[
https://issues.apache.org/jira/browse/SOLR-16964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17763129#comment-17763129
]
ASF subversion and git services commented on SOLR-16964:
--------------------------------------------------------
Commit 7ae613c6c3fcefb9393ef55ca4501e7452cc4ca1 in solr's branch
refs/heads/main from Houston Putman
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=7ae613c6c3f ]
SOLR-16964: Default the sniHostCheck setting to the checkPeerName envVar (#1897)
> sniHostCheck should default to SOLR_SSL_CHECK_PEER_NAME
> -------------------------------------------------------
>
> Key: SOLR-16964
> URL: https://issues.apache.org/jira/browse/SOLR-16964
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Server
> Affects Versions: 9.2
> Reporter: Houston Putman
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> When we upgraded Solr to Jetty 10, it started doing SNI checks by default. To
> combat this, Tomas added an option to skip SNI Host checking in SOLR-16735. I
> think that this should default to the option already given in
> SOLR_SSL_CHECK_PEER_NAME, which is practically the same check for clients.
> (SNI is a server setting).
> So if we start to set {{solr.jetty.ssl.sniHostCheck}} by default to the value
> that {{SOLR_SSL_CHECK_PEER_NAME}} has, then users will see no issues when
> using Solr as they had been. If users want to separate their server/client
> settings. They can always still provide the {{solr.jetty.ssl.sniHostCheck}}
> option themselves in SOLR_OPTS, which will override the option defaulted by
> Solr.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
