[
https://issues.apache.org/jira/browse/SOLR-16735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tomas Eduardo Fernandez Lobbe resolved SOLR-16735.
--------------------------------------------------
Fix Version/s: main (10.0)
9.3
9.2.1
Resolution: Fixed
> "Invalid SNI" error when request server name doesn't match host certificate
> ---------------------------------------------------------------------------
>
> Key: SOLR-16735
> URL: https://issues.apache.org/jira/browse/SOLR-16735
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 9.2
> Reporter: Tomas Eduardo Fernandez Lobbe
> Assignee: Tomas Eduardo Fernandez Lobbe
> Priority: Major
> Fix For: main (10.0), 9.3, 9.2.1
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Jetty 10 slightly changed the behavior for handling SNI validation. See
> [Jetty9.4|https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L262]
> vs [Jetty
> 10|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L242].
> In Jetty 9, by default (which Solr uses up to version 9.1), SNI extension
> was not validated if not present, but in Jetty 10, by default, the host name
> is validated against the host certificate, and {{400: Invalid SNI}} is thrown
> if they don't match.
> I think the right approach for Solr is to set {{sniHostCheck}} to {{false}},
> and at the most be the option to configure using jetty internal sysprops like
> [here|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/config/etc/jetty-ssl.xml#L56-L61]
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
