Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-9713

TLS-SSL Mutual-Auth doesn't work, Unable to load keyStore with given password

    XMLWordPrintableJSON

    Details

      Description

      Official manual 6.2 says that for enabling HTTPS you have to create keystore with keypair having "secret" as password (example), assume that i have done everything else needed to enable HTTPS correctly.
      When i want to create keystore and keypair with another password it works only on Linux OS but on Windows only with "secret" as a password.

      solr.in.cmd properties aren't used by server properly on Windows:
      CASE1:
      keystore password: secret
      kepair password: secret
      SOLR_SSL_KEY_STORE_PASSWORD=secret
      SOLR_SSL_TRUST_STORE_PASSWORD=secret
      Everything works

      CASE2:
      keystore password: secret
      kepair password: secret
      SOLR_SSL_KEY_STORE_PASSWORD=changeit
      SOLR_SSL_TRUST_STORE_PASSWORD=changeit
      No "Keystore was tampered with, or password was incorrect" -> which means it uses "secret" as password when it shouldn't
      Multiple repeating Errors:
      INFO - 2016-11-02 07:52:00.657; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to

      {s}->https://localhost:8983: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
      INFO - 2016-11-02 07:52:00.657; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}

      ->https://localhost:8983

      CASE3:
      keystore password: changeit
      kepair password: changeit
      SOLR_SSL_KEY_STORE_PASSWORD=changeit
      SOLR_SSL_TRUST_STORE_PASSWORD=changeit

      Errors:
      java.lang.reflect.InvocationTargetException
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
      at org.eclipse.jetty.start.Main.start(Main.java:457)
      at org.eclipse.jetty.start.Main.main(Main.java:75)
      Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
      at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
      at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
      at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
      at java.security.KeyStore.load(KeyStore.java:1445)
      at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52)
      at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1016)
      at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:332)
      at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
      at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
      at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
      at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
      at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
      at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
      at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
      at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:260)
      at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
      at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:244)
      at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
      at org.eclipse.jetty.server.Server.doStart(Server.java:384)
      at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
      at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1510)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1435)
      ... 7 more
      Caused by: java.security.UnrecoverableKeyException: Password verification failed
      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
      ... 30 more

      Usage: java -jar start.jar [options] [properties] [configs]
      java -jar start.jar --help # for more information
      INFO - 2016-11-02 07:53:55.221; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to

      {s}->https://localhost:8983: Connection reset
      INFO - 2016-11-02 07:53:55.225; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}

      ->https://localhost:8983

      Another issue:
      I want for the server to require Client Authentification by certificate but the properties aren't passed to the server or used by the server. Doens't work on Windows, works on Linux.

      CASE1:
      set SOLR_SSL_NEED_CLIENT_AUTH=true
      set SOLR_SSL_WANT_CLIENT_AUTH=false
      server doesn't require client certificate for authentification

      CASE2:
      set SOLR_SSL_NEED_CLIENT_AUTH=false
      set SOLR_SSL_WANT_CLIENT_AUTH=true
      server doesn't want client certificate for authentification

      I found that i can set the properties defaults in jetty-ssl.xml
      which somehow helps a bit but the server still won't start and throws errors:
      INFO - 2016-11-02 09:29:05.036; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to

      {s}->https://localhost:8983: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
      INFO - 2016-11-02 09:29:05.036; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}

      ->https://localhost:8983

      I know that most of the solr projects probably runs on Linux but we use also Windows environment for testing, because we have to ensure that our solution is platform independent.

      Would be cool if someone would lay an eye on that.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              SpiRe MiloŇ° Havr√°nek
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: