[ 
https://issues.apache.org/jira/browse/SOLR-12988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16866425#comment-16866425
 ] 

Cao Manh Dat commented on SOLR-12988:
-------------------------------------

Hi guys, this is a problem that belongs to HttpClient + Java 11 (TLSv1.3) 
(HTTPCLIENT-1967).

To summarize the problem: this only happens on HttpClient + TLSv1.3, which has 
been supported since Java 11. 
The use case:
* an SSL connection gets resumed
* the server will assume that the client already has the server's certificate 
-> the server won't try to send the certificate to the client 
* org.apache.http.conn.ssl.DefaultHostnameVerifier in all cases (resumed or new 
connection) always checks the host of the server to ensure that it matches 
the certificate
* since the certificate does not get resent to the client, at the point in 
time when org.apache.http.conn.ssl.DefaultHostnameVerifier tried to get the 
server's certificate it received this error {{throw new 
SSLPeerUnverifiedException("peer not authenticated")}}

I took a look at how the Jetty client deals with this problem; it seems that the 
proper way to handle the problem here is to let the Java SSLEngine handle endpoint 
verification by using {{SSLParameters}} rather than verifying the hostname manually 
like org.apache.http.conn.ssl.DefaultHostnameVerifier does.
-> If we completely remove the usage of HttpClient in Solr, this problem will be 
solved.

The patch fixes the problem by forcing HttpClient to use TLSv1.2 or lower 
versions. 

It seems that the problem affects anyone who uses Solr on Java 11 + SSL. Should 
we backport the fix to branch_8_1 so it can be released with the 8.1.2 bug fixes?

[~hossman] [~ctargett] What do you think?

> TestMiniSolrCloudClusterSSL.testSslWithCheckPeerName fails reliably on 
> java11: "SSLPeerUnverifiedException: peer not authenticated"
> -----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-12988
>                 URL: https://issues.apache.org/jira/browse/SOLR-12988
>             Project: Solr
>          Issue Type: Test
>            Reporter: Hoss Man
>            Assignee: Cao Manh Dat
>            Priority: Major
>              Labels: Java11, Java12
>         Attachments: SOLR-13413.patch
>
>
> TestMiniSolrCloudClusterSSL.testSslWithCheckPeerName seems to fail 100% of 
> the time when run with java11 (or java12), regardless of seed, on both master 
> & 7x.
> The nature of the problem and the way our http stack works suggests it *may* 
> ultimately be a jetty bug (perhaps related to [jetty 
> issue#2711|https://github.com/eclipse/jetty.project/issues/2711]?)
> *HOWEVER* ... as far as i can tell, whatever the root cause is, seems to have 
> been fixed on the {{jira/http2}} branch (as of 
> 52bc163dc1804c31af09c1fba99647005da415ad) which should hopefully be getting 
> merged to master soon.
> Filing this issue largely for tracking purposes, although we may also want to 
> use it for discussions/considerations of other backports/fixes to 7x



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
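The three HttpClient configurations discussed in the comment above, side by side, as an added example (this is not Solr's code and not the SOLR-12988 patch): the JDK-default setup that hits "peer not authenticated" on a resumed TLSv1.3 session, the patch's workaround of pinning HttpClient to TLSv1.2, and the Jetty-style alternative of letting JSSE do endpoint identification through {{SSLParameters}} so HttpClient never has to call getPeerCertificates(). It assumes the HttpClient 4.5 API on Java 11 and takes the target URL as a command-line argument; the Solr URL is only a placeholder default.

```java
// Added example (not Solr's or the SOLR-12988 patch's code): HttpClient 4.5
// configured three ways against the same target, so the "peer not authenticated"
// failure on a resumed TLSv1.3 session can be reproduced and compared with the
// two fixes discussed in the comment.
import java.io.IOException;
import java.net.URI;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class ResumedTls13HostnameCheck {

    /** Baseline: JDK defaults (TLSv1.3 offered on Java 11) plus HttpClient's
     *  DefaultHostnameVerifier, which calls SSLSession.getPeerCertificates().
     *  On an affected JDK the second connection resumes the session, the server
     *  sends no Certificate message, and getPeerCertificates() throws
     *  SSLPeerUnverifiedException("peer not authenticated"). */
    static SSLConnectionSocketFactory defaultFactory(SSLContext ctx) {
        return new SSLConnectionSocketFactory(ctx, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    }

    /** What the patch does: restrict HttpClient to TLSv1.2, so TLSv1.3
     *  resumption never happens and the verifier always sees a certificate. */
    static SSLConnectionSocketFactory tls12OnlyFactory(SSLContext ctx) {
        return new SSLConnectionSocketFactory(
                ctx,
                new String[] {"TLSv1.2"},   // supported protocols: TLSv1.3 excluded
                null,                        // cipher suites: JSSE defaults
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    }

    /** The Jetty-style approach: ask JSSE to do HTTPS endpoint identification
     *  inside the handshake via SSLParameters, and give HttpClient a verifier
     *  that never touches getPeerCertificates(). JSSE checks the host name that
     *  HttpClient passes to createSocket() against the certificate during the
     *  full handshake; a cached session is only resumed for the same host and
     *  the same identification algorithm, so the identity was already verified. */
    static SSLConnectionSocketFactory engineVerifiedFactory(SSLContext ctx) {
        return new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE) {
            @Override
            protected void prepareSocket(SSLSocket socket) throws IOException {
                SSLParameters params = socket.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                socket.setSSLParameters(params);
            }
        };
    }

    /** Two GETs over fresh TCP connections that share one SSLContext (one JSSE
     *  session cache), so the second handshake is a candidate for resumption. */
    static void fetchTwice(String label, SSLConnectionSocketFactory sf, URI target) throws IOException {
        System.out.println(label);
        try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sf).build()) {
            for (int i = 1; i <= 2; i++) {
                HttpGet get = new HttpGet(target);
                get.setHeader("Connection", "close"); // do not pool; the next request reconnects
                try (CloseableHttpResponse rsp = client.execute(get)) {
                    System.out.println("  request " + i + ": HTTP " + rsp.getStatusLine().getStatusCode());
                } catch (IOException e) {
                    // With defaultFactory() on an affected JDK this is where
                    // request 2 reports SSLPeerUnverifiedException.
                    System.out.println("  request " + i + ": " + e);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed target: any HTTPS server whose certificate the default
        // truststore accepts. The Solr URL below is only a placeholder.
        URI target = new URI(args.length > 0 ? args[0] : "https://localhost:8983/solr/");
        SSLContext ctx = SSLContext.getDefault();
        fetchTwice("JDK defaults + DefaultHostnameVerifier:", defaultFactory(ctx), target);
        fetchTwice("TLSv1.2 only (patch workaround):", tls12OnlyFactory(ctx), target);
        fetchTwice("TLSv1.3 + SSLParameters endpoint identification:", engineVerifiedFactory(ctx), target);
    }
}
```

Run it as `java ResumedTls13HostnameCheck https://host:port/` with HttpClient 4.5 on the classpath. The caveat for the third configuration: once NoopHostnameVerifier is in place, the {{SSLParameters}} endpoint identification is the only host-name check left, so confirm it is actually enforced (point the client at a host whose certificate name does not match and expect the handshake itself to fail) before relying on it in place of DefaultHostnameVerifier.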
