[
https://issues.apache.org/jira/browse/SOLR-16963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17763791#comment-17763791
]
Houston Putman commented on SOLR-16963:
---------------------------------------
We should backport this to 8.11.3
> Conflicting SSL options for Http2SolrClient TLS
> -----------------------------------------------
>
> Key: SOLR-16963
> URL: https://issues.apache.org/jira/browse/SOLR-16963
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: http2, SolrJ
> Affects Versions: 8.4.1
> Reporter: Houston Putman
> Priority: Major
>
> Since SOLR-14163, the {{solr.jetty.ssl.verifyClientHostName}} and
> {{solr.ssl.checkPeerName}} options have done the exact same thing in the
> {{Http2SolrClient}}, which is to control the
> {{EndpointIdentificationAlgorithm}}.
>
> Since {{solr.jetty.ssl.verifyClientHostName}} is checked second, that is
> actually the setting that is used to determine the
> {{EndpointIdentificationAlgorithm}}, so {{solr.ssl.checkPeerName}} is
> actually ignored.
>
> Going forward I suggest that we stop our use of
> {{solr.jetty.ssl.verifyClientHostName}}, because it was added after
> {{solr.ssl.checkPeerName}} and its name is less correct. The
> endpointIdentificationAlgorithm doesn't do any verification of the client's
> hostname. That's an mTLS option, and is server-side.
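
The precedence problem described in the issue, as an added example that is not Solr's code: a JDK-only model in which both properties write the same `SSLParameters` field and the one read second wins, plus a startup audit that flags disagreeing values. The class and method names are hypothetical, and the model assumes an unset property leaves the algorithm untouched; Solr's actual defaults are not stated on this page.

```java
import java.util.Properties;
import javax.net.ssl.SSLParameters;

public class EndpointIdAudit {
    // Property names as given in the issue text.
    static final String CHECK_PEER_NAME = "solr.ssl.checkPeerName";
    static final String VERIFY_CLIENT_HOSTNAME = "solr.jetty.ssl.verifyClientHostName";

    // Model of the reported behaviour: each property, when set, overwrites the
    // endpoint identification algorithm, so the one read second decides.
    // Assumption: an unset property leaves the current value unchanged.
    static SSLParameters applyInReportedOrder(Properties props) {
        SSLParameters params = new SSLParameters();
        for (String key : new String[] {CHECK_PEER_NAME, VERIFY_CLIENT_HOSTNAME}) {
            String value = props.getProperty(key);
            if (value != null) {
                // "HTTPS" enables hostname verification; null disables it.
                params.setEndpointIdentificationAlgorithm(
                        Boolean.parseBoolean(value) ? "HTTPS" : null);
            }
        }
        return params;
    }

    // Audit: report when the two properties are both set and disagree, because
    // the first one is then silently ignored.
    static String audit(Properties props) {
        String peer = props.getProperty(CHECK_PEER_NAME);
        String client = props.getProperty(VERIFY_CLIENT_HOSTNAME);
        if (peer != null && client != null
                && Boolean.parseBoolean(peer) != Boolean.parseBoolean(client)) {
            return "CONFLICT: " + CHECK_PEER_NAME + "=" + peer
                    + " is overridden by " + VERIFY_CLIENT_HOSTNAME + "=" + client;
        }
        return "OK";
    }

    public static void main(String[] args) {
        // Constructed sample configuration: the operator asks for peer name
        // checking, but the second property turns it off.
        Properties sample = new Properties();
        sample.setProperty(CHECK_PEER_NAME, "true");
        sample.setProperty(VERIFY_CLIENT_HOSTNAME, "false");

        SSLParameters effective = applyInReportedOrder(sample);
        System.out.println("effective algorithm: "
                + effective.getEndpointIdentificationAlgorithm());
        System.out.println(audit(sample));
    }
}
```

Passing `System.getProperties()` to `audit` runs the same check against the JVM's own settings.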