[ https://issues.apache.org/jira/browse/SOLR-14105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17106221#comment-17106221 ]
Jan Høydahl edited comment on SOLR-14105 at 5/13/20, 11:43 AM:
---------------------------------------------------------------

Thanks Simone. You did not quote me correctly. I said "..*seems* a bit incomplete and trappy", and that comment was meant for 9.4.24 that we use, and it took us several iterations to get the Server/Client split right.

Again, a workaround is to specify a separate SOLR_SSL_CLIENT_KEY_STORE.

I think it is very hard to follow the GitHub issues/PRs you link to, so even after reading them, I did not understand that 9.4.25 actually allows multi certs even on the client side? This was the behaviour we had in Solr before upgrading from 9.4.19 to 9.4.24 - Jetty would pick the first cert on the keystore instead of throwing an exception. What is the new selection logic introduced in 9.4.25 (when we use SslContextFactory.Client)?

Sounds like Solr should anyway upgrade Jetty!


was (Author: janhoy):
Thanks Simone. You did not quote me correctly. I said "..*seems* a bit incomplete and trappy", and that comment is for 9.4.14 that we use.

Again, a workaround is to specify a separate SOLR_SSL_CLIENT_KEY_STORE.

I think it is very hard to follow the GitHub issues/PRs you link to, so even after reading them, I did not understand that 9.4.25 actually allows multi certs even on the client side? This was the behaviour we had in Solr before upgrading from 9.4.19 to 9.4.24 - Jetty would pick the first cert on the keystore instead of throwing an exception. What is the new selection logic introduced in 9.4.25 (when we use SslContextFactory.Client)?

Sounds like Solr should anyway upgrade Jetty!

> Http2SolrClient SSL not working in branch_8x
> --------------------------------------------
>
>                 Key: SOLR-14105
>                 URL: https://issues.apache.org/jira/browse/SOLR-14105
>             Project: Solr
>          Issue Type: Bug
>   Affects Versions: 8.5
>            Reporter: Jan Høydahl
>            Assignee: Kevin Risden
>            Priority: Major
>         Attachments: SOLR-14105.patch
>
>
> In branch_8x we upgraded to Jetty 9.4.24. This causes the following
> exceptions when attempting to start server with SSL:
> {noformat}
> 2019-12-17 14:46:16.646 ERROR (main) [ ] o.a.s.c.SolrCore null:org.apache.solr.common.SolrException: Error instantiating shardHandlerFactory class [HttpShardHandlerFactory]: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
>       at org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:56)
>       at org.apache.solr.core.CoreContainer.load(CoreContainer.java:633)
> ...
> Caused by: java.lang.RuntimeException: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
>       at org.apache.solr.client.solrj.impl.Http2SolrClient.createHttpClient(Http2SolrClient.java:224)
>       at org.apache.solr.client.solrj.impl.Http2SolrClient.<init>(Http2SolrClient.java:154)
>       at org.apache.solr.client.solrj.impl.Http2SolrClient$Builder.build(Http2SolrClient.java:833)
>       at org.apache.solr.handler.component.HttpShardHandlerFactory.init(HttpShardHandlerFactory.java:321)
>       at org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:51)
>       ... 50 more
> Caused by: java.lang.UnsupportedOperationException: X509ExtendedKeyManager only supported on Server
>       at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1273)
>       at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1255)
>       at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
>       at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
> {noformat}