On 12/13/2017 11:57 AM, Joel Bernstein wrote:
> I'm looking for how SSL hostname verification can be turned off and on in
> Solr and I have been confused by the startup parameter:
>
> -Dsolr.ssl.checkPeerName=false.
>
> From what I can see this parameter sets the value for:
> HttpClientUtil.SYS_PROP_CHECK_PEER_NAME.
>
> This property appears to only be used in the test framework though,
> specifically in the: SSLTestConfig
>
> So it appears that -Dsolr.ssl.checkPeerName=false has no effect on a
> running Solr instance.

See SOLR-9304. Yesterday, a user on IRC discovered that the property wasn't being honored, found that issue, and asked about it. They said that everything works in 6.6, but doesn't in 7.x.

https://issues.apache.org/jira/browse/SOLR-9304

Hoss did not really recall much, but said that it is likely that he noticed the dead code while working on something else, opened the issue, and never got back to it.

I built a patch for the issue, but haven't done anything to test the patch. I'd like to have a test included with Solr so future regressions can be detected, but don't know how to write it.

Regarding SSLTestConfig, I'm a little suspicious about the test handling a property that Solr itself *should* be handling. In fact, looking at that test, I suspect that it is doing a LOT of things manually that other code should be handling.

For the patch, I just resurrected code removed by SOLR-4509 and updated it to remove HttpClient deprecations. I would appreciate a review to see if it could be improved. The boolean handling could likely be done better. I couldn't make any sense out of the deprecation notes in HttpClient for the "old" way of setting the verification, so there might be a better way of handling it. It's also possible that I have overlooked something that needs attention.

Thanks,
Shawn
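
An added illustration, not part of the thread and not the SOLR-9304 patch or Solr's own code: one way a client can honor the `solr.ssl.checkPeerName` property with the non-deprecated HttpClient 4.4+ API, keeping hostname verification on unless the value is explicitly `false`. The class name, the fail-closed parsing and the sample values in `main` are assumptions made for the example.

```java
import javax.net.ssl.HostnameVerifier;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

// Hypothetical class for illustration; requires HttpClient 4.4+ on the classpath.
public class PeerNameCheckExample {
    // Property name as given in the thread.
    static final String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.checkPeerName";

    // Fail closed: unset, empty or unrecognized values keep verification ON.
    // Only an explicit "false" turns it off.
    static boolean checkPeerName() {
        String raw = System.getProperty(SYS_PROP_CHECK_PEER_NAME);
        return raw == null || !"false".equalsIgnoreCase(raw.trim());
    }

    static HostnameVerifier chooseVerifier() {
        if (checkPeerName()) {
            return new DefaultHostnameVerifier();
        }
        // Leave an audit trail whenever verification is switched off.
        System.err.println("WARNING: " + SYS_PROP_CHECK_PEER_NAME
            + "=false, TLS hostname verification is disabled");
        return NoopHostnameVerifier.INSTANCE;
    }

    // The verifier is passed to the socket factory instead of the deprecated
    // setHostnameVerifier(X509HostnameVerifier) call.
    static CloseableHttpClient buildClient() {
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
            SSLContexts.createSystemDefault(), chooseVerifier());
        return HttpClients.custom().setSSLSocketFactory(sf).build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, including a typo that must not disable the check.
        for (String v : new String[] {null, "true", "false", "FALSE", "flase", ""}) {
            if (v == null) System.clearProperty(SYS_PROP_CHECK_PEER_NAME);
            else System.setProperty(SYS_PROP_CHECK_PEER_NAME, v);
            System.out.println(v + " -> " + chooseVerifier().getClass().getSimpleName());
        }
        try (CloseableHttpClient client = buildClient()) {
            System.out.println("client built: " + (client != null));
        }
    }
}
```

A regression test of the kind asked for above could assert on the verifier chosen for each property value, or connect to a test server whose certificate name does not match and expect the handshake to fail while the property is unset.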
