[ https://issues.apache.org/jira/browse/SOLR-12988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16867086#comment-16867086 ]
Hoss Man commented on SOLR-12988:
---------------------------------

{quote}We could potentially try to make the detection very sophisticated, and dependent on checkPeerName ...
{quote}
while looking into SOLR-12990 i just realized i misread your commit: you *did* make the "don't allow TLSv1.3" logic conditional on whether checkPeerName=true, but it's also a silent modification of the defaults -- users won't get any logging/notice unless they've explicitly set the "https.protocols" sysprop to _only_ specify TLSv1.3 (and get a failure)

... which really seems like bad default behavior ... users who set checkPeerName=true to try and ensure _more_ security, silently get _downgraded_ cipher support?

----

I really think that we should just:
* make sure jenkins boxes are running 11.0.3
* revert most of your commit, except for the test changes that re-enable SSL testing on java11
* document the known JDK bugs

And then consider as a future improvement logging/warnings about those JDK bugs if we can auto-detect them.

> Avoid using TLSv1.3 for HttpClient
> ----------------------------------
>
>                 Key: SOLR-12988
>                 URL: https://issues.apache.org/jira/browse/SOLR-12988
>             Project: Solr
>          Issue Type: Test
>            Reporter: Hoss Man
>            Assignee: Cao Manh Dat
>            Priority: Major
>              Labels: Java11, Java12
>         Attachments: SOLR-13413.patch
>
>
> HTTPCLIENT-1967 indicates that HttpClient can't be used properly with
> TLSv1.3. It caused some test failures below, therefore we should enforce
> HttpClient to use TLSv1.2 or lower versions.
> TestMiniSolrCloudClusterSSL.testSslWithCheckPeerName seems to fail 100% of
> the time when run with java11 (or java12), regardless of seed, on both master
> & 7x.
> The nature of the problem and the way our http stack works suggests it *may*
> ultimately be a jetty bug (perhaps related to [jetty
> issue#2711|https://github.com/eclipse/jetty.project/issues/2711]?)
> *HOWEVER* ... as far as i can tell, whatever the root cause is, seems to have
> been fixed on the {{jira/http2}} branch (as of
> 52bc163dc1804c31af09c1fba99647005da415ad) which should hopefully be getting
> merged to master soon.
> Filing this issue largely for tracking purpose, although we may also want to
> use it for discussions/considerations of other backports/fixes to 7x

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
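
Added example, not part of the original message and not Solr's code: a sketch of protocol selection that drops TLSv1.3 when checkPeerName=true but logs the downgrade instead of applying it silently, which is the gap the comment describes. The class `TlsProtocolChooser` and its `choose` method are hypothetical names; only the `https.protocols` sysprop and the checkPeerName setting come from the message.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;

/** Hypothetical helper (assumption, not Solr code): pick client TLS protocols, log any downgrade. */
public class TlsProtocolChooser {
  private static final Logger LOG = Logger.getLogger(TlsProtocolChooser.class.getName());
  static final String TLS13 = "TLSv1.3";

  /**
   * @param requested     value of the "https.protocols" sysprop, or null when unset
   * @param supported     protocols the running JVM supports
   * @param checkPeerName whether hostname verification is enabled
   */
  static List<String> choose(String requested, String[] supported, boolean checkPeerName) {
    boolean explicit = requested != null && !requested.trim().isEmpty();
    List<String> candidates = new ArrayList<>();
    // Start from the explicit list if one was given, otherwise from the JVM defaults.
    for (String p : explicit ? requested.split(",") : supported) {
      String name = p.trim();
      if (!name.isEmpty() && Arrays.asList(supported).contains(name)) candidates.add(name);
    }
    if (!checkPeerName || !candidates.contains(TLS13)) return candidates;

    List<String> kept = new ArrayList<>(candidates);
    kept.remove(TLS13);
    if (kept.isEmpty()) {
      // The one case the comment says already fails: only TLSv1.3 was requested.
      throw new IllegalStateException("Only " + TLS13 + " was requested, but it is disabled "
          + "while checkPeerName=true; add another protocol to https.protocols");
    }
    // Every other case is a downgrade the operator should be told about.
    LOG.warning("Dropping " + TLS13 + " because checkPeerName=true ("
        + (explicit ? "https.protocols set explicitly" : "JVM defaults in use")
        + "); enabled protocols are now " + kept);
    return kept;
  }

  public static void main(String[] args) throws Exception {
    String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
    // Sysprop as found on this JVM (normally unset) with checkPeerName=true.
    System.out.println(choose(System.getProperty("https.protocols"), supported, true));
    // Constructed sample value: explicit list that leaves a fallback protocol.
    System.out.println(choose("TLSv1.3,TLSv1.2", supported, true));
  }
}
```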