Re: Question regarding TLS version for solr
Anchal,

On 5/24/18 6:02 AM, Anchal Sharma2 wrote:
> Thanks a lot for sharing the steps. I tried a few of them. Actually,
> we have already been using solr in our application for a year or
> so. We just want to encrypt it to use secure solr now. So, I
> followed the steps where you have created the certificates, etc.
> But when I go to start solr back up, it doesn't start. We are
> using zookeeper. Following is the error I get on running the solr
> start command.
>
> Command: ./solr -c -m 1g -p 8984 -z :2181 -s folder containing data>
>
> Error:
>
> lsof 4.55 (latest revision at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof)
> usage: [-?abhlnNoOPRstUvVX] [-c c] [+|-d s] [+|-D D] [+|-f[cfgGn]]
>  [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [-m m] [+|-M] [-o [o]] [-p s]
>  [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [--] [names]
> Use the ``-h'' option to get more help information.
> Still not seeing Solr listening on 8984 after 30 seconds!
>         at java.security.KeyStore.load(KeyStore.java:1456)
>         at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:871)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:273)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>         at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>         at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:256)
>         at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>         at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:366)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1255)
>         at java.security.AccessController.doPrivileged(AccessController.java:594)
>         at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1174)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>         at java.lang.reflect.Method.invoke(Method.java:508)
>         at org.eclipse.jetty.start.Main.invokeMain(Main.java:321)
>         at org.eclipse.jetty.start.Main.start(Main.java:817)
>         at org.eclipse.jetty.start.Main.main(Main.java:112)
> 2018-05-24 09:05:16.714 INFO (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [ ] o.a.s.c.c.ZkStateReader A cluster state change: WatchedEvent state:SyncConnected type:NodeDataChanged path:/clusterstate.json, has occurred - updating... (live nodes size: 1)
> 2018-05-24 09:05:17.018 INFO (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [ ] o.a.s.c.c.ZkStateReader Updated cluster state version to 9702
> 2018-05-24 09:05:17.153 INFO (coreLoadExecutor-7-thread-2-processing-n:9.109.122.113:8984_solr) [c:document r:core_node1 x:document] o.a.s.u.SolrIndexConfig IndexWriter infoStream solr logging is enabled
> [\] sleep: bad character in argument

What does the solr.log file say? The above stack trace isn't terribly
helpful, and it's incomplete.

-chris
Re: Question regarding TLS version for solr
Hi Chris,

Thanks a lot for sharing the steps. I tried a few of them. Actually, we have already been using solr in our application for a year or so. We just want to encrypt it to use secure solr now. So, I followed the steps where you have created the certificates, etc. But when I go to start solr back up, it doesn't start. We are using zookeeper. Following is the error I get on running the solr start command.

Command: ./solr -c -m 1g -p 8984 -z :2181 -s

Error:

lsof 4.55 (latest revision at ftp://vic.cc.purdue.edu/pub/tools/unix/lsof)
usage: [-?abhlnNoOPRstUvVX] [-c c] [+|-d s] [+|-D D] [+|-f[cfgGn]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [-m m] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [--] [names]
Use the ``-h'' option to get more help information.
Still not seeing Solr listening on 8984 after 30 seconds!
        at java.security.KeyStore.load(KeyStore.java:1456)
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:871)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:273)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:256)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.server.Server.doStart(Server.java:366)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1255)
        at java.security.AccessController.doPrivileged(AccessController.java:594)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1174)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:321)
        at org.eclipse.jetty.start.Main.start(Main.java:817)
        at org.eclipse.jetty.start.Main.main(Main.java:112)
2018-05-24 09:05:16.714 INFO (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [ ] o.a.s.c.c.ZkStateReader A cluster state change: WatchedEvent state:SyncConnected type:NodeDataChanged path:/clusterstate.json, has occurred - updating... (live nodes size: 1)
2018-05-24 09:05:17.018 INFO (zkCallback-3-thread-1-processing-n:9.109.122.113:8984_solr) [ ] o.a.s.c.c.ZkStateReader Updated cluster state version to 9702
2018-05-24 09:05:17.153 INFO (coreLoadExecutor-7-thread-2-processing-n:9.109.122.113:8984_solr) [c:document r:core_node1 x:document] o.a.s.u.SolrIndexConfig IndexWriter infoStream solr logging is enabled
[\] sleep: bad character in argument

Thanks & Regards,
Anchal Sharma
e-Pricer Development
ES Team
Mobile: +9871290248
Re: Question regarding TLS version for solr
Anchal,

On 5/23/18 2:38 AM, Anchal Sharma2 wrote:
> Thank you for replying. But I checked the java version solr is using,
> and it is already version 1.8.
>
> @Christopher, can you let me know what steps you followed for TLS
> authentication on solr version 7.3.0.

Sure. Here are my deployment notes. You may have to adjust them
slightly for your environment. Note that we are using standalone Solr
without any Zookeeper, clustering, etc. This is just about configuring
a single instance.

Also, this guide says 7.3.0, but 7.3.1 would be better as it contains a
fix for a CVE.

=== CUT ===

Instructions for installing Solr and working with Cores

Installation
------------

Installing Solr is fairly simple. One can simply untar the distribution
tarball and work from that directory, but it is better to install it in
a somewhat more centralized place with a separate data directory to
facilitate upgrades, etc.

1. Obtain the distribution tarball

   Go to https://lucene.apache.org/solr/mirrors-solr-latest-redir.html
   and obtain the latest supported version of Solr (7.3.0 as of this
   writing).

2. Untar the archive

   $ tar xzf solr-x.y.z.tgz

3. Install Solr

   $ cd solr-x.y.z
   $ sudo bin/install_solr_service.sh ../solr-x.y.z.tgz \
       -i /usr/local \
       -d /mnt/securefs/solr \
       -n

   (that last -n says "don't start Solr")

4. Configure Solr Settings

   Edit the file /etc/default/solr.in.sh

   Settings you may want to explicitly set:

   SOLR_JAVA_HOME=(java home)
   SOLR_HEAP="1024M"

5. Configure Solr for TLS

   Create a server key and certificate:

   $ sudo mkdir /etc/solr
   $ sudo keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 -validity 730 \
       -alias 'solr-ssl' -keystore /etc/solr/solr.p12 -storetype PKCS12 \
       -ext san=dns:localhost,ip:192.168.10.20

   Use the following information for the certificate:

   First and Last name: 192.168.10.20 (or "localhost", or your IP address)
   Org unit: [whatever]
   Everything else should be obvious

   Now, export the public key from the keystore.

   $ sudo /usr/local/java-8/bin/keytool -list -rfc -keystore /etc/solr/solr.p12 -storetype PKCS12 -alias solr-ssl

   Copy that certificate and paste it into this command's stdin:

   $ sudo keytool -importcert -keystore /etc/solr/solr-server.p12 -storetype PKCS12 -alias 'solr-ssl'

   Now, fix the ownership and permissions on these files:

   $ sudo chown root:solr /etc/solr/solr.p12 /etc/solr/solr-server.p12
   $ sudo chmod 0640 /etc/solr/solr.p12

   Edit the file /etc/default/solr.in.sh

   Set the following settings:

   SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
   SOLR_SSL_KEY_STORE_TYPE=PKCS12
   SOLR_SSL_KEY_STORE_PASSWORD=whatever

   # You MUST set the trust store for some reason.
   SOLR_SSL_TRUST_STORE=/etc/solr/solr-server.p12
   SOLR_SSL_TRUST_STORE_TYPE=PKCS12
   SOLR_SSL_TRUST_STORE_PASSWORD=whatever

   Then, patch the file bin/post; you are going to need this, later.

- --- bin/post2017-09-03 13:29:15.0 -0400 +++ /usr/local/solr/bin/post2018-04-11 20:08:17.0 -0400 
@@ -231,8 +231,8 @@ PROPS+=('-Drecursive=yes') fi - -echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" org.apache.solr.util.SimplePostTool "${PARAMS[@]}" - -"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" org.apache.solr.util.SimplePostTool "${PARAMS[@]}" +echo "$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" ${SOLR_POST_OPTS} org.apache.solr.util.SimplePostTool "${PARAMS[@]}" +"$JAVA" -classpath "${TOOL_JAR[0]}" "${PROPS[@]}" ${SOLR_POST_OPTS} org.apache.solr.util.SimplePostTool "${PARAMS[@]}"

6. Configure Solr to Require Client TLS Certificates

   On each client, create a client key and certificate:

   $ keytool -genkey -keyalg EC -sigalg SHA256withECDSA -keysize 256 \
       -validity 730 -alias 'solr-client-ssl'

   Now dump the certificate for the next step:

   $ keytool -exportcert -keystore [client-key-store] -storetype PKCS12 \
       -alias 'solr-client-ssl'

   Don't forget that you might want to generate your own client
   certificate to use from your own web browser if you want to be able
   to connect to the server's dashboard.

   Use the output of that command on each client to put the cert(s)
   into this trust store on the server:

   $ sudo keytool -importcert -keystore /etc/solr/solr-trusted-clients.p12 \
       -storetype PKCS12 -alias '[client key alias]'

   Edit /etc/default/solr.in.sh and add the following entries:

   SOLR_SSL_NEED_CLIENT_AUTH=true
   SOLR_SSL_TRUST_STORE=/etc/solr/solr-trusted-clients.p12
   SOLR_SSL_TRUST_STORE_TYPE=PKCS12
   SOLR_SSL_TRUST_STORE_PASSWORD=whatever

Summary of Files in /etc/solr
-----------------------------

solr-client.p12
   Client keystore. Contains client key and certificate. Used by clients to
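
Review bot: On both added lines of the bin/post hunk, ${SOLR_POST_OPTS} is expanded unquoted, so its value is word-split and glob-expanded before it reaches java, and the echo line prints it in full. The splitting is presumably what lets the variable carry several -D options, but an option value containing a space (a key store path, say) will be broken into separate arguments, and if the variable is used to pass store passwords as -D properties they end up on the terminal and in any captured output every time the script runs. Consider leaving the variable out of the echo line or masking password properties there, and add a line to the script's usage text saying what SOLR_POST_OPTS is for and that it is split on whitespace.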
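
A pre-restart check of the settings from steps 5 and 6, as an added example (not part of the original message and not Solr's own tooling): it reads a solr.in.sh-style file without sourcing it and reports a world-readable key store or settings file, a missing trust store, client authentication left off, and SOLR_SSL_* keys assigned twice with different values. The function names are hypothetical, and the sample file is constructed in a temporary directory.

```shell
# Added example: lint the SOLR_SSL_* settings of a solr.in.sh-style file.
# The file is parsed with awk, never sourced, so the audit runs no code from it.
# Effective value of key $2 in file $1 (the last assignment wins, as in the shell).
solr_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line); eq = index(line, "=") }
        eq > 0 && substr(line, 1, eq - 1) == key {
            val = substr(line, eq + 1)
            sub(/[ \t]+#.*$/, "", val); gsub(/^"|"$/, "", val)
        }
        END { if (val != "") print val }' "$1"
}

# SOLR_SSL_* keys in file $1 that are assigned more than once with different values.
solr_conflicts() {
    awk '
        /^[ \t]*#/ { next }
        match($0, /^[ \t]*SOLR_SSL_[A-Z_]+=/) {
            key = substr($0, RSTART, RLENGTH - 1); gsub(/[ \t]/, "", key)
            val = substr($0, RSTART + RLENGTH)
            if ((key in seen) && seen[key] != val && !(key in told)) { print key; told[key] = 1 }
            seen[key] = val
        }' "$1"
}

# True when file $1 grants read permission to "other".
world_readable() { [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]; }
finding() { echo "FINDING: $*"; rc=1; }   # record one problem

# Print one FINDING line per problem in file $1; exit status is 1 if any were found.
audit_solr_tls() {
    conf=$1; rc=0
    ks=$(solr_setting "$conf" SOLR_SSL_KEY_STORE)
    if [ -z "$ks" ]; then finding "SOLR_SSL_KEY_STORE is not set"
    elif [ ! -f "$ks" ]; then finding "key store $ks does not exist"
    elif world_readable "$ks"; then finding "key store $ks (private key) is world-readable"
    fi
    [ -n "$(solr_setting "$conf" SOLR_SSL_TRUST_STORE)" ] ||
        finding "SOLR_SSL_TRUST_STORE is not set"
    [ "$(solr_setting "$conf" SOLR_SSL_NEED_CLIENT_AUTH)" = "true" ] ||
        finding "SOLR_SSL_NEED_CLIENT_AUTH is not true, so client certificates are not required"
    for key in $(solr_conflicts "$conf"); do
        finding "$key is assigned twice; effective value: $(solr_setting "$conf" "$key")"
    done
    if grep -Eq '^[[:space:]]*SOLR_SSL_[A-Z_]*PASSWORD=' "$conf" && world_readable "$conf"; then
        finding "$conf holds store passwords and is world-readable"
    fi
    return "$rc"
}

# Constructed sample: a temp directory stands in for /etc/solr and /etc/default, and the
# step 5 and step 6 settings are both present in one file, as they are after both steps.
write_sample() {
    : > "$1/solr.p12"; chmod 0644 "$1/solr.p12"   # dummy key store, deliberately too open
    cat > "$1/solr.in.sh" <<EOF
SOLR_SSL_KEY_STORE=$1/solr.p12
SOLR_SSL_KEY_STORE_PASSWORD=whatever
SOLR_SSL_TRUST_STORE=$1/solr-server.p12
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_TRUST_STORE=$1/solr-trusted-clients.p12
SOLR_SSL_TRUST_STORE_TYPE=PKCS12
EOF
    chmod 0644 "$1/solr.in.sh"
}

demo_dir=$(mktemp -d); write_sample "$demo_dir"
audit_solr_tls "$demo_dir/solr.in.sh" || true; rm -rf "$demo_dir"
```

On the constructed sample the audit reports the open key store, the second SOLR_SSL_TRUST_STORE assignment overriding the first, and the readable settings file that holds the store passwords.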
Re: Question regarding TLS version for solr
Hi Christopher / Shawn,

Thank you for replying. But I checked the java version solr is using, and it is already version 1.8.

@Christopher, can you let me know what steps you followed for TLS authentication on solr version 7.3.0.

Thanks & Regards,
Anchal Sharma
e-Pricer Development
ES Team
Mobile: +9871290248
Re: Question regarding TLS version for solr
Shawn,

On 5/17/18 4:23 AM, Shawn Heisey wrote:
> On 5/17/2018 1:53 AM, Anchal Sharma2 wrote:
>> We are using solr version 5.3.0 and have been trying to enable
>> security on our solr. We followed the steps mentioned on the site
>> https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html. But
>> by default it picks TLS version 1.0, which is causing an issue
>> as our application uses TLSv 1.2. We tried using online resources,
>> but could not find anything regarding TLS enablement for solr.
>>
>> It will be a huge help if anyone can provide some suggestions as
>> to how we can enable TLS v 1.2 for solr.
>
> The choice of ciphers and encryption protocols is mostly made by
> Java. The servlet container might influence it as well. The only
> servlet container that is supported since Solr 5.0 is the Jetty
> that is bundled in the Solr download.
>
> TLS 1.2 was added in Java 7, and it became default in Java 8. If
> you can install the latest version of Java 8 and make sure that it
> has the policy files for unlimited crypto strength installed,
> support for TLS 1.2 might happen automatically.

There is no "default" TLS version for either the client or the server:
the two endpoints always negotiate the highest mutual version they both
support. The key agreement, authentication, and cipher suites are the
items that are negotiated during the handshake.

> Solr 5.3.0 is running a fairly old version of Jetty -- 9.2.11.
> Information for 9.2.x versions is hard to find, so although I think
> it probably CAN do TLS 1.2 if the Java version supports it, I can't
> be absolutely sure. You'll need to upgrade Solr to get an upgraded
> Jetty.

I would be shocked if Jetty ships with its own crypto libraries; it
should be using JSSE.

Anchal,

Java 1.7 or later is an absolute requirement if you want to use TLSv1.2
(and you SHOULD want to use it).

I have recently spent a lot of time getting Solr 7.3.0 running with TLS
mutual-authentication, but I haven't worked with the 5.3.x line. I can
tell you how I've done things for my version, but they may need some
adjustments for yours.

-chris
Re: Question regarding TLS version for solr
On 5/17/2018 1:53 AM, Anchal Sharma2 wrote:
> We are using solr version 5.3.0 and have been trying to enable
> security on our solr. We followed the steps mentioned on the site
> https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html. But
> by default it picks TLS version 1.0, which is causing an issue
> as our application uses TLSv 1.2. We tried using online resources,
> but could not find anything regarding TLS enablement for solr.
>
> It will be a huge help if anyone can provide some suggestions as
> to how we can enable TLS v 1.2 for solr.

The choice of ciphers and encryption protocols is mostly made by Java. The servlet container might influence it as well. The only servlet container that is supported since Solr 5.0 is the Jetty that is bundled in the Solr download.

TLS 1.2 was added in Java 7, and it became default in Java 8. If you can install the latest version of Java 8 and make sure that it has the policy files for unlimited crypto strength installed, support for TLS 1.2 might happen automatically.

Solr 5.3.0 is running a fairly old version of Jetty -- 9.2.11. Information for 9.2.x versions is hard to find, so although I think it probably CAN do TLS 1.2 if the Java version supports it, I can't be absolutely sure. You'll need to upgrade Solr to get an upgraded Jetty.

Thanks,
Shawn
Question regarding TLS version for solr
Hi All,

We are using solr version 5.3.0 and have been trying to enable security on our solr. We followed the steps mentioned on the site https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html. But by default it picks TLS version 1.0, which is causing an issue as our application uses TLSv 1.2. We tried using online resources, but could not find anything regarding TLS enablement for solr.

It will be a huge help if anyone can provide some suggestions as to how we can enable TLS v 1.2 for solr.

Thanks & Regards,
Anchal Sharma