Bram Van Dam created SOLR-12953:
-----------------------------------

             Summary: Support for TLS/SSL key alias configuration
                 Key: SOLR-12953
                 URL: https://issues.apache.org/jira/browse/SOLR-12953
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 7.5
            Reporter: Bram Van Dam
             Fix For: 7.5.1


As discussed on the mailing list:

*Context:*
There's a jetty-ssl.xml config file which configures Jetty's SslContextFactory 
using properties set in solr.in.sh, but it's incomplete for some purposes.

*Problem:*
I've noticed that no "certAlias" property is present. This means that when 
Jetty starts, it will pick an arbitrary (based on some internal order, 
apparently the newest?) key from the keystore to use. This is fine when you're 
only using your keystore for Solr and it only contains one key, but it makes 
life a lot more complicated in environments where keystores are managed and 
distributed to servers automagically.

When you add a key to the keystore, you can assign an alias. Jetty can then use 
the key with that alias by means of its certAlias config property.

The Solr documentation [1] confusingly assigns the alias "solr-ssl" to the key, 
but as far as I can tell this alias isn't actually used or referenced anywhere 
else. 

*Solution:*
I'm currently dealing with a slightly more complicated TLS setup, so I'm 
attaching a patch which adds an extra config property in order to (optionally) 
specify the key alias. When the option is omitted, the old behaviour remains 
unchanged.
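
An added example, not part of the original issue and not Solr's or Jetty's own code: a shell check over the text printed by `keytool -list` that reports whether a keystore leaves the key choice open when no alias is configured, and whether a chosen alias really names a private key. It assumes keytool's default English, non-verbose listing format; the function names, the sample listing and every alias in it other than "solr-ssl" are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `keytool -list` output: two keys and one CA certificate.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

solr-ssl, Nov 1, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <constructed>
backup-agent, Oct 3, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <constructed>
corp-root-ca, Jan 9, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed>'

# Print the alias of every private-key entry on stdin, one per line.
# Assumes aliases do not themselves contain ", ".
key_aliases() {
    awk -F', ' '/, PrivateKeyEntry,/ { print $1 }'
}

# check_cert_alias [ALIAS] < listing
#   0  ALIAS names a private key, or no ALIAS and exactly one key exists
#   1  ALIAS is absent from the keystore or is not a private-key entry
#   2  no ALIAS given and several keys exist: Jetty's choice is not pinned
#   3  the keystore holds no private key at all
check_cert_alias() {
    wanted=${1:-}
    aliases=$(key_aliases)
    count=$(printf '%s\n' "$aliases" | grep -c . || true)
    [ "$count" -eq 0 ] && return 3
    if [ -z "$wanted" ]; then
        [ "$count" -eq 1 ] && return 0
        return 2
    fi
    printf '%s\n' "$aliases" | grep -Fxq -- "$wanted" || return 1
    return 0
}

# Demo on the constructed listing. Against a real keystore (path is a placeholder):
#   keytool -list -keystore KEYSTORE_FILE | check_cert_alias solr-ssl
rc=0
printf '%s\n' "$SAMPLE_LISTING" | check_cert_alias || rc=$?
echo "no alias configured: status $rc"
rc=0
printf '%s\n' "$SAMPLE_LISTING" | check_cert_alias solr-ssl || rc=$?
echo "alias solr-ssl: status $rc"
```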



