[ https://issues.apache.org/jira/browse/SOLR-12953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bram Van Dam updated SOLR-12953: -------------------------------- Fix Version/s: 7.6 > Support for TLS/SSL key alias configuration > ------------------------------------------- > > Key: SOLR-12953 > URL: https://issues.apache.org/jira/browse/SOLR-12953 > Project: Solr > Issue Type: Improvement > Security Level: Public(Default Security Level. Issues are Public) > Affects Versions: 7.5 > Reporter: Bram Van Dam > Priority: Major > Labels: patch > Fix For: 7.5.1, 7.6 > > Attachments: SOLR-12953.patch, SOLR-12953.patch > > > As discussed on the mailing list: > *Context:* > There's a jetty-ssl.xml config file which configures Jetty's > SslContextFactory using properties set in solr.in.sh, but it's incomplete for > some purposes. > *Problem:* > I've noticed that no "certAlias" property is present. This means that when > Jetty starts, it will pick an arbitrary (based on some internal order, > apparently the newest?) key from the keystore to use. This is fine when > you're only using your keystore for Solr and it only contains one key, but it > makes life a lot more complicated in environments where keystores are managed > and distributed to servers automagically. > When you add a key to the keystore, you can assign an alias. Jetty can then > use the key with that alias by means of its certAlias config property. > The Solr documentation [1] confusingly assigns the alias "solr-ssl" to the > key, but as far as I can tell this alias isn't actually used or referenced > anywhere else. > *Solution:* > I'm currently dealing with a slightly more complicated TLS setup, so I'm > attaching a patch which adds an extra config property in order to > (optionally) specify the key alias. When the option is omitted, the old > behaviour remains unchanged. Patch modifies the configuration and includes > updates to the enabling-ssl documentation. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org