Houston Putman created SOLR-16963:
-------------------------------------

             Summary: Conflicting SSL options for Http2SolrClient TLS
                 Key: SOLR-16963
                 URL: https://issues.apache.org/jira/browse/SOLR-16963
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
          Components: http2, SolrJ
    Affects Versions: 8.4.1
            Reporter: Houston Putman


Since [SOLR-14163|https://github.com/apache/lucene-solr/pull/1147/files#top], 
the {{solr.jetty.ssl.verifyClientHostName}} and {{solr.ssl.checkPeerName}} 
options have done the exact same thing in the {{Http2SolrClient}}, which is 
to control the {{EndpointIdentificationAlgorithm}}. 

Since {{solr.jetty.ssl.verifyClientHostName}} is checked second, that is 
actually the setting that is used to determine the 
{{EndpointIdentificationAlgorithm}}, so {{solr.ssl.checkPeerName}} is 
actually ignored.

Going forward I suggest that we stop our use of 
{{solr.jetty.ssl.verifyClientHostName}}, because it was added after 
{{solr.ssl.checkPeerName}} and its name is less correct. The 
endpointIdentificationAlgorithm doesn't do any verification of the client's 
hostname. That's an mTLS option, and is server-side.



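
The precedence described in this issue, modelled as an added Java example (not Solr's or SolrJ's code, and not part of the original message): both properties write the same JSSE endpoint identification setting, and the later write wins. The value formats (a boolean for solr.ssl.checkPeerName, an algorithm name for solr.jetty.ssl.verifyClientHostName), the "set only when present" behaviour, and the class and method names are assumptions.

```java
import java.util.Objects;
import java.util.Properties;
import javax.net.ssl.SSLParameters;

/** Added illustration: a model of the precedence in the issue, not Solr's source. */
public class EndpointIdConflictCheck {
    static final String CHECK_PEER_NAME = "solr.ssl.checkPeerName";
    static final String VERIFY_CLIENT_HOSTNAME = "solr.jetty.ssl.verifyClientHostName";

    /** Assumed format: boolean-like string; true requests the "HTTPS" algorithm. */
    static String fromCheckPeerName(String value) {
        return Boolean.parseBoolean(value) ? "HTTPS" : null;
    }

    /** Assumed format: an algorithm name; empty means no endpoint identification. */
    static String fromVerifyClientHostName(String value) {
        return value.isEmpty() ? null : value;
    }

    /** Applies both properties in the order the issue describes; the second write wins. */
    static SSLParameters resolve(Properties props) {
        SSLParameters params = new SSLParameters();
        String first = props.getProperty(CHECK_PEER_NAME);
        String second = props.getProperty(VERIFY_CLIENT_HOSTNAME);
        if (first != null) {
            params.setEndpointIdentificationAlgorithm(fromCheckPeerName(first));
        }
        if (second != null) {
            String algorithm = fromVerifyClientHostName(second);
            // Flag the case where the two options disagree and the first is silently dropped.
            if (first != null && !Objects.equals(algorithm, fromCheckPeerName(first))) {
                System.err.println("WARN: " + VERIFY_CLIENT_HOSTNAME
                        + " overrides " + CHECK_PEER_NAME);
            }
            params.setEndpointIdentificationAlgorithm(algorithm);
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample: peer-name checking is requested, but the second
        // property carries an empty algorithm name.
        Properties props = new Properties();
        props.setProperty(CHECK_PEER_NAME, "true");
        props.setProperty(VERIFY_CLIENT_HOSTNAME, "");
        // A null algorithm means JSSE does no hostname check on the server certificate.
        System.out.println("effective algorithm: "
                + resolve(props).getEndpointIdentificationAlgorithm());
    }
}
```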