[jira] [Commented] (SOLR-14105) Http2SolrClient SSL not working in branch_8x

Wed, 13 May 2020 04:43:23 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-14105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17106221#comment-17106221
 ] 

Jan Høydahl commented on SOLR-14105:
------------------------------------

Thanks Simone. You did not quote me correctly. I said "..*seems* a bit 
incomplete and trappy", and that comment is for 9.4.14 that we use.

Again, a workaround is to specify a separate SOLR_SSL_CLIENT_KEY_STORE.

I think it is very hard to follow the GitHub issues/PRs you link to, so even 
after reading them, I did not understand that 9.4.25 actually allows multi 
certs even on the client side? This was the behaviour we had in Solr before 
upgrading from 9.4.19 to 9.4.24 - Jetty would pick the first cert on the 
keystore instead of throwing an exception. What is the new selection logic 
introduced in 9.4.25 (when we use  SslContextFactory.Client)?

Sounds like Solr should anyway upgrade Jetty!

> Http2SolrClient SSL not working in branch_8x
> --------------------------------------------
>
>                 Key: SOLR-14105
>                 URL: https://issues.apache.org/jira/browse/SOLR-14105
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 8.5
>            Reporter: Jan Høydahl
>            Assignee: Kevin Risden
>            Priority: Major
>         Attachments: SOLR-14105.patch
>
>
> In branch_8x we upgraded to Jetty 9.4.24. This causes the following 
> exceptions when attempting to start server with SSL:
> {noformat}
> 2019-12-17 14:46:16.646 ERROR (main) [   ] o.a.s.c.SolrCore 
> null:org.apache.solr.common.SolrException: Error instantiating 
> shardHandlerFactory class [HttpShardHandlerFactory]: 
> java.lang.UnsupportedOperationException: X509ExtendedKeyManager only 
> supported on Server
>       at 
> org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:56)
>       at org.apache.solr.core.CoreContainer.load(CoreContainer.java:633)
> ...
> Caused by: java.lang.RuntimeException: 
> java.lang.UnsupportedOperationException: X509ExtendedKeyManager only 
> supported on Server
>       at 
> org.apache.solr.client.solrj.impl.Http2SolrClient.createHttpClient(Http2SolrClient.java:224)
>       at 
> org.apache.solr.client.solrj.impl.Http2SolrClient.<init>(Http2SolrClient.java:154)
>       at 
> org.apache.solr.client.solrj.impl.Http2SolrClient$Builder.build(Http2SolrClient.java:833)
>       at 
> org.apache.solr.handler.component.HttpShardHandlerFactory.init(HttpShardHandlerFactory.java:321)
>       at 
> org.apache.solr.handler.component.ShardHandlerFactory.newInstance(ShardHandlerFactory.java:51)
>       ... 50 more
> Caused by: java.lang.UnsupportedOperationException: X509ExtendedKeyManager 
> only supported on Server
>       at 
> org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1273)
>       at 
> org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1255)
>       at 
> org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
>       at 
> org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
>  {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

Reply via email to