Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-16735

"Invalid SNI" error when request server name doesn't match host certificate

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 9.2
    • main (10.0), 9.3, 9.2.1
    • None
    • None

    Description

      Jetty 10 slightly changed the behavior for handling SNI validation. See Jetty9.4 vs Jetty 10. In Jetty 9, by default (which Solr uses up to version 9.1), SNI extension was not validated if not present, but in Jetty 10, by default, the host name is validated against the host certificate, and 400: Invalid SNI is thrown if they don't match.

      I think the right approach for Solr is to set sniHostCheck to false, and at the most be the option to configure using jetty internal sysprops like here

      Attachments

        Issue Links

          Activity

            githubbot ASF GitHub Bot logged work - 06/Apr/23 17:57
            • Time Spent:
              10m
               
              tflobbe opened a new pull request, #1547:
              URL: https://github.com/apache/solr/pull/1547

                 This PR doesn't change any defaults, just adds a way to configure via system properties


            githubbot ASF GitHub Bot logged work - 07/Apr/23 00:30

            People

              tflobbe Tomas Eduardo Fernandez Lobbe
              tflobbe Tomas Eduardo Fernandez Lobbe
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 20m
                  20m