solr is using TLS1.0

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

solr is using TLS1.0

Anchal Sharma2

Hi All,

I have enabled  SSL for solr  using steps mentioned over Lucene
website .And though solr console URL is now secure(https) ,it is still
using TLS v1.0.
I have  tried   few things to force SSL to use  TLS1.2 protocol ,but they
have not worked for me .

While trying to do same ,I have observed solr itself does not offer any
solr property to specify cipher ,algorithm or TLS version .

Following things have been tried :
1.key store /trust store for solr  to enable SSL  with different key
algorithm ,etc combinations for the certificates
2.different  solr versions for step 1(solr 5.x,6.x,7.x-we are using solr
5.3 currently)
3.using java version 1.8 and adding solr certificate in java keystore to
enforce TLS1.2
4.various kind of keystores like JKS,PKCS12,etc

Can anyone offer any suggestions on same ?I have not been able to find much
about same niofficial site.

Thanks & Regards,
-------------------------------------------------
Anchal Sharma
Reply | Threaded
Open this post in threaded view
|

Re: solr is using TLS1.0

Shawn Heisey-2
On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:

> I have enabled  SSL for solr  using steps mentioned over Lucene
> website .And though solr console URL is now secure(https) ,it is still
> using TLS v1.0.
> I have  tried   few things to force SSL to use  TLS1.2 protocol ,but they
> have not worked for me .
>
> While trying to do same ,I have observed solr itself does not offer any
> solr property to specify cipher ,algorithm or TLS version .
>
> Following things have been tried :
> 1.key store /trust store for solr  to enable SSL  with different key
> algorithm ,etc combinations for the certificates
> 2.different  solr versions for step 1(solr 5.x,6.x,7.x-we are using solr
> 5.3 currently)
> 3.using java version 1.8 and adding solr certificate in java keystore to
> enforce TLS1.2

Solr lets Java and Jetty handle TLS.  Solr itself doesn't get involved
except to provide information to other software.

There are a whole lot of versions of Java 8, and at least three vendors
for it.  The big names are Oracle, IBM, and OpenJDK.  What vendor and
exact version of Java are you running? What OS is it on?  Do you have
the "unlimited JCE" addition installed in your Java and enabled?  If
your Java version is new enough, you won't need to mess with JCE.  See
this page:

https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html

Solr 5.3 ships with Jetty 9.2.11, which is considered very outdated by
the Jetty project -- released well over three years ago.  From the
perspective of the Solr project, version 5.3 is also very old -- two
major versions behind what's current, and also released three years ago.

Jetty 9.2 is up to 9.2.26.  The current version is Jetty 9.4.14.  The
latest version of Solr (7.5.0) is shipping with Jetty 9.4.11.  I think
Jetty will likely be upgraded to the latest release for Solr 7.6.0.

Have you made any changes to the Jetty config, particularly
jetty-ssl.xml?  One thing you might try, although I'll warn you that it
may make no difference at all, is to remove the parts of that config
file that exclude certain protocols and ciphers, letting Jetty decide
for itself what it should use.  Recent versions of Jetty and Java have
very good defaults.  I do not know whether Jetty 9.2.11 (included with
Solr 5.3, as mentioned) has good defaults or not.

Thanks,
Shawn

Reply | Threaded
Open this post in threaded view
|

Re: solr is using TLS1.0

Anchal Sharma2

Hi Shawn ,

Thanks for your reply .

Here are the details abut java we are using :
java version "1.8.0_151"
IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References 20171102_369060 (JIT enabled, AOT enabled)
I have already patched the policy jars .

And I tried to comment out the ciphers ,protocol entries in jetty-ssl.xml ,but it did not work for me .I also tried to use an "IncludeCipherSuites" entry to include a cipher I wanted to include ,but it did not work either .I started getting SSL_ERROR_INTERNAL_ERROR_ALERT and ssl_error_no_cypher_overlap errors on my console URL.I tried this in solr 7.3.1 version ,so jetty version must also be relatively new.

Do you think java might not be letting me enable TLS1.2?

Thanks & Regards,
-------------------------------------------------
Anchal Sharma


Shawn Heisey ---21-11-2018 05:28:50---On 11/20/2018 3:02 AM, Anchal Sharma2 wrote: > I have enabled SSL for solr using steps mentioned o

From: Shawn Heisey <[hidden email]>
To: [hidden email]
Date: 21-11-2018 05:28
Subject: Re: solr is using TLS1.0





On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:

> I have enabled  SSL for solr  using steps mentioned over Lucene
> website .And though solr console URL is now secure(https) ,it is still
> using TLS v1.0.
> I have  tried   few things to force SSL to use  TLS1.2 protocol ,but they
> have not worked for me .
>
> While trying to do same ,I have observed solr itself does not offer any
> solr property to specify cipher ,algorithm or TLS version .
>
> Following things have been tried :
> 1.key store /trust store for solr  to enable SSL  with different key
> algorithm ,etc combinations for the certificates
> 2.different  solr versions for step 1(solr 5.x,6.x,7.x-we are using solr
> 5.3 currently)
> 3.using java version 1.8 and adding solr certificate in java keystore to
> enforce TLS1.2

Solr lets Java and Jetty handle TLS.  Solr itself doesn't get involved
except to provide information to other software.

There are a whole lot of versions of Java 8, and at least three vendors
for it.  The big names are Oracle, IBM, and OpenJDK.  What vendor and
exact version of Java are you running? What OS is it on?  Do you have
the "unlimited JCE" addition installed in your Java and enabled?  If
your Java version is new enough, you won't need to mess with JCE.  See
this page:

https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html

Solr 5.3 ships with Jetty 9.2.11, which is considered very outdated by
the Jetty project -- released well over three years ago.  From the
perspective of the Solr project, version 5.3 is also very old -- two
major versions behind what's current, and also released three years ago.

Jetty 9.2 is up to 9.2.26.  The current version is Jetty 9.4.14.  The
latest version of Solr (7.5.0) is shipping with Jetty 9.4.11.  I think
Jetty will likely be upgraded to the latest release for Solr 7.6.0.

Have you made any changes to the Jetty config, particularly
jetty-ssl.xml?  One thing you might try, although I'll warn you that it
may make no difference at all, is to remove the parts of that config
file that exclude certain protocols and ciphers, letting Jetty decide
for itself what it should use.  Recent versions of Jetty and Java have
very good defaults.  I do not know whether Jetty 9.2.11 (included with
Solr 5.3, as mentioned) has good defaults or not.

Thanks,
Shawn





Reply | Threaded
Open this post in threaded view
|

Re: solr is using TLS1.0

Hendrik Haddorp
Hi Anchal,

the IBM JVM behaves differently in the TLS setup then the Oracle JVM. If
you search for IBM Java TLS 1.2 you find tons of reports of problems
with that. In most cases you can get around that using the system
property "com.ibm.jsse2.overrideDefaultTLS" as documented here:
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html

regards,
Hendrik

On 22.11.2018 07:25, Anchal Sharma2 wrote:

>
> Hi Shawn ,
>
> Thanks for your reply .
>
> Here are the details abut java we are using :
> java version "1.8.0_151"
> IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References
> 20171102_369060 (JIT enabled, AOT enabled)
> I have already patched the policy jars .
>
> And I tried to comment out the ciphers ,protocol entries in
> jetty-ssl.xml ,but it did not work for me .I also tried to use an
> "IncludeCipherSuites" entry to include a cipher I wanted to include
> ,but it did not work either .I started getting
> SSL_ERROR_INTERNAL_ERROR_ALERT and ssl_error_no_cypher_overlap errors
> on my console URL.I tried this in solr 7.3.1 version ,so jetty version
> must also be relatively new.
>
> Do you think java might not be letting me enable TLS1.2?
>
> Thanks & Regards,
> -------------------------------------------------
> Anchal Sharma
>
>
> Inactive hide details for Shawn Heisey ---21-11-2018 05:28:50---On
> 11/20/2018 3:02 AM, Anchal Sharma2 wrote: > I have enabled Shawn
> Heisey ---21-11-2018 05:28:50---On 11/20/2018 3:02 AM, Anchal Sharma2
> wrote: > I have enabled SSL for solr using steps mentioned o
>
> From: Shawn Heisey <[hidden email]>
> To: [hidden email]
> Date: 21-11-2018 05:28
> Subject: Re: solr is using TLS1.0
>
> ------------------------------------------------------------------------
>
>
>
> On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:
> > I have enabled  SSL for solr  using steps mentioned over Lucene
> > website .And though solr console URL is now secure(https) ,it is still
> > using TLS v1.0.
> > I have  tried   few things to force SSL to use  TLS1.2 protocol ,but
> they
> > have not worked for me .
> >
> > While trying to do same ,I have observed solr itself does not offer any
> > solr property to specify cipher ,algorithm or TLS version .
> >
> > Following things have been tried :
> > 1.key store /trust store for solr  to enable SSL  with different key
> > algorithm ,etc combinations for the certificates
> > 2.different  solr versions for step 1(solr 5.x,6.x,7.x-we are using solr
> > 5.3 currently)
> > 3.using java version 1.8 and adding solr certificate in java keystore to
> > enforce TLS1.2
>
> Solr lets Java and Jetty handle TLS.  Solr itself doesn't get involved
> except to provide information to other software.
>
> There are a whole lot of versions of Java 8, and at least three vendors
> for it.  The big names are Oracle, IBM, and OpenJDK.  What vendor and
> exact version of Java are you running? What OS is it on?  Do you have
> the "unlimited JCE" addition installed in your Java and enabled?  If
> your Java version is new enough, you won't need to mess with JCE.  See
> this page:
>
> https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html
>
> Solr 5.3 ships with Jetty 9.2.11, which is considered very outdated by
> the Jetty project -- released well over three years ago.  From the
> perspective of the Solr project, version 5.3 is also very old -- two
> major versions behind what's current, and also released three years ago.
>
> Jetty 9.2 is up to 9.2.26.  The current version is Jetty 9.4.14.  The
> latest version of Solr (7.5.0) is shipping with Jetty 9.4.11. I think
> Jetty will likely be upgraded to the latest release for Solr 7.6.0.
>
> Have you made any changes to the Jetty config, particularly
> jetty-ssl.xml?  One thing you might try, although I'll warn you that it
> may make no difference at all, is to remove the parts of that config
> file that exclude certain protocols and ciphers, letting Jetty decide
> for itself what it should use.  Recent versions of Jetty and Java have
> very good defaults.  I do not know whether Jetty 9.2.11 (included with
> Solr 5.3, as mentioned) has good defaults or not.
>
> Thanks,
> Shawn
>
>
>
>
>

Reply | Threaded
Open this post in threaded view
|

Re: solr is using TLS1.0

Anchal Sharma2

Hi Hendrick

This did the trick .Overriding default TLS version for IBM Java enabled TLS 1.2 for solr .

Thank you Hendrick /Shawn for your help and suggestions.

Thanks & Regards,
-------------------------------------------------
Anchal Sharma


Hendrik Haddorp ---22-11-2018 12:53:06---Hi Anchal, the IBM JVM behaves differently in the TLS setup then the Oracle JVM. If

From: Hendrik Haddorp <[hidden email]>
To: [hidden email]
Date: 22-11-2018 12:53
Subject: Re: solr is using TLS1.0





Hi Anchal,

the IBM JVM behaves differently in the TLS setup then the Oracle JVM. If
you search for IBM Java TLS 1.2 you find tons of reports of problems
with that. In most cases you can get around that using the system
property "com.ibm.jsse2.overrideDefaultTLS" as documented here:
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html

regards,
Hendrik

On 22.11.2018 07:25, Anchal Sharma2 wrote:

>
> Hi Shawn ,
>
> Thanks for your reply .
>
> Here are the details abut java we are using :
> java version "1.8.0_151"
> IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References
> 20171102_369060 (JIT enabled, AOT enabled)
> I have already patched the policy jars .
>
> And I tried to comment out the ciphers ,protocol entries in
> jetty-ssl.xml ,but it did not work for me .I also tried to use an
> "IncludeCipherSuites" entry to include a cipher I wanted to include
> ,but it did not work either .I started getting
> SSL_ERROR_INTERNAL_ERROR_ALERT and ssl_error_no_cypher_overlap errors
> on my console URL.I tried this in solr 7.3.1 version ,so jetty version
> must also be relatively new.
>
> Do you think java might not be letting me enable TLS1.2?
>
> Thanks & Regards,
> -------------------------------------------------
> Anchal Sharma
>
>
> Inactive hide details for Shawn Heisey ---21-11-2018 05:28:50---On
> 11/20/2018 3:02 AM, Anchal Sharma2 wrote: > I have enabled Shawn
> Heisey ---21-11-2018 05:28:50---On 11/20/2018 3:02 AM, Anchal Sharma2
> wrote: > I have enabled SSL for solr using steps mentioned o
>
> From: Shawn Heisey <[hidden email]>
> To: [hidden email]
> Date: 21-11-2018 05:28
> Subject: Re: solr is using TLS1.0
>
> ------------------------------------------------------------------------
>
>
>
> On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:
> > I have enabled  SSL for solr  using steps mentioned over Lucene
> > website .And though solr console URL is now secure(https) ,it is still
> > using TLS v1.0.
> > I have  tried   few things to force SSL to use  TLS1.2 protocol ,but
> they
> > have not worked for me .
> >
> > While trying to do same ,I have observed solr itself does not offer any
> > solr property to specify cipher ,algorithm or TLS version .
> >
> > Following things have been tried :
> > 1.key store /trust store for solr  to enable SSL  with different key
> > algorithm ,etc combinations for the certificates
> > 2.different  solr versions for step 1(solr 5.x,6.x,7.x-we are using solr
> > 5.3 currently)
> > 3.using java version 1.8 and adding solr certificate in java keystore to
> > enforce TLS1.2
>
> Solr lets Java and Jetty handle TLS.  Solr itself doesn't get involved
> except to provide information to other software.
>
> There are a whole lot of versions of Java 8, and at least three vendors
> for it.  The big names are Oracle, IBM, and OpenJDK.  What vendor and
> exact version of Java are you running? What OS is it on?  Do you have
> the "unlimited JCE" addition installed in your Java and enabled?  If
> your Java version is new enough, you won't need to mess with JCE.  See
> this page:
>
>
https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html
>
> Solr 5.3 ships with Jetty 9.2.11, which is considered very outdated by
> the Jetty project -- released well over three years ago.  From the
> perspective of the Solr project, version 5.3 is also very old -- two
> major versions behind what's current, and also released three years ago.
>
> Jetty 9.2 is up to 9.2.26.  The current version is Jetty 9.4.14.  The
> latest version of Solr (7.5.0) is shipping with Jetty 9.4.11. I think
> Jetty will likely be upgraded to the latest release for Solr 7.6.0.
>
> Have you made any changes to the Jetty config, particularly
> jetty-ssl.xml?  One thing you might try, although I'll warn you that it
> may make no difference at all, is to remove the parts of that config
> file that exclude certain protocols and ciphers, letting Jetty decide
> for itself what it should use.  Recent versions of Jetty and Java have
> very good defaults.  I do not know whether Jetty 9.2.11 (included with
> Solr 5.3, as mentioned) has good defaults or not.
>
> Thanks,
> Shawn
>
>
>
>
>





