RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH Solr 8.1.0

2019-05-17 Thread Younge, Kent A - Norman, OK - Contractor 
Also when I run openssl I get the following: 

openssl s_client -showcerts -connect solrsite.com:8983  solr-ssl.p12


keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore 
solr-ssl.keystore.jks -deststoretype pkcs12

solr.in.sh

# Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this 
config # to enable https module with custom jetty configuration.
#SOLR_SSL_ENABLED=true
# Uncomment to set SSL-related system properties # Be sure to update the paths 
to the correct keystore for your environment 
SOLR_SSL_KEY_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=password
SOLR_SSL_TRUST_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=password
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require) 
SOLR_SSL_WANT_CLIENT_AUTH=false # SSL Certificates contain host/ip "peer name" 
information that is validated by default. Setting # this to false can be useful 
to disable these checks when re-using a certificate on many hosts 
#SOLR_SSL_CHECK_PEER_NAME=true # Override Key/Trust Store types if necessary 
SOLR_SSL_KEY_STORE_TYPE=JKS SOLR_SSL_TRUST_STORE_TYPE=JKS









Thank you,

Kent Younge
Systems Engineer

ERR_SSL_VERSION_OR_CIPHER_MISMATCH Solr 8.1.0

2019-05-17 Thread Younge, Kent A - Norman, OK - Contractor 
Hello,

I have upgraded one of our boxes to Solr 8.1.0 on RHEL 7.6 with Java 12.0.1.  I 
also had a certificate up for renewal and I went through my regular process of 
creating the certificate and key.  Now I get a 
ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.  I have gotten this before however, 
that was due to me adding the certificate into the keystore.   Here are the 
list of cmds I that have run.

keytool -import -trustcacerts -alias root -file RootCA.cer -keystore 
solr-ssl.keystore.jks
keytool -import -trustcacerts -alias POL1 -file Pol1CA.cer -keystore 
solr-ssl.keystore.jks
keytool -import -trustcacerts -alias SUB1 -file Sub1CA.cer -keystore 
solr-ssl.keystore.jks
keytool -import -trustcacerts -alias SUB2 -file Sub2CA.cer -keystore 
solr-ssl.keystore.jks


openssl pkcs12 -export -in solr.cer -inkey solrpk.key > solr-ssl.p12


keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore 
solr-ssl.keystore.jks -deststoretype pkcs12

solr.in.sh

# Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this 
config
# to enable https module with custom jetty configuration.
#SOLR_SSL_ENABLED=true
# Uncomment to set SSL-related system properties
# Be sure to update the paths to the correct keystore for your environment
SOLR_SSL_KEY_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=password
SOLR_SSL_TRUST_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=password
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# SSL Certificates contain host/ip "peer name" information that is validated by 
default. Setting
# this to false can be useful to disable these checks when re-using a 
certificate on many hosts
#SOLR_SSL_CHECK_PEER_NAME=true
# Override Key/Trust Store types if necessary
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS









Thank you,

Kent Younge
Systems Engineer

ERR_SSL_VERSION_OR_CIPHER_MISMATCH Solr 8.1.0

2019-05-16 Thread Younge, Kent A - Norman, OK - Contractor 

Hello,

I have upgraded one of our boxes to Solr 8.1.0 on RHEL 7.6 with Java 12.0.1.  I 
also had a certificate up for renewal and I went through my regular process of 
creating the certificate and key.  Now I get a 
ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.  I have gotten this before however, 
that was due to me adding the certificate into the keystore.   Here are the 
list of cmds I that have run.

keytool -import -trustcacerts -alias root -file RootCA.cer -keystore 
solr-ssl.keystore.jks
keytool -import -trustcacerts -alias POL1 -file Pol1CA.cer -keystore 
solr-ssl.keystore.jks
keytool -import -trustcacerts -alias SUB1 -file Sub1CA.cer -keystore 
solr-ssl.keystore.jks
keytool -import -trustcacerts -alias SUB2 -file Sub2CA.cer -keystore 
solr-ssl.keystore.jks


openssl pkcs12 -export -in solr.cer -inkey solrpk.key > solr-ssl.p12


keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore 
solr-ssl.keystore.jks -deststoretype pkcs12

solr.in.sh

# Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this 
config
# to enable https module with custom jetty configuration.
#SOLR_SSL_ENABLED=true
# Uncomment to set SSL-related system properties
# Be sure to update the paths to the correct keystore for your environment
SOLR_SSL_KEY_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=password
SOLR_SSL_TRUST_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=password
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# SSL Certificates contain host/ip "peer name" information that is validated by 
default. Setting
# this to false can be useful to disable these checks when re-using a 
certificate on many hosts
#SOLR_SSL_CHECK_PEER_NAME=true
# Override Key/Trust Store types if necessary
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS




Thank you,

Kent Younge
Systems Engineer

RE: Certificate issue ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-10-23 Thread Younge, Kent A - Norman, OK - Contractor 

I was able to resolve the issue.  I was adding the certificate and then I had 
combined my certificate and private key.  So when I added the certificate plus 
the certificate and private key it was breaking.  I removed just the 
certificate and it resolved the issue.  So I had my root certificates and the 
certificate plus private key and everything starting working correctly. 





Thank you,

Kent Younge
Systems Engineer
USPS MTSC IT Support
600 W. Rock Creek Rd, Norman, OK  73069-8357
O:405 573 2273


-Original Message-
From: Shawn Heisey [mailto:apa...@elyograg.org] 
Sent: Friday, October 20, 2017 4:33 PM
To: solr-user@lucene.apache.org
Subject: Re: Certificate issue ERR_SSL_VERSION_OR_CIPHER_MISMATCH

On 10/19/2017 6:30 AM, Younge, Kent A - Norman, OK - Contractor wrote:
> Built a clean Solr server imported my certificates and when I go to the 
> SSL/HTTPS page it tells me that I have ERR_SSL_VERSION_OR_CIPHER_MISMATCH in 
> Chrome and in IE tells me that I need to TURN ON TLS 1.0, TLS 1.1, and TLS 
> 1.2.

What java version?  What Java vendor?  What operating system?  The OS won't 
have a lot of impact on HTTPS, I just ask in case other information is desired, 
so we can tailor the information requests.

I see other messages where you mention Solr 6.6, which requires Java 8.

As Hoss mentioned to you in another thread, *all* of the SSL capability is 
provided by Java.  The Jetty that ships with Solr includes a config for HTTPS.  
The included Jetty config *excludes* a handful of low-quality ciphers that your 
browser probably already refuses to use, but that's the only cipher-specific 
configuration.  If you haven't changed the Jetty config in the Solr download, 
then Jetty defaults and your local Java settings will control everything else.  
As far as I am aware, Solr doesn't influence the SSL config at all.

  
    
  SSL_RSA_WITH_DES_CBC_SHA
  SSL_DHE_RSA_WITH_DES_CBC_SHA
  SSL_DHE_DSS_WITH_DES_CBC_SHA
  SSL_RSA_EXPORT_WITH_RC4_40_MD5
  SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    
  

It is extremely unlikely that Solr itself is causing these problems.  It is 
more likely that there's something about your environment (java version, custom 
java config, custom Jetty config, browser customization, or maybe something 
else) that is resulting in a protocol and cipher list that your browser doesn't 
like.

Thanks,
Shawn

RE: Certificate issue ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-10-19 Thread Younge, Kent A - Norman, OK - Contractor 
Resolved the Cipher Mismatch error. 






Thank you,

Kent Younge
Systems Engineer
USPS MTSC IT Support
600 W. Rock Creek Rd, Norman, OK  73069-8357
O:405 573 2273


