[ 
https://issues.apache.org/jira/browse/SOLR-11678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16268889#comment-16268889
 ] 

Shawn Heisey commented on SOLR-11678:
-------------------------------------

bq. I don't want to store JKS file with server certificate and especially 
private key unprotected (good practice). Does it make sense to you?

It does make sense to protect the key store, since that has private information 
in it, but the trust store doesn't have anything private, so it doesn't seem 
necessary to encrypt it.

{quote}
SOLR_SSL_KEY_STORE: "solr/solr-ssl.keystore.jks"
SOLR_SSL_KEY_STORE_PASSWORD: "password"
SOLR_SSL_KEY_STORE_TYPE: "JKS"
SOLR_SSL_TRUST_STORE: "solr/solr-ssl.keystore.jks"
SOLR_SSL_TRUST_STORE_PASSWORD: "password"
{quote}

The info I found says that each item in one store file can have its own 
password ... but I wonder if maybe Jetty isn't aware of that fact, and ties 
passwords to filenames, rather than keeping them separate by the store.  You 
have both of the stores set to the same filename ... so if Jetty is using the 
filename to save the password internally, then Jetty would only have one 
password after it has processed its configuration, so one of the stores would 
fail to load.


> SSL not working if store and key passwords are different
> --------------------------------------------------------
>
>                 Key: SOLR-11678
>                 URL: https://issues.apache.org/jira/browse/SOLR-11678
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 6.6.2
>            Reporter: Constantin Bugneac
>
> If I specify different passwords for store and key then Solr fails to read 
> certificate from JKS file with the below error.
> Example:
> SOLR_SSL_KEY_STORE_PASSWORD: "secret1"
> SOLR_SSL_TRUST_STORE_PASSWORD: "secret2"
> If I set the same password for both - it works just fine.
> Tested with the docker image 6.6.2 available here 
> https://hub.docker.com/_/solr/
> I don't know whether this is JAVA nuance or Solr implementation issue but 
> from security point of view there is no point to have the same password 
> assigned for both the key store and private key bound to specific certificate.
> Expected behaviour: It should allow to specify different passwords.
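
Added example (not part of the comment above, and not Solr or Jetty code): a JKS file carries a single store-level integrity digest keyed by the store password, separate from any per-entry key password, so two settings that name the same file cannot both load it with different store passwords. The trailer layout used here is that of the JDK's JKS provider, not something stated in this thread; the empty store and the `check_solr_ssl` helper are constructed for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # fixed string the JDK mixes into the digest


def _digest(store_password: str, body: bytes) -> bytes:
    # JKS hashes the password as UTF-16BE code units, then the whitener, then the body.
    return hashlib.sha1(store_password.encode("utf-16-be") + WHITENER + body).digest()


def build_empty_jks(store_password: str) -> bytes:
    """Constructed sample: a version 2 JKS file holding zero entries."""
    body = struct.pack(">IIi", JKS_MAGIC, 2, 0)
    return body + _digest(store_password, body)


def store_password_ok(jks: bytes, store_password: str) -> bool:
    """True if store_password matches the file-level integrity digest."""
    if len(jks) < 32 or struct.unpack(">I", jks[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS file")
    body, trailer = jks[:-20], jks[-20:]
    return hmac.compare_digest(_digest(store_password, body), trailer)


def check_solr_ssl(env: dict, read_file) -> list:
    """Return the password settings that fail against the store file they name.

    Only the store password is checked; per-entry key passwords are not.
    """
    failures = []
    for prefix in ("SOLR_SSL_KEY_STORE", "SOLR_SSL_TRUST_STORE"):
        data = read_file(env[prefix])
        if not store_password_ok(data, env[prefix + "_PASSWORD"]):
            failures.append(prefix + "_PASSWORD")
    return failures


if __name__ == "__main__":
    # Constructed input: one file used as both stores, two different passwords.
    files = {"solr/solr-ssl.keystore.jks": build_empty_jks("secret1")}
    env = {
        "SOLR_SSL_KEY_STORE": "solr/solr-ssl.keystore.jks",
        "SOLR_SSL_KEY_STORE_PASSWORD": "secret1",
        "SOLR_SSL_TRUST_STORE": "solr/solr-ssl.keystore.jks",
        "SOLR_SSL_TRUST_STORE_PASSWORD": "secret2",
    }
    print(check_solr_ssl(env, files.__getitem__))
```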


