Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-14106

SSL with SOLR_SSL_NEED_CLIENT_AUTH not working since v8.2.0

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 8.2, 8.3, 8.3.1, 8.4
    • 8.4.1, 8.5
    • Server

    Description

      For a client we use SSL certificate authentication with Solr through the SOLR_SSL_NEED_CLIENT_AUTH=true setting. The client must then prove through a local pem file that it has the correct client certificate.

      This works well until Solr 8.1.1, but fails with Solr 8.2 and also 8.3.1. There has been a Jetty upgrade from from jetty-9.4.14 to jetty-9.4.19 and I see some deprecation warnings in the log of 8.3.1:

      o.e.j.x.XmlConfiguration Deprecated method public void org.eclipse.jetty.util.ssl.SslContextFactory.setWantClientAuth(boolean) in file:///opt/solr-8.3.1/server/etc/jetty-ssl.xml

      I have made a simple reproduction script using Docker to reproduce first the 8.1.1 behaviour that succeeds, then 8.3.1 which fails:

      wget https://www.dropbox.com/s/fkjcez1i5anh42i/tls.tgz
tar -xvzf tls.tgz
cd tls
./repro.sh

      Attachments

        1. SOLR-14106.patch
          3 kB
          Kevin Risden
        2. SOLR-14106.patch
          20 kB
          Kevin Risden
        3. SOLR-14106.patch
          11 kB
          Kevin Risden
        4. deprecation-warning.patch
          0.6 kB
          Jan Høydahl

        Issue Links

        causes

        Bug - A problem which impairs or prevents the functions of the product. SOLR-14163 SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION needs to work with Jetty server/client SSL contexts

        • Major - Major loss of function.
        • Closed
        contains

        Bug - A problem which impairs or prevents the functions of the product. SOLR-14105 Http2SolrClient SSL not working in branch_8x

        • Major - Major loss of function.
        • Resolved
        is duplicated by

        Bug - A problem which impairs or prevents the functions of the product. SOLR-14111 Revert SOLR-13541 which breaks SSL client auth

        • Major - Major loss of function.
        • Resolved
        is related to

        Task - A task that needs to be done. SOLR-15999 Update SSL documentation for mutual TLS (mTLS)

        • Major - Major loss of function.
        • Open
        relates to

        Improvement - An improvement or enhancement to an existing feature or task. SOLR-13541 Upgrade Jetty to 9.4.19.v20190610

        • Major - Major loss of function.
        • Closed
        links to

        Web Link GitHub Pull Request #1094

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            krisden Kevin Risden
            janhoy Jan Høydahl
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 40m
                40m

                Slack

                  Issue deployment