-Original Message-
From: Younge, Kent A - Norman, OK - Contractor 
[mailto:kent.a.you...@usps.gov.INVALID] 
Sent: Thursday, October 19, 2017 7:30 AM
To: 'solr-user@lucene.apache.org'
Subject: Certificate issue ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Built a clean Solr server imported my certificates and when I go to the 
SSL/HTTPS page it tells me that I have ERR_SSL_VERSION_OR_CIPHER_MISMATCH in 
Chrome and in IE tells me that I need to TURN ON TLS 1.0, TLS 1.1, and TLS 1.2. 
 TLS is turned on and if I browse to the server name instead of the site name 
the SOLR app comes up with a certificate issue saying that the site certificate 
name is different.  I have also installed one of my other certificates that is 
working on one of my other SOLR servers on the server that is having the issue 
and the HTTPS site comes up just fine.This has been going on for over a 
month now and I do not know what to do next.  I have messed with the 
java.security file to see if maybe it was a cipher however, I do not think that 
is actually the problem b/c as I mentioned before if I take one of my other 
certificates and the SOLR HTTPS site comes up for that site name.  So I am 
thinking that the server is configured correctly.  I have requested my 
certificates at least 5 times to see if it is actually the certificate that is 
having the issue.   And none of the certificates for this site has actually 
worked.  I am at a loss at what to look at next.  If I modify the solr.in.sh 
and comment out the SSL settings the site comes up just fine.   I have also 
looked in DNS to see if that was maybe an issue and it is configured properly.  
 I believe another person is having the same issue as I am on the list as well.

Certificate issue ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-10-19 Thread Younge, Kent A - Norman, OK - Contractor 
Built a clean Solr server imported my certificates and when I go to the 
SSL/HTTPS page it tells me that I have ERR_SSL_VERSION_OR_CIPHER_MISMATCH in 
Chrome and in IE tells me that I need to TURN ON TLS 1.0, TLS 1.1, and TLS 1.2. 
 TLS is turned on and if I browse to the server name instead of the site name 
the SOLR app comes up with a certificate issue saying that the site certificate 
name is different.  I have also installed one of my other certificates that is 
working on one of my other SOLR servers on the server that is having the issue 
and the HTTPS site comes up just fine.This has been going on for over a 
month now and I do not know what to do next.  I have messed with the 
java.security file to see if maybe it was a cipher however, I do not think that 
is actually the problem b/c as I mentioned before if I take one of my other 
certificates and the SOLR HTTPS site comes up for that site name.  So I am 
thinking that the server is configured correctly.  I have requested my 
certificates at least 5 times to see if it is actually the certificate that is 
having the issue.   And none of the certificates for this site has actually 
worked.  I am at a loss at what to look at next.  If I modify the solr.in.sh 
and comment out the SSL settings the site comes up just fine.   I have also 
looked in DNS to see if that was maybe an issue and it is configured properly.  
 I believe another person is having the same issue as I am on the list as well.

Certificate issue

2017-10-18 Thread Younge, Kent A - Norman, OK - Contractor 

Jack, 

Are you still having the same issue?





Thank you,

Kent Younge
Systems Engineer
USPS MTSC IT Support
600 W. Rock Creek Rd, Norman, OK  73069-8357
O:405 573 2273


-Original Message-
From: Younge, Kent A - Norman, OK - Contractor 
[mailto:kent.a.you...@usps.gov.INVALID] 
Sent: Monday, October 16, 2017 10:58 AM
To: solr-user@lucene.apache.org
Subject: RE: solrcloud dead-lock

Jack, 

No I still have the issue on one box only.  I have re-requested certificates 
several times and still come back with the same issue.  If I put a working 
certificate on the box everything works the way it should.  Also if I browse 
the https:  to the server name instead of the registered certificate name Solr 
comes up with a untrusted certificate showing that the site is registered to my 
certificate name.  So SOLR is working but, not with my certificates.   I have 
messed with the java security settings that did not help.  The box works like 
it should and for whatever, reason with that certificate it will not work.  I 
have changed the names of the certificate I had a hyphen in the name and 
thought that was causing an issue.  Took the hyphen out it made no difference.  
In IE I get the turn on TLS and even though it is set.  In Chrome I get 
ERR_SSL_Version or Cipher_MISMATCH.  






-Original Message-
From: SOLR6931 [mailto:solrpubl...@gmail.com] 
Sent: Monday, October 16, 2017 9:13 AM
To: solr-user@lucene.apache.org
Subject: Re: solrcloud dead-lock

Hey Kent,
Have you managed to find a solution to your problem?
I'm currently encountering the exact same issue.

Jack



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html

RE: solrcloud dead-lock

2017-10-16 Thread Younge, Kent A - Norman, OK - Contractor 
Jack, 

No I still have the issue on one box only.  I have re-requested certificates 
several times and still come back with the same issue.  If I put a working 
certificate on the box everything works the way it should.  Also if I browse 
the https:  to the server name instead of the registered certificate name Solr 
comes up with a untrusted certificate showing that the site is registered to my 
certificate name.  So SOLR is working but, not with my certificates.   I have 
messed with the java security settings that did not help.  The box works like 
it should and for whatever, reason with that certificate it will not work.  I 
have changed the names of the certificate I had a hyphen in the name and 
thought that was causing an issue.  Took the hyphen out it made no difference.  
In IE I get the turn on TLS and even though it is set.  In Chrome I get 
ERR_SSL_Version or Cipher_MISMATCH.  






-Original Message-
From: SOLR6931 [mailto:solrpubl...@gmail.com] 
Sent: Monday, October 16, 2017 9:13 AM
To: solr-user@lucene.apache.org
Subject: Re: solrcloud dead-lock

Hey Kent,
Have you managed to find a solution to your problem?
I'm currently encountering the exact same issue.

Jack



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html

cannot create core when SSL is enabled

2017-09-20 Thread Younge, Kent A - Norman, OK - Contractor 
Hello,

I am getting an error message when trying to create a core when ssl is enabled 
ERROR: Certificate for  doesn't match any of the subject alternative 
names:

However, if I turn off ssl I can create the core just fine.   I have my 
certificates in the solr-6.5.1 directory should they be placed somewhere else 
to resolve this issue?





Thanks,

Kent

Turn on TLS

2017-09-13 Thread Younge, Kent A - Norman, OK - Contractor 


When I enable SSL I am getting page can not be displayed.  How do I check this? 
 I have looked in the java.security file and it is the same as my other solr 
servers.

This page can't be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting 
to https://solrpre-prod:8983 again. If this error persists, it is possible that 
this site uses an unsupported protocol or cipher suite such as RC4 (link for 
the details), which is not 
considered secure. Please contact your site administrator.









Thank you,

Kent Younge
Systems Engineer
USPS MTSC IT Support
600 W. Rock Creek Rd, Norman, OK  73069-8357
O:405 573 2273

RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-13 Thread Younge, Kent A - Norman, OK - Contractor 
New Solr Box built Getting Cipher mismatch.  Where are the Solr Java Cipher's 
located?






-Original Message-
From: Younge, Kent A - Norman, OK - Contractor 
[mailto:kent.a.you...@usps.gov.INVALID] 
Sent: Thursday, September 07, 2017 6:42 AM
To: solr-user@lucene.apache.org
Subject: RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Still receiving the same issue.  I have cloned another machine and it has the 
same issue.  Not sure what to do next.  Last resort build machine from scratch 
and see if it has the same issue if it does then I have no clue what is going 
on. 








-Original Message-
From: Younge, Kent A - Norman, OK - Contractor 
[mailto:kent.a.you...@usps.gov.INVALID] 
Sent: Tuesday, September 05, 2017 6:54 AM
To: solr-user@lucene.apache.org
Subject: RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

The new box is a clone of all the boxes so nothing should have changed other 
than the certificates and the keystore.  That is why I am at such a loss on 
this issue.   Java is the same across five servers all settings are the same 
across five servers.  I will look into the JVM security and see if it is the 
same across all the boxes.






-Original Message-
From: Chris Hostetter [mailto:hossman_luc...@fucit.org] 
Sent: Friday, September 01, 2017 5:46 PM
To: solr-user@lucene.apache.org
Subject: Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH


all of the low level SSL code used by Solr comes from the JVM.

double check which version of java you are using and make sure it's consistent 
on all of your servers -- if you disable SSL on the affected server you can use 
the Solr Admin UI to be 100% certain of exactly which version of java is being 
used...

https://lucene.apache.org/solr/guide/6_6/overview-of-the-solr-admin-ui.html

If the JVM Runtime *versions* are identicle, the next thing to check would be 
the the JVM security settings which control which ciphers are used.  
For Oracle JVMs this file is named "java.security" -- compare that file between 
your functional/non-functional servers.

There are lots of docs out there on SSL protocol and cipher configuration in 
java's java.security file, here's a quick one that links deep into the details 
of enabling/disabling protocols...

http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols

...but the bottomline is: you probably want to fix your broken server to match 
your working servers, and unless the JVM versions are different, that means 
someone/thing must have modified the JVM security settings on one of your 
servers -- find out who & why.


