[
https://issues.apache.org/jira/browse/SOLR-16735?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17708340#comment-17708340
]
Jan Høydahl commented on SOLR-16735:
------------------------------------
Makes sense to me to stick with the 9.0 and 9.1 behavior and if we want to flip
the default, introuce it in 10.0 and document it as a major change.
> "Invalid SNI" error when request server name doesn't match host certificate
> ---------------------------------------------------------------------------
>
> Key: SOLR-16735
> URL: https://issues.apache.org/jira/browse/SOLR-16735
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 9.2
> Reporter: Tomas Eduardo Fernandez Lobbe
> Assignee: Tomas Eduardo Fernandez Lobbe
> Priority: Major
>
> Jetty 10 slightly changed the behavior for handling SNI validation. See
> [Jetty9.4|https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L262]
> vs [Jetty
> 10|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L242].
> In Jetty 9, by default (which Solr uses up to version 9.1), SNI extension
> was not validated if not present, but in Jetty 10, by default, the host name
> is validated against the host certificate, and {{400: Invalid SNI}} is thrown
> if they don't match.
> I think the right approach for Solr is to set {{sniHostCheck}} to {{false}},
> and at the most be the option to configure using jetty internal sysprops like
> [here|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/config/etc/jetty-ssl.xml#L56-L61]
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
