Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-14106

SSL with SOLR_SSL_NEED_CLIENT_AUTH not working since v8.2.0

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 8.2, 8.3, 8.3.1, 8.4
    • 8.4.1, 8.5
    • Server

    Description

      For a client we use SSL certificate authentication with Solr through the SOLR_SSL_NEED_CLIENT_AUTH=true setting. The client must then prove through a local pem file that it has the correct client certificate.

      This works well until Solr 8.1.1, but fails with Solr 8.2 and also 8.3.1. There has been a Jetty upgrade from from jetty-9.4.14 to jetty-9.4.19 and I see some deprecation warnings in the log of 8.3.1:

      o.e.j.x.XmlConfiguration Deprecated method public void org.eclipse.jetty.util.ssl.SslContextFactory.setWantClientAuth(boolean) in file:///opt/solr-8.3.1/server/etc/jetty-ssl.xml

      I have made a simple reproduction script using Docker to reproduce first the 8.1.1 behaviour that succeeds, then 8.3.1 which fails:

      wget https://www.dropbox.com/s/fkjcez1i5anh42i/tls.tgz
tar -xvzf tls.tgz
cd tls
./repro.sh

      Attachments

        1. SOLR-14106.patch
          11 kB
          Kevin Risden
        2. SOLR-14106.patch
          20 kB
          Kevin Risden
        3. deprecation-warning.patch
          0.6 kB
          Jan Høydahl
        4. SOLR-14106.patch
          3 kB
          Kevin Risden

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. SOLR-14163 SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION needs to work with Jetty server/client SSL contexts

          • Major - Major loss of function.
          • Closed
          contains

          Bug - A problem which impairs or prevents the functions of the product. SOLR-14105 Http2SolrClient SSL not working in branch_8x

          • Major - Major loss of function.
          • Resolved
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. SOLR-14111 Revert SOLR-13541 which breaks SSL client auth

          • Major - Major loss of function.
          • Resolved
          is related to

          Task - A task that needs to be done. SOLR-15999 Update SSL documentation for mutual TLS (mTLS)

          • Major - Major loss of function.
          • Open
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. SOLR-13541 Upgrade Jetty to 9.4.19.v20190610

          • Major - Major loss of function.
          • Closed
          links to

          Web Link GitHub Pull Request #1094

          Activity

            People

              krisden Kevin Risden
              janhoy Jan Høydahl
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 40m
                  40m