-Hoss
http://www.lucidworks.com/

RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-07 Thread Younge, Kent A - Norman, OK - Contractor 
Still receiving the same issue.  I have cloned another machine and it has the 
same issue.  Not sure what to do next.  Last resort build machine from scratch 
and see if it has the same issue if it does then I have no clue what is going 
on. 








-Original Message-
From: Younge, Kent A - Norman, OK - Contractor 
[mailto:kent.a.you...@usps.gov.INVALID] 
Sent: Tuesday, September 05, 2017 6:54 AM
To: solr-user@lucene.apache.org
Subject: RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

The new box is a clone of all the boxes so nothing should have changed other 
than the certificates and the keystore.  That is why I am at such a loss on 
this issue.   Java is the same across five servers all settings are the same 
across five servers.  I will look into the JVM security and see if it is the 
same across all the boxes.






-Original Message-
From: Chris Hostetter [mailto:hossman_luc...@fucit.org] 
Sent: Friday, September 01, 2017 5:46 PM
To: solr-user@lucene.apache.org
Subject: Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH


all of the low level SSL code used by Solr comes from the JVM.

double check which version of java you are using and make sure it's consistent 
on all of your servers -- if you disable SSL on the affected server you can use 
the Solr Admin UI to be 100% certain of exactly which version of java is being 
used...

https://lucene.apache.org/solr/guide/6_6/overview-of-the-solr-admin-ui.html

If the JVM Runtime *versions* are identicle, the next thing to check would be 
the the JVM security settings which control which ciphers are used.  
For Oracle JVMs this file is named "java.security" -- compare that file between 
your functional/non-functional servers.

There are lots of docs out there on SSL protocol and cipher configuration in 
java's java.security file, here's a quick one that links deep into the details 
of enabling/disabling protocols...

http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols

...but the bottomline is: you probably want to fix your broken server to match 
your working servers, and unless the JVM versions are different, that means 
someone/thing must have modified the JVM security settings on one of your 
servers -- find out who & why.


-Hoss
http://www.lucidworks.com/

RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-05 Thread Younge, Kent A - Norman, OK - Contractor 
The java.security files are the same.  I even copied over the files from a 
machine that is working and renamed the security files and it still did not 
work.. I am getting the same error.







-Original Message-
From: Younge, Kent A - Norman, OK - Contractor 
[mailto:kent.a.you...@usps.gov.INVALID] 
Sent: Tuesday, September 05, 2017 6:54 AM
To: solr-user@lucene.apache.org
Subject: RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

The new box is a clone of all the boxes so nothing should have changed other 
than the certificates and the keystore.  That is why I am at such a loss on 
this issue.   Java is the same across five servers all settings are the same 
across five servers.  I will look into the JVM security and see if it is the 
same across all the boxes.





-Original Message-
From: Chris Hostetter [mailto:hossman_luc...@fucit.org] 
Sent: Friday, September 01, 2017 5:46 PM
To: solr-user@lucene.apache.org
Subject: Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH


all of the low level SSL code used by Solr comes from the JVM.

double check which version of java you are using and make sure it's consistent 
on all of your servers -- if you disable SSL on the affected server you can use 
the Solr Admin UI to be 100% certain of exactly which version of java is being 
used...

https://lucene.apache.org/solr/guide/6_6/overview-of-the-solr-admin-ui.html

If the JVM Runtime *versions* are identicle, the next thing to check would be 
the the JVM security settings which control which ciphers are used.  
For Oracle JVMs this file is named "java.security" -- compare that file between 
your functional/non-functional servers.

There are lots of docs out there on SSL protocol and cipher configuration in 
java's java.security file, here's a quick one that links deep into the details 
of enabling/disabling protocols...

http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols

...but the bottomline is: you probably want to fix your broken server to match 
your working servers, and unless the JVM versions are different, that means 
someone/thing must have modified the JVM security settings on one of your 
servers -- find out who & why.


-Hoss
http://www.lucidworks.com/

RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-05 Thread Younge, Kent A - Norman, OK - Contractor 
The new box is a clone of all the boxes so nothing should have changed other 
than the certificates and the keystore.  That is why I am at such a loss on 
this issue.   Java is the same across five servers all settings are the same 
across five servers.  I will look into the JVM security and see if it is the 
same across all the boxes.






