[ 
https://issues.apache.org/jira/browse/SOLR-16963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17763782#comment-17763782
 ] 

Houston Putman commented on SOLR-16963:
---------------------------------------

Not a solution for the back compat issues, but I have determined that this is 
indeed a bug.

The new mTLS tests (https://github.com/apache/solr/pull/1912) allow me to 
create an mTLS cluster with the server certs using "localhost" and the client 
certs using some made up host, such as "test.solr.apache.org". If I don't do 
anything other than remove the bad clientHostNameVerification option in the 
Http2SolrClient, everything succeeds. However, if I go back to the previous way 
that CLIENT_HOSTNAME_VERIFICATION was used, previous to SOLR-14163, then it 
fails, as I would expect (since the client hostname does not match the client 
certificate). We can now add back that option as it was previously used, and 
use our tests to show that it doesn't break mTLS.

> Conflicting SSL options for Http2SolrClient TLS
> -----------------------------------------------
>
>                 Key: SOLR-16963
>                 URL: https://issues.apache.org/jira/browse/SOLR-16963
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: http2, SolrJ
>    Affects Versions: 8.4.1
>            Reporter: Houston Putman
>            Priority: Major
>
> Since SOLR-14163, the {{solr.jetty.ssl.verifyClientHostName}} and 
> {{solr.ssl.checkPeerName}} options have done the exact same thing in the 
> {{Http2SolrClient}}, which is to control the 
> {{EndpointIdentificationAlgorithm}}. 
> Since {{solr.jetty.ssl.verifyClientHostName}} is checked second, that is 
> actually the setting that is used to determine the 
> {{EndpointIdentificationAlgorithm}}, so {{solr.ssl.checkPeerName}} is 
> actually ignored.
> Going forward I suggest that we stop our use of 
> {{solr.jetty.ssl.verifyClientHostname}}, because it was added after 
> {{solr.ssl.checkPeerName}} and its name is less correct. The 
> endpointIdentificationAlgorithm doesn't do any verification of the client's 
> hostname. That's an mTLS option, and is server-side.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
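To make the precedence problem in the issue concrete, here is an added, stand-alone illustration in plain JDK terms. It is not Solr or Jetty code and does not reproduce Http2SolrClient's actual implementation: the "conflicting" method is a reconstruction of the behaviour the issue describes (checkPeerName read first, verifyClientHostName read second, the second assignment winning), the default value of `true` for both properties is an assumption, and the host/port passed to `createSSLEngine` are constructed sample values. What it does show accurately is what the `EndpointIdentificationAlgorithm` controls: with `"HTTPS"` the JSSE checks the server certificate's names against the host the client connected to; with `null` that check is off and the client accepts any certificate that chains to its trust store, for any host.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Added illustration of SOLR-16963 (not Solr's own code): two boolean
 * properties both drive one SSLParameters field, so whichever is consulted
 * last silently decides whether server hostname verification happens.
 */
public class EndpointIdentificationDemo {

    /** Reads a "true"/"false" system property; the default is assumed here. */
    static boolean flag(String name, boolean dflt) {
        String v = System.getProperty(name);
        return v == null ? dflt : Boolean.parseBoolean(v);
    }

    /**
     * Reconstruction of the pre-fix logic as the issue describes it:
     * checkPeerName is consulted first, verifyClientHostName second, and the
     * second assignment overwrites the first, so checkPeerName has no effect.
     */
    static String conflictingAlgorithm() {
        String algorithm = flag("solr.ssl.checkPeerName", true) ? "HTTPS" : null;
        // Second check overwrites the first unconditionally.
        algorithm = flag("solr.jetty.ssl.verifyClientHostName", true) ? "HTTPS" : null;
        return algorithm;
    }

    /** The direction the issue proposes: one property, one decision. */
    static String singleSourceAlgorithm() {
        return flag("solr.ssl.checkPeerName", true) ? "HTTPS" : null;
    }

    /** Applies the chosen algorithm to a client-mode SSLEngine (host/port are sample values). */
    static SSLEngine configureEngine(String algorithm) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("localhost", 8983);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        // "HTTPS": the JSSE verifies the server cert's SAN/CN against the peer host.
        // null: no hostname check; the chain is still validated against the trust store.
        params.setEndpointIdentificationAlgorithm(algorithm);
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Operator explicitly turns peer-name checking off via checkPeerName ...
        System.setProperty("solr.ssl.checkPeerName", "false");
        // ... but the other property keeps its (assumed) default.
        System.setProperty("solr.jetty.ssl.verifyClientHostName", "true");

        System.out.println("conflicting logic chooses: " + conflictingAlgorithm());
        System.out.println("single-source logic chooses: " + singleSourceAlgorithm());

        SSLEngine engine = configureEngine(singleSourceAlgorithm());
        System.out.println("engine algorithm now: "
            + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

Run as written, the conflicting version reports `HTTPS` even though `solr.ssl.checkPeerName` was set to `false`, which is the "actually ignored" behaviour from the issue; the single-source version reports `null`. The operational risk cuts both ways: an operator who believes they disabled the check may still have it on (connections to hosts whose cert names don't match fail unexpectedly), and an operator who believes they enabled it via the first property may have it silently off. A configuration that produces one TLS setting from one property is easier to audit, and the mTLS test cluster described in the comment (server cert for "localhost", client cert for an unrelated name) is exactly the fixture that detects a regression if the two properties are ever conflated again.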
