On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:
I have enabled SSL for Solr using the steps mentioned on the Lucene
website. And though the Solr console URL is now secure (https), it is still
using TLS v1.0.
I have tried a few things to force SSL to use the TLS1.2 protocol, but they
have not worked for me.

While trying to do the same, I have observed that Solr itself does not offer any
Solr property to specify the cipher, algorithm or TLS version.

The following things have been tried:
1. Key store/trust store for Solr to enable SSL with different key
algorithm, etc. combinations for the certificates
2. Different Solr versions for step 1 (Solr 5.x, 6.x, 7.x - we are using Solr
5.3 currently)
3. Using Java version 1.8 and adding the Solr certificate in the Java keystore to
enforce TLS1.2

Solr lets Java and Jetty handle TLS.  Solr itself doesn't get involved except to provide information to other software.

There are a whole lot of versions of Java 8, and at least three vendors for it.  The big names are Oracle, IBM, and OpenJDK.  What vendor and exact version of Java are you running? What OS is it on?  Do you have the "unlimited JCE" addition installed in your Java and enabled?  If your Java version is new enough, you won't need to mess with JCE.  See this page:

https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html

Solr 5.3 ships with Jetty 9.2.11, which is considered very outdated by the Jetty project -- released well over three years ago.  From the perspective of the Solr project, version 5.3 is also very old -- two major versions behind what's current, and also released three years ago.

Jetty 9.2 is up to 9.2.26.  The current version is Jetty 9.4.14.  The latest version of Solr (7.5.0) is shipping with Jetty 9.4.11.  I think Jetty will likely be upgraded to the latest release for Solr 7.6.0.

Have you made any changes to the Jetty config, particularly jetty-ssl.xml?  One thing you might try, although I'll warn you that it may make no difference at all, is to remove the parts of that config file that exclude certain protocols and ciphers, letting Jetty decide for itself what it should use.  Recent versions of Jetty and Java have very good defaults.  I do not know whether Jetty 9.2.11 (included with Solr 5.3, as mentioned) has good defaults or not.

Thanks,
Shawn
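
The reply above points at the protocol include/exclude entries in jetty-ssl.xml. As an added example (not part of the thread, and not Solr or Jetty code), this script lists those entries and estimates which protocols the connector would still offer. The sample XML, the keystore path and the JVM protocol list are constructed assumptions, and the selection rule (include list if present, otherwise JVM defaults, minus excludes) is an approximation of Jetty's behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Jetty XML syntax; not the jetty-ssl.xml shipped with Solr.
SAMPLE_JETTY_SSL_XML = """\
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath">etc/example-keystore.jks</Set>
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String"><Item>SSLv3</Item></Array>
  </Set>
  <Call name="addExcludeProtocols">
    <Arg><Array type="java.lang.String"><Item>SSLv2Hello</Item></Array></Arg>
  </Call>
</Configure>
"""

# Assumption: protocols the JVM offers by default; substitute your own JVM's list.
JVM_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
WEAK = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def protocol_settings(xml_text):
    """Collect protocol include/exclude lists from <Set> and <Call> elements."""
    found = {"include": [], "exclude": []}
    for el in ET.fromstring(xml_text).iter():
        name = el.get("name", "")
        if el.tag not in ("Set", "Call") or not name.endswith("Protocols"):
            continue
        kind = "include" if "Include" in name else "exclude" if "Exclude" in name else None
        if kind:
            found[kind] += [i.text.strip() for i in el.iter("Item") if i.text]
    return found


def effective_protocols(settings, jvm_protocols=JVM_PROTOCOLS):
    """Approximation: include list (else JVM defaults), then remove excludes."""
    if settings["include"]:
        base = [p for p in jvm_protocols if p in settings["include"]]
    else:
        base = list(jvm_protocols)
    return [p for p in base if p not in settings["exclude"]]


def audit(xml_text, jvm_protocols=JVM_PROTOCOLS):
    """Return the parsed settings, the estimated result, and weak leftovers."""
    settings = protocol_settings(xml_text)
    effective = effective_protocols(settings, jvm_protocols)
    return {"settings": settings, "effective": effective,
            "weak_still_offered": [p for p in effective if p in WEAK]}


if __name__ == "__main__":
    print(audit(SAMPLE_JETTY_SSL_XML))
```

The estimate only reflects the config file; what the running server negotiates still depends on the Java vendor and version it runs on.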
