Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-16735

"Invalid SNI" error when request server name doesn't match host certificate

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 9.2
    • main (10.0), 9.3, 9.2.1
    • None
    • None

    Description

      Jetty 10 slightly changed the behavior for handling SNI validation. See Jetty9.4 vs Jetty 10. In Jetty 9, by default (which Solr uses up to version 9.1), SNI extension was not validated if not present, but in Jetty 10, by default, the host name is validated against the host certificate, and 400: Invalid SNI is thrown if they don't match.

      I think the right approach for Solr is to set sniHostCheck to false, and at the most be the option to configure using jetty internal sysprops like here

      Attachments

        Issue Links

          links to

          Web Link GitHub Pull Request #1547

          Activity

            People

              tflobbe Tomas Eduardo Fernandez Lobbe
              tflobbe Tomas Eduardo Fernandez Lobbe
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 20m
                  20m