Kevin Risden created SOLR-16679:
-----------------------------------
Summary: Fix solr.jetty.ssl.verifyClientHostName logging
Key: SOLR-16679
URL: https://issues.apache.org/jira/browse/SOLR-16679
Project: Solr
Issue Type: Task
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Kevin Risden
Assignee: Kevin Risden
In SOLR-16669, [~houston] found in https://github.com/apache/solr/pull/1367
{quote}Main with #1366 included:
{code:java}
2023-02-22 09:28:49.232 WARN (main) [] o.e.j.u.s.S.config Trusting all certificates configured for Client@1d901f20[provider=null,keyStore=null,trustStore=null]
2023-02-22 09:28:49.233 WARN (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@1d901f20[provider=null,keyStore=null,trustStore=null]
2023-02-22 09:28:49.339 WARN (main) [] o.e.j.u.s.S.config Trusting all certificates configured for Client@760487aa[provider=null,keyStore=null,trustStore=null]
2023-02-22 09:28:49.339 WARN (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@760487aa[provider=null,keyStore=null,trustStore=null]
{code}
Then with this change:
{code:java}
2023-02-22 09:31:12.602 WARN (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@2c9a6717[provider=null,keyStore=null,trustStore=null]
2023-02-22 09:31:12.690 WARN (main) [] o.e.j.u.s.S.config No Client EndPointIdentificationAlgorithm configured for Client@760487aa[provider=null,keyStore=null,trustStore=null]
{code}
That is due to this line:
{code:java}
sslContextFactory.setEndpointIdentificationAlgorithm(
    System.getProperty("solr.jetty.ssl.verifyClientHostName"));
{code}
It seems like this stems from https://issues.apache.org/jira/browse/SOLR-14163,
so we have the perfect people to discuss this @janhoy & @risdenk ! I'll leave
it to y'all if we want to use "HTTPS" as the default. That will make the last 2
warnings go away. We can also deal with this in a different PR/issue if y'all
want to, it's pretty unrelated. (I will say the SolrJ tests work with HTTPS as
the default for this sysProp, so it will work for users using HTTP){quote}
We should default to HTTPS if TLS is not enabled. It looks like we disable
client hostname verification by default and the setting
solr.jetty.ssl.verifyClientHostName only applies if TLS is enabled.
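Added example, not code from Solr, Jetty or the issue: it shows why an unset solr.jetty.ssl.verifyClientHostName leaves a TLS client with no endpoint identification algorithm, and one way to default it to "HTTPS". It uses only the JDK's SSLParameters rather than Jetty's SslContextFactory; the helper resolveAlgorithm, the host name, and the rule that a blank value is an explicit opt-out are assumptions made for the illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class EndpointIdDefault {
    static final String PROP = "solr.jetty.ssl.verifyClientHostName";

    // Hypothetical helper (assumption, not Solr's code):
    //   property unset -> "HTTPS", so hostname verification is on by default
    //   property blank -> null, an explicit opt-out chosen by the operator
    //   anything else  -> passed through unchanged
    static String resolveAlgorithm() {
        String value = System.getProperty(PROP);
        if (value == null) {
            return "HTTPS";
        }
        value = value.trim();
        return value.isEmpty() ? null : value;
    }

    // Builds a client-mode engine and applies the resolved algorithm.
    // A null algorithm means the peer certificate's names are never
    // compared with the host the client connected to.
    static SSLEngine clientEngine(String host, int port) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm(resolveAlgorithm());
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: unset, explicit "HTTPS", explicit blank.
        for (String value : new String[] {null, "HTTPS", ""}) {
            if (value == null) {
                System.clearProperty(PROP);
            } else {
                System.setProperty(PROP, value);
            }
            SSLEngine engine = clientEngine("solr.example.test", 8983);
            String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
            System.out.printf("%s=%s -> algorithm=%s, hostname check %s%n",
                PROP, value == null ? "<unset>" : "\"" + value + "\"",
                alg, alg == null ? "OFF" : "ON");
        }
    }
}
```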