[
https://issues.apache.org/jira/browse/SOLR-16963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17762796#comment-17762796
]
Houston Putman commented on SOLR-16963:
---------------------------------------
I'm not sure how fixing this would be back-compat, other than removing
{{{}solr.ssl.checkPeerName{}}}, since that hasn't actually been used since 8.4.
> Conflicting SSL options for Http2SolrClient TLS
> -----------------------------------------------
>
> Key: SOLR-16963
> URL: https://issues.apache.org/jira/browse/SOLR-16963
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: http2, SolrJ
> Affects Versions: 8.4.1
> Reporter: Houston Putman
> Priority: Major
>
> Since [SOLR-14163|https://github.com/apache/lucene-solr/pull/1147/files#top],
> the {{solr.jetty.ssl.verifyClientHostName}} and {{solr.ssl.checkPeerName}}
> options have done the exact same thing in the {{{}Http2SolrClient{}}}, which
> is control the {{{}EndpointIdentificationAlgorithm{}}}.
> Since {{solr.jetty.ssl.verifyClientHostName}} is checked second, that is
> actually the setting that is used to determine the
> {{{}EndpointIdentificationAlgorithm{}}}, so {{solr.ssl.checkPeerName}} is
> actually ignored.
> Going forward I suggest that we stop our use of
> {{{}solr.jetty.ssl.verifyClientHostname{}}}, because it was added after
> {{solr.ssl.checkPeerName}} and its name is less correct. The
> endpointIdentificationAlgorithm doesn't do any verification of the client's
> hostname. That's a mTLS option, and is server-side.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
