[jira] [Commented] (SOLR-16735) "Invalid SNI" error when request server name doesn't match host certificate

Thu, 06 Apr 2023 22:04:05 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-16735?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17709586#comment-17709586
 ] 

ASF subversion and git services commented on SOLR-16735:
--------------------------------------------------------

Commit d9d86fb22a561dfccfe9c06ec5235c84dc3d34a6 in solr's branch 
refs/heads/branch_9_2 from Tomas Eduardo Fernandez Lobbe
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=d9d86fb22a5 ]

SOLR-16735: Allow custom configuration of Jetty's SecureRequestCustomizer 
(#1547)

This change allows users that use TLS to configure Jetty's 
SecureRequestCustomizer using System properties on startup


> "Invalid SNI" error when request server name doesn't match host certificate
> ---------------------------------------------------------------------------
>
>                 Key: SOLR-16735
>                 URL: https://issues.apache.org/jira/browse/SOLR-16735
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 9.2
>            Reporter: Tomas Eduardo Fernandez Lobbe
>            Assignee: Tomas Eduardo Fernandez Lobbe
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Jetty 10 slightly changed the behavior for handling SNI validation. See 
> [Jetty9.4|https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L262]
>  vs [Jetty 
> 10|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L242].
>  In Jetty 9, by default (which Solr uses up to version 9.1), SNI extension 
> was not validated if not present, but in Jetty 10, by default, the host name 
> is validated against the host certificate, and {{400: Invalid SNI}} is thrown 
> if they don't match.
> I think the right approach for Solr is to set {{sniHostCheck}} to {{false}}, 
> and at the most be the option to configure using jetty internal sysprops like 
> [here|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/config/etc/jetty-ssl.xml#L56-L61]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to