[ 
https://issues.apache.org/jira/browse/SOLR-16735?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17708147#comment-17708147
 ] 

Tomas Eduardo Fernandez Lobbe commented on SOLR-16735:
------------------------------------------------------

The reason I think we should allow sniHostCheck to be false is that the 
certificate in the host could have been created for a name that's different 
from the one in the request, for example, if you are using a load balancer in 
front of the cluster. This is something that would work in Solr 9.1 and before 
but not in Solr 9.2.

The reason I think we should make the default for sniHostCheck false is that, if I 
understand correctly (and I may not :), so correct me if I'm wrong), the whole 
point of SNI validation is to be able to host multiple domains on the same 
server (Jetty). We don't support people running their apps in the same Jetty 
web server as Solr.

I guess the reason someone may want this set to `true` could be if they are 
reusing the same keystore for multiple applications?

> "Invalid SNI" error when request server name doesn't match host certificate
> ---------------------------------------------------------------------------
>
>                 Key: SOLR-16735
>                 URL: https://issues.apache.org/jira/browse/SOLR-16735
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 9.2
>            Reporter: Tomas Eduardo Fernandez Lobbe
>            Assignee: Tomas Eduardo Fernandez Lobbe
>            Priority: Major
>
> Jetty 10 slightly changed the behavior for handling SNI validation. See 
> [Jetty9.4|https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L262]
>  vs [Jetty 
> 10|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L242].
>  In Jetty 9, by default (which Solr uses up to version 9.1), SNI extension 
> was not validated if not present, but in Jetty 10, by default, the host name 
> is validated against the host certificate, and {{400: Invalid SNI}} is thrown 
> if they don't match.
> I think the right approach for Solr is to set {{sniHostCheck}} to {{false}}, 
> and at the most be the option to configure using jetty internal sysprops like 
> [here|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/config/etc/jetty-ssl.xml#L56-L61]
>  
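The following is an added model of the decision the issue describes, written for this page; it is not Jetty's or Solr's code. It approximates Jetty 10's SecureRequestCustomizer, which (when sniHostCheck is on) takes the certificate negotiated for the TLS connection and rejects the request with 400 "Invalid SNI" if that certificate does not cover the request's server name (the Host header), and it approximates the key manager's certificate selection by SNI with a fall-back to the first certificate. The certificate names, aliases and hostnames are constructed, so the load-balancer case from the comment and the "reused keystore" question can be played through offline.

```python
"""Model of Jetty 10's sniHostCheck decision (added illustration, not Jetty or Solr code).

Approximates two pieces of Jetty 10 behaviour on constructed inputs:
  * SniX509ExtendedKeyManager picks the certificate whose names cover the SNI
    host, falling back to the first one when SNI is absent or matches nothing.
  * SecureRequestCustomizer, with sniHostCheck=true, rejects the request with
    400 "Invalid SNI" when that certificate does not cover request.getServerName().
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerCert:
    """Names a server certificate is valid for (subject CN plus SAN dNSName entries)."""
    alias: str
    names: tuple

    def matches(self, host: str) -> bool:
        """Hostname match in the style of Jetty's X509.matches():
        exact case-insensitive match, or a wildcard covering one leftmost label."""
        host = host.lower().rstrip(".")
        for name in self.names:
            name = name.lower()
            if name == host:
                return True
            if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        return False


def select_cert(keystore, sni):
    """Certificate selection by SNI (approximation of SniX509ExtendedKeyManager):
    first certificate covering the SNI host; otherwise the first certificate."""
    if sni is not None:
        for cert in keystore:
            if cert.matches(sni):
                return cert
    return keystore[0]


def customize(keystore, host_header, sni=None, sni_host_check=True):
    """Return (status, reason) for a request, modelled on SecureRequestCustomizer.customize().

    sni_host_check=True mirrors the Jetty 10 default that Solr 9.2 inherits;
    False mirrors the setting the issue proposes as Solr's default.
    """
    cert = select_cert(keystore, sni)
    # getServerName() returns the host without the port; IPv6 literals are not
    # handled by this simplified split.
    server_name = host_header.split(":")[0]
    if sni_host_check and not cert.matches(server_name):
        return 400, "Invalid SNI"
    return 200, "OK"


# Constructed scenario from the comment: one node certificate, clients arrive via a load balancer.
NODE_ONLY = (ServerCert("solr-1", ("solr-1.internal",)),)
# Constructed scenario for the "reused keystore" question: one keystore holding two certificates.
SHARED = (ServerCert("solr-1", ("solr-1.internal",)),
          ServerCert("lb", ("lb.example.com",)))

if __name__ == "__main__":
    cases = [(NODE_ONLY, "lb.example.com", True),
             (NODE_ONLY, "lb.example.com", False),
             (NODE_ONLY, "solr-1.internal:8983", True),
             (SHARED, "lb.example.com", True)]
    for store, host, check in cases:
        status = customize(store, host, sni=host.split(":")[0], sni_host_check=check)
        print(f"{len(store)} cert(s), Host: {host}, sniHostCheck={check} -> {status}")
```

Running the script shows the two sides of the comment: with a single node certificate behind a load balancer the Jetty 10 default answers 400, and only disabling the check (or adding the load balancer's name to the certificate) lets the request through; with a keystore that holds a certificate per hostname the check passes, which is the situation where leaving it on still buys something.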



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
