Mark Todd created SOLR-14711:
--------------------------------
Summary: Incorrect insecure settings check in CoreContainer
Key: SOLR-14711
URL: https://issues.apache.org/jira/browse/SOLR-14711
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Mark Todd
I've configured SolrCloud (8.5) with both SSL and Authentication which is
working correctly. However, I get the following warning in the logs
"Solr authentication is enabled, but SSL is off. Consider enabling SSL to
protect user credentials and data with encryption"
Looking at the source code for SolrCloud there appears to be a bug
if (authenticationPlugin !=null &&
StringUtils.isNotEmpty(System.getProperty("solr.jetty.https.port"))) {
log.warn("Solr authentication is enabled, but SSL is off. Consider enabling
SSL to protect user credentials and data with encryption.");
}
Rather than checking for an empty system property (which would indicate SLL is
off) its checking for a populated one which is what you get when SSL is on.
This is a major issue because administrators are very concerned that Solr has
been deployed in an insecure fashion.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
