[ 
https://issues.apache.org/jira/browse/SOLR-16963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17764767#comment-17764767
 ] 

ASF subversion and git services commented on SOLR-16963:
--------------------------------------------------------

Commit 3cd7f542a54bf7f76dc1fb6b499f0da04f8e9e2f in solr's branch 
refs/heads/branch_9x from Houston Putman
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=3cd7f542a54 ]

SOLR-16963: Fix usage of clientHostnameVerification (#1916)

- It no longer overrides the checkPeerName option
- It once again acts as a server setting to check the client
  hostname against the client certificate

(cherry picked from commit 901e0debc381f988373a6d9c09ca47341dda05fb)


> verifyClientHostName is used incorrectly
> ----------------------------------------
>
>                 Key: SOLR-16963
>                 URL: https://issues.apache.org/jira/browse/SOLR-16963
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: http2, SolrJ
>    Affects Versions: 8.4.1
>            Reporter: Houston Putman
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Since SOLR-14163, the {{solr.jetty.ssl.verifyClientHostName}} and 
> {{solr.ssl.checkPeerName}} options have done the exact same thing in the 
> {{Http2SolrClient}}, which is to control the 
> {{EndpointIdentificationAlgorithm}}. 
> Since {{solr.jetty.ssl.verifyClientHostName}} is checked second, that is 
> actually the setting that is used to determine the 
> {{EndpointIdentificationAlgorithm}}, so {{solr.ssl.checkPeerName}} is 
> actually ignored.
> Going forward I suggest that we stop our use of 
> {{solr.jetty.ssl.verifyClientHostname}}, because it was added after 
> {{solr.ssl.checkPeerName}} and its name is less correct. The 
> endpointIdentificationAlgorithm doesn't do any verification of the client's 
> hostname. That's an mTLS option, and is server-side.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
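
Added example, not code from Solr or from this issue: a JDK-only model of the precedence problem the description reports, where two properties write the same endpoint identification setting and the one read second wins, next to handling in which only solr.ssl.checkPeerName drives the client-side check. The class and method names, the default of "true" for both properties, and the sample values in main are assumptions of this example.

```java
import java.util.Properties;
import javax.net.ssl.SSLParameters;

public class PeerNameSettingDemo {
    // Property names as spelled in the issue text.
    static final String CHECK_PEER_NAME = "solr.ssl.checkPeerName";
    static final String VERIFY_CLIENT_HOSTNAME = "solr.jetty.ssl.verifyClientHostName";

    // "HTTPS" makes the JDK match the peer certificate against the host name
    // being connected to; null switches that match off.
    static void apply(SSLParameters params, String enabled) {
        params.setEndpointIdentificationAlgorithm(Boolean.parseBoolean(enabled) ? "HTTPS" : null);
    }

    // Behaviour reported in the issue: both properties set the same field and
    // the one read second decides. The "true" defaults are assumptions.
    static SSLParameters reportedBehaviour(Properties p) {
        SSLParameters params = new SSLParameters();
        apply(params, p.getProperty(CHECK_PEER_NAME, "true"));
        apply(params, p.getProperty(VERIFY_CLIENT_HOSTNAME, "true")); // overwrites the line above
        return params;
    }

    // Client-side handling where only checkPeerName controls the algorithm.
    static SSLParameters clientSideOnly(Properties p) {
        SSLParameters params = new SSLParameters();
        apply(params, p.getProperty(CHECK_PEER_NAME, "true"));
        return params;
    }

    // Configuration check: true when the two properties disagree, i.e. when the
    // reported behaviour gives a different result from what checkPeerName asks for.
    static boolean settingsConflict(Properties p) {
        String reported = reportedBehaviour(p).getEndpointIdentificationAlgorithm();
        String intended = clientSideOnly(p).getEndpointIdentificationAlgorithm();
        return reported == null ? intended != null : !reported.equals(intended);
    }

    public static void main(String[] args) {
        Properties p = new Properties(); // constructed sample configuration
        p.setProperty(CHECK_PEER_NAME, "true");
        p.setProperty(VERIFY_CLIENT_HOSTNAME, "false");
        System.out.println("reported:    " + reportedBehaviour(p).getEndpointIdentificationAlgorithm());
        System.out.println("client-only: " + clientSideOnly(p).getEndpointIdentificationAlgorithm());
        System.out.println("conflict:    " + settingsConflict(p));
    }
}
```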