
> wget https://www.dropbox.com/s/fkjcez1i5anh42i/tls.tgz
> tar -xvzf tls.tgz
> cd tls
> ./repro.sh
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
