Client Cert Broken in Solr 8.2.0 because of a Jetty Issue (workaround included)


Ryan Rockenbaugh
All,
If you are using client authentication with SSL in Solr (SOLR_SSL_NEED_CLIENT_AUTH=true or SOLR_SSL_WANT_CLIENT_AUTH=true), be advised that Jetty made a change that will break Solr 8.2.0.
The version of Jetty packaged with Solr 8.2.0 changed to 9.4.19.v20190610 (see https://lucene.apache.org/solr/8_2_0/changes/Changes.html#v8.2.0.versions_of_major_components)
The official Jetty issue is here:  https://github.com/eclipse/jetty.project/issues/3554
The stated fix is:
    Set endpointIdentificationAlgorithm=null or better yet use SslContextFactory.Server instead of a plain SslContextFactory. 
I found I couldn't change the class from SslContextFactory to SslContextFactory.Server.
My workaround was to update the file server/etc/jetty-ssl.xml, adding the following entry to the <Configure id="sslContextFactory" ...> element:

    <Set name="EndpointIdentificationAlgorithm"></Set>
Thanks,
Ryan Rockenbaugh





"Do all the good you can, By all the means you can, In all the ways
you can, In all the places you can, At all the times you can, To all
the people you can, As long as ever you can."

 - John Wesley
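
A check for the condition described in the post above, as an added example that is not part of the original thread and is not Solr or Jetty code. It parses a jetty-ssl.xml-style file and reports whether the `sslContextFactory` is a plain `SslContextFactory` with client auth requested and no `EndpointIdentificationAlgorithm` override. The function name, status strings and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed stand-in for server/etc/jetty-ssl.xml,
# not the file shipped with Solr.
SAMPLE_BEFORE = """\
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath">etc/example-keystore.jks</Set>
</Configure>
"""

# The same sample with the workaround line from the post added.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "</Configure>",
    '  <Set name="EndpointIdentificationAlgorithm"></Set>\n</Configure>',
)


def check_jetty_ssl(xml_text, need_client_auth=False, want_client_auth=False):
    """Classify a jetty-ssl.xml with respect to the issue in the post.

    need_client_auth / want_client_auth mirror SOLR_SSL_NEED_CLIENT_AUTH and
    SOLR_SSL_WANT_CLIENT_AUTH; the caller passes them in (assumption: they are
    not read from the XML here).
    """
    root = ET.fromstring(xml_text)
    # The factory may be the root element or nested inside a larger config.
    factory = next((e for e in root.iter("Configure")
                    if e.get("id") == "sslContextFactory"), None)
    if factory is None:
        return "no-sslContextFactory"

    # Fix 1 from the post: the Server subclass instead of the plain class.
    cls = factory.get("class", "")
    if cls.endswith(("SslContextFactory.Server", "SslContextFactory$Server")):
        return "ok-server-class"

    # Fix 2 from the post: an explicit, empty EndpointIdentificationAlgorithm.
    for s in factory.findall("Set"):
        if s.get("name", "").lower() == "endpointidentificationalgorithm":
            if not (s.text or "").strip() and len(s) == 0:
                return "ok-workaround"
            return "explicit-value-set"  # something else is configured; review it

    if need_client_auth or want_client_auth:
        return "affected"
    return "not-using-client-auth"
```

For a real install, pass the contents of server/etc/jetty-ssl.xml and the client-auth values from the Solr environment settings.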
Re: Client Cert Broken in Solr 8.2.0 because of a Jetty Issue (workaround included)

Kevin Risden-3
Thanks for the report Ryan. It looks like this fell through the cracks and
was reported a second time in Jira.

https://issues.apache.org/jira/browse/SOLR-14106

I have a patch up there that should help with some comments about multiple
clientAuth certificates.

Kevin Risden


On Fri, Sep 27, 2019 at 1:04 PM Ryan Rockenbaugh
<[hidden email]> wrote:

> All,
> If you are using client authentication with SSL in Solr
> (SOLR_SSL_NEED_CLIENT_AUTH=true or SOLR_SSL_WANT_CLIENT_AUTH=true), be
> advised that Jetty made a change that will break Solr 8.2.0.
> The version of Jetty packaged with Solr 8.2.0 changed to 9.4.19.v20190610
> (see
> https://lucene.apache.org/solr/8_2_0/changes/Changes.html#v8.2.0.versions_of_major_components
> )
> The official Jetty issue is here:
> https://github.com/eclipse/jetty.project/issues/3554
> The stated fix is:
>     Set endpointIdentificationAlgorithm=null or better yet use
> SslContextFactory.Server instead of a plain SslContextFactory.
> I found I couldn't change the class from SslContextFactory to
> SslContextFactory.Server.
> My workaround was to update the file server/etc/jetty-ssl.xml, adding the
> following entry to the <Configure id="sslContextFactory" ...> element:
>
>     <Set name="EndpointIdentificationAlgorithm"></Set>
> Thanks,
> Ryan Rockenbaugh
>
>
>
>
>
> "Do all the good you can, By all the means you can, In all the ways
> you can, In all the places you can, At all the times you can, To all
> the people you can, As long as ever you can."
>
>  - John Wesley