[
https://issues.apache.org/jira/browse/SOLR-16963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Houston Putman updated SOLR-16963:
----------------------------------
Description:
Since SOLR-14163, the {{solr.jetty.ssl.verifyClientHostName}} and
{{solr.ssl.checkPeerName}} options have done the exact same thing in the
{{{}Http2SolrClient{}}}, which is control the
{{{}EndpointIdentificationAlgorithm{}}}.
Since {{solr.jetty.ssl.verifyClientHostName}} is checked second, that is
actually the setting that is used to determine the
{{{}EndpointIdentificationAlgorithm{}}}, so {{solr.ssl.checkPeerName}} is
actually ignored.
Going forward I suggest that we stop our use of
{{{}solr.jetty.ssl.verifyClientHostname{}}}, because it was added after
{{solr.ssl.checkPeerName}} and its name is less correct. The
endpointIdentificationAlgorithm doesn't do any verification of the client's
hostname. That's a mTLS option, and is server-side.
was:
Since [SOLR-14163|https://github.com/apache/lucene-solr/pull/1147/files#top],
the {{solr.jetty.ssl.verifyClientHostName}} and {{solr.ssl.checkPeerName}}
options have done the exact same thing in the {{{}Http2SolrClient{}}}, which is
control the {{{}EndpointIdentificationAlgorithm{}}}.
Since {{solr.jetty.ssl.verifyClientHostName}} is checked second, that is
actually the setting that is used to determine the
{{{}EndpointIdentificationAlgorithm{}}}, so {{solr.ssl.checkPeerName}} is
actually ignored.
Going forward I suggest that we stop our use of
{{{}solr.jetty.ssl.verifyClientHostname{}}}, because it was added after
{{solr.ssl.checkPeerName}} and its name is less correct. The
endpointIdentificationAlgorithm doesn't do any verification of the client's
hostname. That's a mTLS option, and is server-side.
> Conflicting SSL options for Http2SolrClient TLS
> -----------------------------------------------
>
> Key: SOLR-16963
> URL: https://issues.apache.org/jira/browse/SOLR-16963
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: http2, SolrJ
> Affects Versions: 8.4.1
> Reporter: Houston Putman
> Priority: Major
>
> Since SOLR-14163, the {{solr.jetty.ssl.verifyClientHostName}} and
> {{solr.ssl.checkPeerName}} options have done the exact same thing in the
> {{{}Http2SolrClient{}}}, which is control the
> {{{}EndpointIdentificationAlgorithm{}}}.
> Since {{solr.jetty.ssl.verifyClientHostName}} is checked second, that is
> actually the setting that is used to determine the
> {{{}EndpointIdentificationAlgorithm{}}}, so {{solr.ssl.checkPeerName}} is
> actually ignored.
> Going forward I suggest that we stop our use of
> {{{}solr.jetty.ssl.verifyClientHostname{}}}, because it was added after
> {{solr.ssl.checkPeerName}} and its name is less correct. The
> endpointIdentificationAlgorithm doesn't do any verification of the client's
> hostname. That's a mTLS option, and is server-side.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