Thank you,

Kent Younge
Systems Engineer
USPS MTSC IT Support
600 W. Rock Creek Rd, Norman, OK  73069-8357
O:405 573 2273


-Original Message-
From: Chris Hostetter [mailto:hossman_luc...@fucit.org] 
Sent: Friday, September 01, 2017 5:46 PM
To: solr-user@lucene.apache.org
Subject: Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH


all of the low level SSL code used by Solr comes from the JVM.

double check which version of java you are using and make sure it's consistent 
on all of your servers -- if you disable SSL on the affected server you can use 
the Solr Admin UI to be 100% certain of exactly which version of java is being 
used...

https://lucene.apache.org/solr/guide/6_6/overview-of-the-solr-admin-ui.html

If the JVM Runtime *versions* are identicle, the next thing to check would be 
the the JVM security settings which control which ciphers are used.  
For Oracle JVMs this file is named "java.security" -- compare that file between 
your functional/non-functional servers.

There are lots of docs out there on SSL protocol and cipher configuration in 
java's java.security file, here's a quick one that links deep into the details 
of enabling/disabling protocols...

http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols

...but the bottomline is: you probably want to fix your broken server to match 
your working servers, and unless the JVM versions are different, that means 
someone/thing must have modified the JVM security settings on one of your 
servers -- find out who & why.


-Hoss
http://www.lucidworks.com/

Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-01 Thread Younge, Kent A - Norman, OK - Contractor 
Sorry I am not using Tomcat.  This is a fresh build of solr.  

Sent from my iPhone

> On Sep 1, 2017, at 3:33 PM, Rick Leir  wrote:
> 
> Kent,
> Did you say you are using Tomcat? Solr does not use Tomcat by default, so you 
> will need to tell us more about your configuration. 
> 
> But first, think of what you might have changed just before it stopped 
> working.
> Cheers -- Rick
> 
>> On September 1, 2017 11:55:47 AM EDT, "Younge, Kent A - Norman, OK - 
>> Contractor"  wrote:
>> 
>> Hello,
>> 
>> I am getting an error ERR_SSL_VERSION_OR_CIPHER_MISMATCH on one of my
>> Solr servers.   The details show that it's an Unsupported protocol: 
>> The client and server don't support a common SSL protocol version or
>> cipher suite.  I have changed my browser settings and nothing seems to
>> work.  If I comment out the SSL configuration in the solr.in.sh and use
>> HTTP the site Admin site comes up fine.  I have searched for where the
>> ciphers might be but, I am unsuccessful as I am not sure that they are
>> the ciphers in TOMCAT or do they get written somewhere else?  I've gone
>> over the certs several times I have compared it to a working Solr
>> server and nothing seems different.  Other than this one does not work.
>> 
>> 
>> 
>> 
>> 
>> 
>> Thank you,
>> 
>> Kent
> 
> -- 
> Sorry for being brief. Alternate email is rickleir at yahoo dot com

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-01 Thread Younge, Kent A - Norman, OK - Contractor 

Hello,

I am getting an error ERR_SSL_VERSION_OR_CIPHER_MISMATCH on one of my Solr 
servers.   The details show that it's an Unsupported protocol:  The client and 
server don't support a common SSL protocol version or cipher suite.  I have 
changed my browser settings and nothing seems to work.  If I comment out the 
SSL configuration in the solr.in.sh and use HTTP the site Admin site comes up 
fine.  I have searched for where the ciphers might be but, I am unsuccessful as 
I am not sure that they are the ciphers in TOMCAT or do they get written 
somewhere else?  I've gone over the certs several times I have compared it to a 
working Solr server and nothing seems different.  Other than this one does not 
work.






Thank you,

Kent

SSL configuration on Solr 6.6

2017-07-27 Thread Younge, Kent A - Norman, OK - Contractor 


Hello,

I am having an issue.  I have modified the solr.in.sh file to allow ssl 
however, when I go to the https site it gives an error that I need to enable 
TLS.  But the http site is up and running.  I have imported my certificates not 
sure what I am missing.




Thank you,

Kent Younge
Systems Engineer
USPS MTSC IT Support
600 W. Rock Creek Rd, Norman, OK  73069-8357
O:405 573 2273