[ https://issues.apache.org/jira/browse/SOLR-13798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16941070#comment-16941070 ]

ASF subversion and git services commented on SOLR-13798:
--------------------------------------------------------

Commit 7350c5031635317c531c2f9249325d304a900772 in lucene-solr's branch refs/heads/master from Cao Manh Dat
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=7350c50 ]

SOLR-13798: SSL: Adding Enabling/Disabling client's hostname verification config


> SSL: Adding Enabling/Disabling client's hostname verification config
> --------------------------------------------------------------------
>
>                 Key: SOLR-13798
>                 URL: https://issues.apache.org/jira/browse/SOLR-13798
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>    Affects Versions: 8.2
>            Reporter: Cao Manh Dat
>            Assignee: Cao Manh Dat
>            Priority: Major
>         Attachments: SOLR-13709.patch, SOLR-13709.patch
>
>
> The problem appeared after upgrading to Jetty 9.4.19 (SOLR-13541).
> {{endpointIdentificationAlgorithm}} changed from null → HTTPS. As a result of
> this, the client's hostname (identity) is always verified on connecting to Solr.
> This change improved the security level of Solr, since it requires two-way
> identity verification (client verifies server's identity and vice versa). It
> leads to a problem for users when only certificate verification is enough
> (the client's hostname is not known ahead of time).
> We should introduce a flag in {{solr.in.sh}} to disable the client's hostname
> verification when needed.
> More about this at:
> * https://tools.ietf.org/html/rfc2818#section-3
> * https://github.com/eclipse/jetty.project/issues/3454
> * https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf


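The null → HTTPS switch the issue describes is a JSSE setting, so the following added example (not Solr's or Jetty's code; the property name `example.ssl.clientHostnameVerification` is a hypothetical stand-in for whatever flag the patch defines) shows what each value does on the server's accept side and why the client side should stay at HTTPS regardless:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Added example, not Solr or Jetty code. "HTTPS" makes the JDK trust manager
 * compare the peer certificate against the peer's hostname/IP (RFC 2818 s.3)
 * on top of chain validation; null keeps chain validation only.
 */
public final class HostnameVerificationConfig {

    /** Hypothetical flag name; the real Solr setting comes from the patch, not this page. */
    static final String CLIENT_HOSTNAME_VERIFICATION_PROP = "example.ssl.clientHostnameVerification";

    /**
     * Server side: a client certificate is always required (certificate
     * verification stays on); checking that certificate against the client's
     * address is the part the flag switches. The server must create the engine
     * with the connecting client's address, or the HTTPS check has nothing to
     * compare against.
     */
    public static SSLEngine serverEngine(SSLContext ctx, String peerHost, int peerPort,
                                         boolean verifyClientHostname) {
        SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(false);
        SSLParameters params = engine.getSSLParameters(); // returns a copy, so set it back
        params.setNeedClientAuth(true);
        params.setEndpointIdentificationAlgorithm(verifyClientHostname ? "HTTPS" : null);
        engine.setSSLParameters(params);
        return engine;
    }

    /** Client side: the server's identity is always checked; this is never disabled. */
    public static SSLEngine clientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** Reads the hypothetical flag; unset means the stricter Jetty 9.4.19 default. */
    public static boolean clientHostnameVerificationEnabled() {
        return Boolean.parseBoolean(System.getProperty(CLIENT_HOSTNAME_VERIFICATION_PROP, "true"));
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine server = serverEngine(ctx, "client.example.invalid", 51000, clientHostnameVerificationEnabled());
        SSLEngine client = clientEngine(ctx, "solr.example.invalid", 8983);
        System.out.println("server checks client hostname: "
            + "HTTPS".equals(server.getSSLParameters().getEndpointIdentificationAlgorithm()));
        System.out.println("client checks server hostname: "
            + client.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

Run with `-Dexample.ssl.clientHostnameVerification=false` to see the server-side algorithm drop to null while the client side stays at HTTPS.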

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
