Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-14711

Incorrect insecure settings check in CoreContainer

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Duplicate
    • None
    • None
    • None
    • None

    Description

      I've configured SolrCloud (8.5) with both SSL and Authentication which is working correctly. However, I get the following warning in the logs
       
      "Solr authentication is enabled, but SSL is off. Consider enabling SSL to protect user credentials and data with encryption"
       
      Looking at the source code for SolrCloud there appears to be a bug
      if (authenticationPlugin !=null && StringUtils.isNotEmpty(System.getProperty("solr.jetty.https.port")))

      { log.warn("Solr authentication is enabled, but SSL is off.  Consider enabling SSL to protect user credentials and data with encryption."); }

       
      Rather than checking for an empty system property (which would indicate SLL is off) its checking for a populated one which is what you get when SSL is on.

      This is a major issue because administrators are very concerned that Solr has been deployed in an insecure fashion.

      Attachments

        Issue Links

          duplicates

          Improvement - An improvement or enhancement to an existing feature or task. SOLR-14748 Correct SSL/Auth startup warning

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              Unassigned Unassigned
              dunespice Mark Todd
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: