[jira] [Commented] (SOLR-14105) Http2SolrClient SSL not working in branch_8x

Wed, 13 May 2020 02:35:23 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-14105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17106155#comment-17106155
 ] 

Jan Høydahl commented on SOLR-14105:
------------------------------------

Yes, the SSL code in Jetty seems a bit incomplete and trappy.

But perhaps your solution is to use a separate KEY STORE for your client cert, 
specifying {{SOLR_SSL_CLIENT_KEY_STORE}} and 
{{SOLR_SSL_CLIENT_KEY_STORE_PASSWORD}} in solr.in.sh (there is already a 
section in the file describing the option, but it is not documented in 
RefGuide). Then you can have wildcard certs in the main keystore and they will 
work fine. But the code in Http2SolrClient will use the CLIENT keystore, in 
which you'll put a nice and clean client cert that will validate. I have done 
this myself.

> Http2SolrClient SSL not working in branch_8x
> --------------------------------------------
>
>                 Key: SOLR-14105
>                 URL: https://issues.apache.org/jira/browse/SOLR-14105
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 8.5
>            Reporter: Jan Høydahl
>            Assignee: Kevin Risden
>            Priority: Major
>         Attachments: SOLR-14105.patch
>
>
> In branch_8x we upgraded to Jetty 9.4.24. This causes the following 
> exceptions when attempting to start server with SSL:
> {noformat}
> 2019-12-17 14:46:16.646 ERROR (main) [   ] o.a.s.c.SolrCore 
> null:org.apache.solr.common.SolrException: Error instantiating 
> shardHandlerFactory class [HttpShardHandlerFactory]: 
> java.lang.UnsupportedOperationException: X509ExtendedKeyManager only 
> supported on Server
>       at 
> org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:56)
>       at org.apache.solr.core.CoreContainer.load(CoreContainer.java:633)
> ...
> Caused by: java.lang.RuntimeException: 
> java.lang.UnsupportedOperationException: X509ExtendedKeyManager only 
> supported on Server
>       at 
> org.apache.solr.client.solrj.impl.Http2SolrClient.createHttpClient(Http2SolrClient.java:224)
>       at 
> org.apache.solr.client.solrj.impl.Http2SolrClient.<init>(Http2SolrClient.java:154)
>       at 
> org.apache.solr.client.solrj.impl.Http2SolrClient$Builder.build(Http2SolrClient.java:833)
>       at 
> org.apache.solr.handler.component.HttpShardHandlerFactory.init(HttpShardHandlerFactory.java:321)
>       at 
> org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:51)
>       ... 50 more
> Caused by: java.lang.UnsupportedOperationException: X509ExtendedKeyManager 
> only supported on Server
>       at 
> org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1273)
>       at 
> org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1255)
>       at 
> org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
>       at 
> org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
>  {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

Reply via email to