Solr / SOLR-7449

solr/server/etc/jetty-https-ssl.xml hard codes the key store file and password rather than pulling them from the sysprops defined in solr/bin/solr.in.{sh,bat}

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.1
    • Fix Version/s: 5.2, 6.0
    • Component/s: None
    • Labels:
      None

      Description

      Shalin Shekhar Mangar pointed this issue out to me.

      The hard-coded values in jetty-https-ssl.xml are the same as the ones in the tutorial, so people creating the keystore as described in the tutorial are able to run Solr in SSL mode.

      Also jetty-https-ssl.xml doesn't configure a trust store (or a password for it), so there's no way currently to have a different trust store from the key store.

        Activity

        Steve Rowe added a comment -

        Here's a working patch that uses the SSL sysprops set in bin/solr.in.sh / bin/solr.in.bat:

        Index: solr/server/etc/jetty-https-ssl.xml
        ===================================================================
        --- solr/server/etc/jetty-https-ssl.xml	(revision 1675460)
        +++ solr/server/etc/jetty-https-ssl.xml	(working copy)
        @@ -41,8 +41,10 @@
                 <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
                   <Arg>
                     <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
        -              <Set name="keyStore"><SystemProperty name="jetty.home" default="."/>/etc/solr-ssl.keystore.jks</Set>
        -              <Set name="keyStorePassword">secret</Set>
        +              <Set name="keyStore"><SystemProperty name="javax.net.ssl.keyStore" default="./etc/solr-ssl.keystore.jks"/></Set>
        +              <Set name="keyStorePassword"><SystemProperty name="javax.net.ssl.keyStorePassword" default="secret"/></Set>
        +              <Set name="trustStore"><SystemProperty name="javax.net.ssl.trustStore" default="./etc/solr-ssl.keystore.jks"/></Set>
        +              <Set name="trustStorePassword"><SystemProperty name="javax.net.ssl.trustStorePassword" default="secret"/></Set>
                       <Set name="needClientAuth"><SystemProperty name="jetty.ssl.clientAuth" default="false"/></Set>
                     </New>
                   </Arg>
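
        Review bot: The added keyStorePassword and trustStorePassword lines both keep default="secret", so an install that never sets javax.net.ssl.keyStorePassword or javax.net.ssl.trustStorePassword still comes up on the tutorial password with nothing to signal it. Consider dropping the default on the two password properties so a missing sysprop is noticed rather than silently falling back, or state in solr.in.sh / solr.in.bat that the defaults match the tutorial keystore only. Separately, the new keyStore default "./etc/solr-ssl.keystore.jks" is relative to the process working directory, while the removed line resolved the file under jetty.home; keeping the jetty.home prefix in the default would preserve the old lookup when the server is started from another directory. The trustStore default points at the same file as the key store, which is worth a comment in the XML so operators know to override it when they want the two separated.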
        
        Steve Rowe added a comment -

        I'm going to hold off on committing the patch because Shalin is working on SOLR-4839 (Jetty 8->9), including fixing SSL support on trunk, and backporting to branch_5x.

        ASF subversion and git services added a comment -

        Commit 1675619 from shalin@apache.org in branch 'dev/trunk'
        [ https://svn.apache.org/r1675619 ]

        SOLR-4839: SSL support with Jetty 9. Also fixes SOLR-7449 on trunk.

        ASF subversion and git services added a comment -

        Commit 1676113 from shalin@apache.org in branch 'dev/trunk'
        [ https://svn.apache.org/r1676113 ]

        SOLR-4839: Add upgrade notes, move entry to 5.2.0. Added entry for SOLR-7449

        ASF subversion and git services added a comment -

        Commit 1676114 from shalin@apache.org in branch 'dev/branches/branch_5x'
        [ https://svn.apache.org/r1676114 ]

        SOLR-4839: Upgrade Jetty to 9.2.10.v20150310 and restlet-jee to 2.3.0. Also fixes SOLR-7449. Merges commits r1649552,1649571,1649584,1649689,1650169,1657495,1675261,1675337,1675619,1676102,1676113 from trunk.

        Shalin Shekhar Mangar added a comment -

        Fixed as part of SOLR-4839 on trunk and branch_5x. Thanks Steve!

        Anshum Gupta added a comment -

        Bulk close for 5.2.0.


          People

          • Assignee:
            Shalin Shekhar Mangar
            Reporter:
            Steve Rowe
          • Votes:
            0
            Watchers:
            3
