Hi Anchal,
the IBM JVM behaves differently in the TLS setup then the Oracle JVM. If
you search for IBM Java TLS 1.2 you find tons of reports of problems
with that. In most cases you can get around that using the system
property "com.ibm.jsse2.overrideDefaultTLS" as documented here:
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html
regards,
Hendrik
On 22.11.2018 07:25, Anchal Sharma2 wrote:
Hi Shawn ,
Thanks for your reply .
Here are the details abut java we are using :
java version "1.8.0_151"
IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References
20171102_369060 (JIT enabled, AOT enabled)
I have already patched the policy jars .
And I tried to comment out the ciphers ,protocol entries in
jetty-ssl.xml ,but it did not work for me .I also tried to use an
"IncludeCipherSuites" entry to include a cipher I wanted to include
,but it did not work either .I started getting
SSL_ERROR_INTERNAL_ERROR_ALERT and ssl_error_no_cypher_overlap errors
on my console URL.I tried this in solr 7.3.1 version ,so jetty version
must also be relatively new.
Do you think java might not be letting me enable TLS1.2?
Thanks & Regards,
-------------------------------------------------
Anchal Sharma
Inactive hide details for Shawn Heisey ---21-11-2018 05:28:50---On
11/20/2018 3:02 AM, Anchal Sharma2 wrote: > I have enabled Shawn
Heisey ---21-11-2018 05:28:50---On 11/20/2018 3:02 AM, Anchal Sharma2
wrote: > I have enabled SSL for solr using steps mentioned o
From: Shawn Heisey <apa...@elyograg.org>
To: solr-user@lucene.apache.org
Date: 21-11-2018 05:28
Subject: Re: solr is using TLS1.0
------------------------------------------------------------------------
On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:
> I have enabled SSL for solr using steps mentioned over Lucene
> website .And though solr console URL is now secure(https) ,it is still
> using TLS v1.0.
> I have tried few things to force SSL to use TLS1.2 protocol ,but
they
> have not worked for me .
>
> While trying to do same ,I have observed solr itself does not offer any
> solr property to specify cipher ,algorithm or TLS version .
>
> Following things have been tried :
> 1.key store /trust store for solr to enable SSL with different key
> algorithm ,etc combinations for the certificates
> 2.different solr versions for step 1(solr 5.x,6.x,7.x-we are using solr
> 5.3 currently)
> 3.using java version 1.8 and adding solr certificate in java keystore to
> enforce TLS1.2
Solr lets Java and Jetty handle TLS. Solr itself doesn't get involved
except to provide information to other software.
There are a whole lot of versions of Java 8, and at least three vendors
for it. The big names are Oracle, IBM, and OpenJDK. What vendor and
exact version of Java are you running? What OS is it on? Do you have
the "unlimited JCE" addition installed in your Java and enabled? If
your Java version is new enough, you won't need to mess with JCE. See
this page:
https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html
Solr 5.3 ships with Jetty 9.2.11, which is considered very outdated by
the Jetty project -- released well over three years ago. From the
perspective of the Solr project, version 5.3 is also very old -- two
major versions behind what's current, and also released three years ago.
Jetty 9.2 is up to 9.2.26. The current version is Jetty 9.4.14. The
latest version of Solr (7.5.0) is shipping with Jetty 9.4.11. I think
Jetty will likely be upgraded to the latest release for Solr 7.6.0.
Have you made any changes to the Jetty config, particularly
jetty-ssl.xml? One thing you might try, although I'll warn you that it
may make no difference at all, is to remove the parts of that config
file that exclude certain protocols and ciphers, letting Jetty decide
for itself what it should use. Recent versions of Jetty and Java have
very good defaults. I do not know whether Jetty 9.2.11 (included with
Solr 5.3, as mentioned) has good defaults or not.
Thanks,
Shawn
