[
https://issues.apache.org/jira/browse/SOLR-16963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Houston Putman updated SOLR-16963:
----------------------------------
Fix Version/s: main (10.0)
8.11.3
9.4
> verifyClientHostName is used incorrectly
> ----------------------------------------
>
> Key: SOLR-16963
> URL: https://issues.apache.org/jira/browse/SOLR-16963
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: http2, SolrJ
> Affects Versions: 8.4.1
> Reporter: Houston Putman
> Priority: Major
> Fix For: main (10.0), 8.11.3, 9.4
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Since SOLR-14163, the {{solr.jetty.ssl.verifyClientHostName}} and
> {{solr.ssl.checkPeerName}} options have done the exact same thing in the
> {{{}Http2SolrClient{}}}, which is control the
> {{{}EndpointIdentificationAlgorithm{}}}.
> Since {{solr.jetty.ssl.verifyClientHostName}} is checked second, that is
> actually the setting that is used to determine the
> {{{}EndpointIdentificationAlgorithm{}}}, so {{solr.ssl.checkPeerName}} is
> actually ignored.
> Going forward I suggest that we stop our use of
> {{{}solr.jetty.ssl.verifyClientHostname{}}}, because it was added after
> {{solr.ssl.checkPeerName}} and its name is less correct. The
> endpointIdentificationAlgorithm doesn't do any verification of the client's
> hostname. That's a mTLS option, and is server-side.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
