SOLR-16679: Fix solr.jetty.ssl.verifyClientHostName logging


Details

    • Task
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • None
    • main (10.0), 9.2
    • None
    • None

    Description

      In SOLR-16669, Houston Putman found in https://github.com/apache/solr/pull/1367

      Main with #1366 included:

      2023-02-22 09:28:49.232 WARN  (main) [] o.e.j.u.s.S.config Trusting all certificates configured for Client@1d901f20[provider=null,keyStore=null,trustStore=null]
      2023-02-22 09:28:49.233 WARN  (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@1d901f20[provider=null,keyStore=null,trustStore=null]
      2023-02-22 09:28:49.339 WARN  (main) [] o.e.j.u.s.S.config Trusting all certificates configured for Client@760487aa[provider=null,keyStore=null,trustStore=null]
      2023-02-22 09:28:49.339 WARN  (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@760487aa[provider=null,keyStore=null,trustStore=null]
      

      Then with this change:

      2023-02-22 09:31:12.602 WARN  (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@2c9a6717[provider=null,keyStore=null,trustStore=null]
      2023-02-22 09:31:12.690 WARN  (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@760487aa[provider=null,keyStore=null,trustStore=null]
      

      That is due to this line:

      sslContextFactory.setEndpointIdentificationAlgorithm(
              System.getProperty("solr.jetty.ssl.verifyClientHostName"));
      

      It seems like this stems from https://issues.apache.org/jira/browse/SOLR-14163, so we have the perfect people to discuss this @janhoy & @risdenk ! I'll leave it to y'all if we want to use "HTTPS" as the default. That will make the last 2 warnings go away. We can also deal with this in a different PR/issue if y'all want to, it's pretty unrelated. (I will say the SolrJ tests work with HTTPS as the default for this sysProp, so it will work for users using HTTP)

      We should default to HTTPS if TLS is not enabled. It looks like we disable client hostname verification by default and the setting solr.jetty.ssl.verifyClientHostName only applies if TLS is enabled.
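A log check for the two Jetty warnings quoted in the description, added here as an example and not taken from the issue or from Solr's code: it groups the warnings by client instance so the remaining TLS gap of each client is visible at a glance. The flag names `trust_all` and `no_hostname_check` and the function names are assumptions introduced for this example; the sample lines are copied from the description.

```python
import re
from collections import defaultdict

# Log lines copied from the description: "Main with #1366 included" ...
BEFORE = """\
2023-02-22 09:28:49.232 WARN  (main) [] o.e.j.u.s.S.config Trusting all certificates configured for Client@1d901f20[provider=null,keyStore=null,trustStore=null]
2023-02-22 09:28:49.233 WARN  (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@1d901f20[provider=null,keyStore=null,trustStore=null]
2023-02-22 09:28:49.339 WARN  (main) [] o.e.j.u.s.S.config Trusting all certificates configured for Client@760487aa[provider=null,keyStore=null,trustStore=null]
2023-02-22 09:28:49.339 WARN  (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@760487aa[provider=null,keyStore=null,trustStore=null]
"""
# ... and "Then with this change".
AFTER = """\
2023-02-22 09:31:12.602 WARN  (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@2c9a6717[provider=null,keyStore=null,trustStore=null]
2023-02-22 09:31:12.690 WARN  (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@760487aa[provider=null,keyStore=null,trustStore=null]
"""

# Warning text -> flag name (flag names are assumptions made for this example).
FLAGS = {
    "Trusting all certificates configured for": "trust_all",
    "No Client EndPointIdentificationAlgorithm configured for": "no_hostname_check",
}

# Timestamp, WARN, thread/context, the abbreviated logger as printed on the page,
# the warning text, then the client instance the warning refers to.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\s+WARN\s+.*?"
    r"o\.e\.j\.u\.s\.S\.config\s+(?P<msg>.+?)\s+(?P<client>Client@[0-9a-f]+)\["
)

def audit(log_text):
    """Return {client instance: sorted list of TLS warning flags seen for it}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("msg") in FLAGS:
            seen[m.group("client")].add(FLAGS[m.group("msg")])
    return {client: sorted(flags) for client, flags in seen.items()}

def clients_with(log_text, flag):
    """Sorted client instances that logged the given flag."""
    return sorted(c for c, flags in audit(log_text).items() if flag in flags)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for client, flags in audit(text).items():
            print(f"{label:6} {client}: {', '.join(flags)}")
```

On the sample lines, the trust-all warning is gone after the change, while both client instances still report that no endpoint identification algorithm is configured.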


          People

            krisden Kevin Risden