[ https://issues.apache.org/jira/browse/SOLR-16735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tomas Eduardo Fernandez Lobbe reassigned SOLR-16735: ---------------------------------------------------- Assignee: Tomas Eduardo Fernandez Lobbe > "Invalid SNI" error when request server name doesn't match host certificate > --------------------------------------------------------------------------- > > Key: SOLR-16735 > URL: https://issues.apache.org/jira/browse/SOLR-16735 > Project: Solr > Issue Type: Bug > Security Level: Public(Default Security Level. Issues are Public) > Affects Versions: 9.2 > Reporter: Tomas Eduardo Fernandez Lobbe > Assignee: Tomas Eduardo Fernandez Lobbe > Priority: Major > > Jetty 10 slightly changed the behavior for handling SNI validation. See > [Jetty9.4|https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L262] > vs [Jetty > 10|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L242]. > In Jetty 9, by default (which Solr uses up to version 9.1), SNI extension > was not validated if not present, but in Jetty 10, by default, the host name > is validated against the host certificate, and {{400: Invalid SNI}} is thrown > if they don't match. > I think the right approach for Solr is to set {{sniHostCheck}} to {{false}}, > and at the most be the option to configure using jetty internal sysprops like > [here|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/config/etc/jetty-ssl.xml#L56-L61] > -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org