[
https://issues.apache.org/jira/browse/SOLR-14711?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Houston Putman updated SOLR-14711:
----------------------------------
Security: (was: Public)
> Incorrect insecure settings check in CoreContainer
> --------------------------------------------------
>
> Key: SOLR-14711
> URL: https://issues.apache.org/jira/browse/SOLR-14711
> Project: Solr
> Issue Type: Bug
> Reporter: Mark Todd
> Priority: Major
>
> I've configured SolrCloud (8.5) with both SSL and Authentication which is
> working correctly. However, I get the following warning in the logs
>
> "Solr authentication is enabled, but SSL is off. Consider enabling SSL to
> protect user credentials and data with encryption"
>
> Looking at the source code for SolrCloud there appears to be a bug
> if (authenticationPlugin !=null &&
> StringUtils.isNotEmpty(System.getProperty("solr.jetty.https.port"))) {
> log.warn("Solr authentication is enabled, but SSL is off. Consider enabling
> SSL to protect user credentials and data with encryption.");
> }
>
> Rather than checking for an empty system property (which would indicate SLL
> is off) its checking for a populated one which is what you get when SSL is on.
> This is a major issue because administrators are very concerned that Solr has
> been deployed in an insecure fashion.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
