Tomas Eduardo Fernandez Lobbe created SOLR-16735:
----------------------------------------------------
Summary: "Invalid SNI" error when request server name doesn't match host certificate
Key: SOLR-16735
URL: https://issues.apache.org/jira/browse/SOLR-16735
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Affects Versions: 9.2
Reporter: Tomas Eduardo Fernandez Lobbe

Jetty 10 slightly changed the behavior for handling SNI validation. See [Jetty 9.4|https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L262] vs [Jetty 10|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L242].

In Jetty 9, by default (which Solr uses up to version 9.1), the SNI extension was not validated if not present, but in Jetty 10, by default, the host name is validated against the host certificate, and {{400: Invalid SNI}} is thrown if they don't match.

I think the right approach for Solr is to set {{sniHostCheck}} to {{false}}, and at most provide the option to configure it using Jetty internal sysprops like [here|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/config/etc/jetty-ssl.xml#L56-L61]
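
The proposal above written out as a Jetty 10 XML fragment. This is an added illustration, not taken from the issue or from the Solr code base: it follows the `SecureRequestCustomizer` block in the linked `jetty-ssl.xml`, with the `sniHostCheck` default flipped to `false` as the reporter suggests. Reusing Jetty's `jetty.ssl.*` property names is an assumption; Solr may expose its own.

```xml
<!-- HTTPS-side HttpConfiguration: wraps the shared httpConfig and adds the
     customizer that performs the SNI / host-name checks on each request. -->
<New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Arg><Ref refid="httpConfig"/></Arg>
  <Call name="addCustomizer">
    <Arg>
      <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
        <!-- Reject TLS connections that carried no SNI extension at all.
             Left at Jetty's default (false). -->
        <Arg name="sniRequired" type="boolean">
          <Property name="jetty.ssl.sniRequired" default="false"/>
        </Arg>
        <!-- Compare the request's server name with the names on the
             certificate that was served; a mismatch yields
             "400: Invalid SNI". Jetty 10 ships default="true"; the
             default is false here so that requests addressed by IP
             or by an internal alias keep working, while operators
             can still opt back in through the property. -->
        <Arg name="sniHostCheck" type="boolean">
          <Property name="jetty.ssl.sniHostCheck" default="false"/>
        </Arg>
        <!-- HSTS settings, unchanged from Jetty's defaults. -->
        <Arg name="stsMaxAgeSeconds" type="int">
          <Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/>
        </Arg>
        <Arg name="stsIncludeSubdomains" type="boolean">
          <Property name="jetty.ssl.stsIncludeSubdomains" default="false"/>
        </Arg>
      </New>
    </Arg>
  </Call>
</New>
```

Setting `jetty.ssl.sniHostCheck=true` restores the Jetty 10 behaviour for deployments where every client addresses a node by a name present on its certificate.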