Reply | Threaded
Open this post in threaded view
|

Re: solr is using TLS1.0

Jan Høydahl / Cominvent
Hmm, perhaps our bin/solr start scripts could set the com.ibm.jsse2.overrideDefaultTLS property automatically in case of IBM JVM? Or alternatively document this in the SSL section of the reference Guide? Anchal, feel free to open a JIRA and submit a patch.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 30. nov. 2018 kl. 06:59 skrev Anchal Sharma2 <[hidden email]>:
>
> Hi Hendrick
>
> This did the trick .Overriding default TLS version for IBM Java enabled TLS 1.2 for solr .
>
> Thank you Hendrick /Shawn for your help and suggestions.
>
> Thanks & Regards,
> -------------------------------------------------
> Anchal Sharma
>
>
> Hendrik Haddorp ---22-11-2018 12:53:06---Hi Anchal, the IBM JVM behaves differently in the TLS setup then the Oracle JVM. If
>
> From: Hendrik Haddorp <[hidden email]>
> To: [hidden email]
> Date: 22-11-2018 12:53
> Subject: Re: solr is using TLS1.0
>
>
>
>
> Hi Anchal,
>
> the IBM JVM behaves differently in the TLS setup then the Oracle JVM. If
> you search for IBM Java TLS 1.2 you find tons of reports of problems
> with that. In most cases you can get around that using the system
> property "com.ibm.jsse2.overrideDefaultTLS" as documented here:
> https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html <https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html>
>
> regards,
> Hendrik
>
> On 22.11.2018 07:25, Anchal Sharma2 wrote:
> >
> > Hi Shawn ,
> >
> > Thanks for your reply .
> >
> > Here are the details abut java we are using :
> > java version "1.8.0_151"
> > IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References
> > 20171102_369060 (JIT enabled, AOT enabled)
> > I have already patched the policy jars .
> >
> > And I tried to comment out the ciphers ,protocol entries in
> > jetty-ssl.xml ,but it did not work for me .I also tried to use an
> > "IncludeCipherSuites" entry to include a cipher I wanted to include
> > ,but it did not work either .I started getting
> > SSL_ERROR_INTERNAL_ERROR_ALERT and ssl_error_no_cypher_overlap errors
> > on my console URL.I tried this in solr 7.3.1 version ,so jetty version
> > must also be relatively new.
> >
> > Do you think java might not be letting me enable TLS1.2?
> >
> > Thanks & Regards,
> > -------------------------------------------------
> > Anchal Sharma
> >
> >
> > Inactive hide details for Shawn Heisey ---21-11-2018 05:28:50---On
> > 11/20/2018 3:02 AM, Anchal Sharma2 wrote: > I have enabled Shawn
> > Heisey ---21-11-2018 05:28:50---On 11/20/2018 3:02 AM, Anchal Sharma2
> > wrote: > I have enabled SSL for solr using steps mentioned o
> >
> > From: Shawn Heisey <[hidden email]>
> > To: [hidden email]
> > Date: 21-11-2018 05:28
> > Subject: Re: solr is using TLS1.0
> >
> > ------------------------------------------------------------------------
> >
> >
> >
> > On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:
> > > I have enabled  SSL for solr  using steps mentioned over Lucene
> > > website .And though solr console URL is now secure(https) ,it is still
> > > using TLS v1.0.
> > > I have  tried   few things to force SSL to use  TLS1.2 protocol ,but
> > they
> > > have not worked for me .
> > >
> > > While trying to do same ,I have observed solr itself does not offer any
> > > solr property to specify cipher ,algorithm or TLS version .
> > >
> > > Following things have been tried :
> > > 1.key store /trust store for solr  to enable SSL  with different key
> > > algorithm ,etc combinations for the certificates
> > > 2.different  solr versions for step 1(solr 5.x,6.x,7.x-we are using solr
> > > 5.3 currently)
> > > 3.using java version 1.8 and adding solr certificate in java keystore to
> > > enforce TLS1.2
> >
> > Solr lets Java and Jetty handle TLS.  Solr itself doesn't get involved
> > except to provide information to other software.
> >
> > There are a whole lot of versions of Java 8, and at least three vendors
> > for it.  The big names are Oracle, IBM, and OpenJDK.  What vendor and
> > exact version of Java are you running? What OS is it on?  Do you have
> > the "unlimited JCE" addition installed in your Java and enabled?  If
> > your Java version is new enough, you won't need to mess with JCE.  See
> > this page:
> >
> > https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html <https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html>
> >
> > Solr 5.3 ships with Jetty 9.2.11, which is considered very outdated by
> > the Jetty project -- released well over three years ago.  From the
> > perspective of the Solr project, version 5.3 is also very old -- two
> > major versions behind what's current, and also released three years ago.
> >
> > Jetty 9.2 is up to 9.2.26.  The current version is Jetty 9.4.14.  The
> > latest version of Solr (7.5.0) is shipping with Jetty 9.4.11. I think
> > Jetty will likely be upgraded to the latest release for Solr 7.6.0.
> >
> > Have you made any changes to the Jetty config, particularly
> > jetty-ssl.xml?  One thing you might try, although I'll warn you that it
> > may make no difference at all, is to remove the parts of that config
> > file that exclude certain protocols and ciphers, letting Jetty decide
> > for itself what it should use.  Recent versions of Jetty and Java have
> > very good defaults.  I do not know whether Jetty 9.2.11 (included with
> > Solr 5.3, as mentioned) has good defaults or not.
> >
> > Thanks,
> > Shawn
> >
> >
> >
> >
> >
>
>
>
>
>