[ https://issues.apache.org/jira/browse/SOLR-9713?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Miloš Havránek updated SOLR-9713:
---------------------------------
    Security: Public  (was: Private (Security Issue))

> TLS-SSL Mutual-Auth doesn't work, Unable to load keyStore with given password
> -----------------------------------------------------------------------------
>
>                 Key: SOLR-9713
>                 URL: https://issues.apache.org/jira/browse/SOLR-9713
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: Authentication, config-api, scripts and tools, security
>    Affects Versions: 6.2.1
>         Environment: Windows only
>            Reporter: Miloš Havránek
>              Labels: security, windows
>
> Official manual 6.2 says that for enabling HTTPS you have to create keystore
> with keypair having "secret" as password (example), assume that I have done
> everything else needed to enable HTTPS correctly.
> When I want to create keystore and keypair with another password it works
> only on Linux OS but on Windows only with "secret" as a password.
> solr.in.cmd properties aren't used by server properly on Windows:
>
> CASE1:
> keystore password: secret
> keypair password: secret
> SOLR_SSL_KEY_STORE_PASSWORD=secret
> SOLR_SSL_TRUST_STORE_PASSWORD=secret
> Everything works
>
> CASE2:
> keystore password: secret
> keypair password: secret
> SOLR_SSL_KEY_STORE_PASSWORD=changeit
> SOLR_SSL_TRUST_STORE_PASSWORD=changeit
> No "Keystore was tampered with, or password was incorrect" -> which means it
> uses "secret" as password when it shouldn't
> Multiple repeating Errors:
> INFO  - 2016-11-02 07:52:00.657; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to {s}->https://localhost:8983: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
> INFO  - 2016-11-02 07:52:00.657; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}->https://localhost:8983
>
> CASE3:
> keystore password: changeit
> keypair password: changeit
> SOLR_SSL_KEY_STORE_PASSWORD=changeit
> SOLR_SSL_TRUST_STORE_PASSWORD=changeit
> Errors:
> java.lang.reflect.InvocationTargetException
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
>         at org.eclipse.jetty.start.Main.start(Main.java:457)
>         at org.eclipse.jetty.start.Main.main(Main.java:75)
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
>         at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
>         at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
>         at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
>         at java.security.KeyStore.load(KeyStore.java:1445)
>         at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1016)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:332)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>         at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>         at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:260)
>         at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>         at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:244)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:384)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1510)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1435)
>         ... 7 more
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
>         ... 30 more
> Usage: java -jar start.jar [options] [properties] [configs]
>        java -jar start.jar --help  # for more information
> INFO  - 2016-11-02 07:53:55.221; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to {s}->https://localhost:8983: Connection reset
> INFO  - 2016-11-02 07:53:55.225; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}->https://localhost:8983
>
> Another issue:
> I want for the server to require Client Authentication by certificate but
> the properties aren't passed to the server or used by the server. Doesn't
> work on Windows, works on Linux.
>
> CASE1:
> set SOLR_SSL_NEED_CLIENT_AUTH=true
> set SOLR_SSL_WANT_CLIENT_AUTH=false
> server doesn't require client certificate for authentication
>
> CASE2:
> set SOLR_SSL_NEED_CLIENT_AUTH=false
> set SOLR_SSL_WANT_CLIENT_AUTH=true
> server doesn't want client certificate for authentication
>
> I found that I can set the properties defaults in jetty-ssl.xml
> which somehow helps a bit but the server still won't start and throws errors:
> INFO  - 2016-11-02 09:29:05.036; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to {s}->https://localhost:8983: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
> INFO  - 2016-11-02 09:29:05.036; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}->https://localhost:8983
>
> I know that most of the Solr projects probably run on Linux but we also use
> Windows environment for testing, because we have to ensure that our solution
> is platform independent.
> Would be cool if someone would lay an eye on that.