Re: solr is using TLS1.0

2018-11-30 Thread Jan Høydahl
Hmm, perhaps our bin/solr start scripts could set the 
com.ibm.jsse2.overrideDefaultTLS property automatically in case of IBM JVM? Or 
alternatively document this in the SSL section of the reference Guide? Anchal, 
feel free to open a JIRA and submit a patch.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 30 Nov 2018, at 06:59, Anchal Sharma2 wrote:
> 
> Hi Hendrik
> 
> This did the trick. Overriding default TLS version for IBM Java enabled TLS 
> 1.2 for solr.
> 
> Thank you Hendrik/Shawn for your help and suggestions.
> 
> Thanks & Regards,
> -
> Anchal Sharma
> 
> From: Hendrik Haddorp 
> To: solr-user@lucene.apache.org
> Date: 22-11-2018 12:53
> Subject: Re: solr is using TLS1.0
> 
> 
> 
> 
> Hi Anchal,
> 
> the IBM JVM behaves differently in the TLS setup than the Oracle JVM. If 
> you search for IBM Java TLS 1.2 you find tons of reports of problems 
> with that. In most cases you can get around that using the system 
> property "com.ibm.jsse2.overrideDefaultTLS" as documented here: 
> https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html
> 
> regards,
> Hendrik
> 
> On 22.11.2018 07:25, Anchal Sharma2 wrote:
> >
> > Hi Shawn,
> >
> > Thanks for your reply.
> >
> > Here are the details about java we are using:
> > java version "1.8.0_151"
> > IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References 
> > 20171102_369060 (JIT enabled, AOT enabled)
> > I have already patched the policy jars.
> >
> > And I tried to comment out the ciphers, protocol entries in 
> > jetty-ssl.xml, but it did not work for me. I also tried to use an 
> > "IncludeCipherSuites" entry to include a cipher I wanted to include, 
> > but it did not work either. I started getting 
> > SSL_ERROR_INTERNAL_ERROR_ALERT and ssl_error_no_cypher_overlap errors 
> > on my console URL. I tried this in solr 7.3.1 version, so jetty version 
> > must also be relatively new.
> >
> > Do you think java might not be letting me enable TLS1.2?
> >
> > Thanks & Regards,
> > -
> > Anchal Sharma
> >
> >
> > From: Shawn Heisey 
> > To: solr-user@lucene.apache.org
> > Date: 21-11-2018 05:28
> > Subject: Re: solr is using TLS1.0
> >
> > 
> >
> >
> >
> > On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:
> > > I have enabled SSL for solr using steps mentioned over Lucene
> > > website. And though solr console URL is now secure (https), it is still
> > > using TLS v1.0.
> > > I have tried few things to force SSL to use TLS1.2 protocol, but they
> > > have not worked for me.
> > >
> > > While trying to do same, I have observed solr itself does not offer any
> > > solr property to specify cipher, algorithm or TLS version.
> > >
> > > Following things have been tried:
> > > 1. key store/trust store for solr to enable SSL with different key
> > > algorithm, etc. combinations for the certificates
> > > 2. different solr versions for step 1 (solr 5.x, 6.x, 7.x - we are using solr
> > > 5.3 currently)
> > > 3. using java version 1.8 and adding solr certificate in java keystore to
> > > enforce TLS1.2
> >
> > Solr lets Java and Jetty handle TLS.  Solr itself doesn't get involved
> > except to provide information to other software.
> >
> > There are a whole lot of versions of Java 8, and at least three vendors
> > for it.  The big names are Oracle, IBM, and OpenJDK.  What vendor and
> > exact version of Java are you running? What OS is it on?  Do you have
> > the "unlimited JCE" addition installed in your Java and enabled?  If
> > your Java version is new enou
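
Jan's suggestion at the top of this message, sketched as an added example (not code from bin/solr or from anyone in this thread): a POSIX shell helper that appends `-Dcom.ibm.jsse2.overrideDefaultTLS=true` to the JVM options only when the `java -version` banner reports an IBM J9 VM and the operator has not already set the property. The function names and the two sample banners are assumptions constructed for illustration; `SOLR_OPTS` is the options variable set in solr.in.sh.

```shell
#!/bin/sh
# Added illustration: conditional IBM JSSE2 TLS override for Solr's JVM options.
# Function names below are hypothetical, not part of bin/solr.

# is_ibm_jvm BANNER
# Succeeds when the `java -version` output names an IBM J9 VM.
is_ibm_jvm() {
  printf '%s\n' "$1" | grep -q 'IBM J9 VM'
}

# add_ibm_tls_override BANNER CURRENT_OPTS
# Prints CURRENT_OPTS, with the override appended only for an IBM JVM and
# only if the property is not already present (an explicit =false is kept).
add_ibm_tls_override() {
  banner=$1
  opts=$2
  prop='com.ibm.jsse2.overrideDefaultTLS'
  if is_ibm_jvm "$banner"; then
    case "$opts" in
      *"-D$prop="*) ;;                          # operator already decided
      *) opts="${opts:+$opts }-D$prop=true" ;;  # append, no leading space
    esac
  fi
  printf '%s\n' "$opts"
}

# Constructed sample banners: the IBM one follows the version text quoted in
# this thread, the OpenJDK one is made up for contrast.
IBM_BANNER='java version "1.8.0_151"
IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References 20171102_369060 (JIT enabled, AOT enabled)'
OPENJDK_BANNER='openjdk version "1.8.0_191"
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)'

# Intended use in solr.in.sh (assumes `java` on PATH is the JVM Solr runs on):
#   SOLR_OPTS=$(add_ibm_tls_override "$(java -version 2>&1)" "$SOLR_OPTS")
```

After a restart, `openssl s_client -connect <host>:<port> -tls1_2` against the Solr HTTPS port shows whether a TLS 1.2 handshake now succeeds.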

Re: solr is using TLS1.0

2018-11-29 Thread Anchal Sharma2

Hi Hendrik

This did the trick. Overriding default TLS version for IBM Java enabled TLS
1.2 for solr.

Thank you Hendrik/Shawn for your help and suggestions.

Thanks & Regards,
-
Anchal Sharma




From:   Hendrik Haddorp 
To: solr-user@lucene.apache.org
Date:   22-11-2018 12:53
Subject:    Re: solr is using TLS1.0



Hi Anchal,

the IBM JVM behaves differently in the TLS setup than the Oracle JVM. If
you search for IBM Java TLS 1.2 you find tons of reports of problems
with that. In most cases you can get around that using the system
property "com.ibm.jsse2.overrideDefaultTLS" as documented here:
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html


regards,
Hendrik

On 22.11.2018 07:25, Anchal Sharma2 wrote:
>
> Hi Shawn,
>
> Thanks for your reply.
>
> Here are the details about java we are using:
> java version "1.8.0_151"
> IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References
> 20171102_369060 (JIT enabled, AOT enabled)
> I have already patched the policy jars.
>
> And I tried to comment out the ciphers, protocol entries in
> jetty-ssl.xml, but it did not work for me. I also tried to use an
> "IncludeCipherSuites" entry to include a cipher I wanted to include,
> but it did not work either. I started getting
> SSL_ERROR_INTERNAL_ERROR_ALERT and ssl_error_no_cypher_overlap errors
> on my console URL. I tried this in solr 7.3.1 version, so jetty version
> must also be relatively new.
>
> Do you think java might not be letting me enable TLS1.2?
>
> Thanks & Regards,
> -
> Anchal Sharma
>
>
> From: Shawn Heisey 
> To: solr-user@lucene.apache.org
> Date: 21-11-2018 05:28
> Subject: Re: solr is using TLS1.0
>
> 
>
>
>
> On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:
> > I have enabled SSL for solr using steps mentioned over Lucene
> > website. And though solr console URL is now secure (https), it is still
> > using TLS v1.0.
> > I have tried few things to force SSL to use TLS1.2 protocol, but they
> > have not worked for me.
> >
> > While trying to do same, I have observed solr itself does not offer any
> > solr property to specify cipher, algorithm or TLS version.
> >
> > Following things have been tried:
> > 1. key store/trust store for solr to enable SSL with different key
> > algorithm, etc. combinations for the certificates
> > 2. different solr versions for step 1 (solr 5.x, 6.x, 7.x - we are using solr
> > 5.3 currently)
> > 3. using java version 1.8 and adding solr certificate in java keystore to
> > enforce TLS1.2
>
> Solr lets Java and Jetty handle TLS.  Solr itself doesn't get involved
> except to provide information to other software.
>
> There are a whole lot of versions of Java 8, and at least three vendors
> for it.  The big names are Oracle, IBM, and OpenJDK.  What vendor and
> exact version of Java are you running? What OS is it on?  Do you have
> the "unlimited JCE" addition installed in your Java and enabled?  If
> your Java version is new enough, you won't need to mess with JCE.  See
> this page:
>
> https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html
>
> Solr 5.3 ships with Jetty 9.2.11, which is considered very outdated by
> the Jetty project -- released well over three years ago.  From the
> perspective of the Solr project, version 5.3 is also very old -- two
> major versions behind what's current, and also released three years ago.
>
> Jetty 9.2 is up to 9.2.26.  The current version is Jetty 9.4.14.  The
> latest version of Solr (7.5.0) is shipping with Jetty 9.4.11. I think
> Jetty will likely be upgraded to the latest release for Solr 7.6.0.
>
> Have you made any changes to the Jetty config, particularly
> jetty-ssl.xml?  One thing you might try, although I'll warn you that it
> may make no difference at all, is to remove the parts of that config
> file that exclude certain protocols and ciphers, letting Jetty decide
> for itself what it should use.  Recent versions of Jetty and Java have
> very good defaults.  I do not know whether Jetty 9.2.11 (included with
> Solr 5.3, as mentioned) has good defaults or not.
>
> Thanks,
> Shawn
>

Re: solr is using TLS1.0

2018-11-21 Thread Hendrik Haddorp

Hi Anchal,

the IBM JVM behaves differently in the TLS setup than the Oracle JVM. If 
you search for IBM Java TLS 1.2 you find tons of reports of problems 
with that. In most cases you can get around that using the system 
property "com.ibm.jsse2.overrideDefaultTLS" as documented here: 
https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html


regards,
Hendrik

On 22.11.2018 07:25, Anchal Sharma2 wrote:


> Hi Shawn,
>
> Thanks for your reply.
>
> Here are the details about java we are using:
> java version "1.8.0_151"
> IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References 
> 20171102_369060 (JIT enabled, AOT enabled)
> I have already patched the policy jars.
>
> And I tried to comment out the ciphers, protocol entries in 
> jetty-ssl.xml, but it did not work for me. I also tried to use an 
> "IncludeCipherSuites" entry to include a cipher I wanted to include, 
> but it did not work either. I started getting 
> SSL_ERROR_INTERNAL_ERROR_ALERT and ssl_error_no_cypher_overlap errors 
> on my console URL. I tried this in solr 7.3.1 version, so jetty version 
> must also be relatively new.
>
> Do you think java might not be letting me enable TLS1.2?
>
> Thanks & Regards,
> -
> Anchal Sharma



> From: Shawn Heisey 
> To: solr-user@lucene.apache.org
> Date: 21-11-2018 05:28
> Subject: Re: solr is using TLS1.0





> On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:
> > I have enabled SSL for solr using steps mentioned over Lucene
> > website. And though solr console URL is now secure (https), it is still
> > using TLS v1.0.
> > I have tried few things to force SSL to use TLS1.2 protocol, but they
> > have not worked for me.
> >
> > While trying to do same, I have observed solr itself does not offer any
> > solr property to specify cipher, algorithm or TLS version.
> >
> > Following things have been tried:
> > 1. key store/trust store for solr to enable SSL with different key
> > algorithm, etc. combinations for the certificates
> > 2. different solr versions for step 1 (solr 5.x, 6.x, 7.x - we are using solr
> > 5.3 currently)
> > 3. using java version 1.8 and adding solr certificate in java keystore to
> > enforce TLS1.2

> Solr lets Java and Jetty handle TLS.  Solr itself doesn't get involved
> except to provide information to other software.
>
> There are a whole lot of versions of Java 8, and at least three vendors
> for it.  The big names are Oracle, IBM, and OpenJDK.  What vendor and
> exact version of Java are you running? What OS is it on?  Do you have
> the "unlimited JCE" addition installed in your Java and enabled?  If
> your Java version is new enough, you won't need to mess with JCE.  See
> this page:
>
> https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html
>
> Solr 5.3 ships with Jetty 9.2.11, which is considered very outdated by
> the Jetty project -- released well over three years ago.  From the
> perspective of the Solr project, version 5.3 is also very old -- two
> major versions behind what's current, and also released three years ago.
>
> Jetty 9.2 is up to 9.2.26.  The current version is Jetty 9.4.14.  The
> latest version of Solr (7.5.0) is shipping with Jetty 9.4.11. I think
> Jetty will likely be upgraded to the latest release for Solr 7.6.0.
>
> Have you made any changes to the Jetty config, particularly
> jetty-ssl.xml?  One thing you might try, although I'll warn you that it
> may make no difference at all, is to remove the parts of that config
> file that exclude certain protocols and ciphers, letting Jetty decide
> for itself what it should use.  Recent versions of Jetty and Java have
> very good defaults.  I do not know whether Jetty 9.2.11 (included with
> Solr 5.3, as mentioned) has good defaults or not.
>
> Thanks,
> Shawn









Re: solr is using TLS1.0

2018-11-21 Thread Anchal Sharma2

Hi Shawn,

Thanks for your reply.

Here are the details about java we are using:
java version "1.8.0_151"
IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64 Compressed References
20171102_369060 (JIT enabled, AOT enabled)
I have already patched the policy jars.

And I tried to comment out the ciphers, protocol entries in
jetty-ssl.xml, but it did not work for me. I also tried to use an
"IncludeCipherSuites" entry to include a cipher I wanted to include, but it
did not work either. I started getting SSL_ERROR_INTERNAL_ERROR_ALERT and
ssl_error_no_cypher_overlap errors on my console URL. I tried this in solr
7.3.1 version, so jetty version must also be relatively new.

Do you think java might not be letting me enable TLS1.2?

Thanks & Regards,
-
Anchal Sharma




From:   Shawn Heisey 
To: solr-user@lucene.apache.org
Date:   21-11-2018 05:28
Subject:    Re: solr is using TLS1.0



On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:
> I have enabled SSL for solr using steps mentioned over Lucene
> website. And though solr console URL is now secure (https), it is still
> using TLS v1.0.
> I have tried few things to force SSL to use TLS1.2 protocol, but they
> have not worked for me.
>
> While trying to do same, I have observed solr itself does not offer any
> solr property to specify cipher, algorithm or TLS version.
>
> Following things have been tried:
> 1. key store/trust store for solr to enable SSL with different key
> algorithm, etc. combinations for the certificates
> 2. different solr versions for step 1 (solr 5.x, 6.x, 7.x - we are using solr
> 5.3 currently)
> 3. using java version 1.8 and adding solr certificate in java keystore to
> enforce TLS1.2

Solr lets Java and Jetty handle TLS.  Solr itself doesn't get involved
except to provide information to other software.

There are a whole lot of versions of Java 8, and at least three vendors
for it.  The big names are Oracle, IBM, and OpenJDK.  What vendor and
exact version of Java are you running? What OS is it on?  Do you have
the "unlimited JCE" addition installed in your Java and enabled?  If
your Java version is new enough, you won't need to mess with JCE.  See
this page:

https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html


Solr 5.3 ships with Jetty 9.2.11, which is considered very outdated by
the Jetty project -- released well over three years ago.  From the
perspective of the Solr project, version 5.3 is also very old -- two
major versions behind what's current, and also released three years ago.

Jetty 9.2 is up to 9.2.26.  The current version is Jetty 9.4.14.  The
latest version of Solr (7.5.0) is shipping with Jetty 9.4.11.  I think
Jetty will likely be upgraded to the latest release for Solr 7.6.0.

Have you made any changes to the Jetty config, particularly
jetty-ssl.xml?  One thing you might try, although I'll warn you that it
may make no difference at all, is to remove the parts of that config
file that exclude certain protocols and ciphers, letting Jetty decide
for itself what it should use.  Recent versions of Jetty and Java have
very good defaults.  I do not know whether Jetty 9.2.11 (included with
Solr 5.3, as mentioned) has good defaults or not.

Thanks,
Shawn






Re: solr is using TLS1.0

2018-11-20 Thread Shawn Heisey

On 11/20/2018 3:02 AM, Anchal Sharma2 wrote:

> I have enabled SSL for solr using steps mentioned over Lucene
> website. And though solr console URL is now secure (https), it is still
> using TLS v1.0.
> I have tried few things to force SSL to use TLS1.2 protocol, but they
> have not worked for me.
>
> While trying to do same, I have observed solr itself does not offer any
> solr property to specify cipher, algorithm or TLS version.
>
> Following things have been tried:
> 1. key store/trust store for solr to enable SSL with different key
> algorithm, etc. combinations for the certificates
> 2. different solr versions for step 1 (solr 5.x, 6.x, 7.x - we are using solr
> 5.3 currently)
> 3. using java version 1.8 and adding solr certificate in java keystore to
> enforce TLS1.2


Solr lets Java and Jetty handle TLS.  Solr itself doesn't get involved 
except to provide information to other software.


There are a whole lot of versions of Java 8, and at least three vendors 
for it.  The big names are Oracle, IBM, and OpenJDK.  What vendor and 
exact version of Java are you running? What OS is it on?  Do you have 
the "unlimited JCE" addition installed in your Java and enabled?  If 
your Java version is new enough, you won't need to mess with JCE.  See 
this page:


https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html

Solr 5.3 ships with Jetty 9.2.11, which is considered very outdated by 
the Jetty project -- released well over three years ago.  From the 
perspective of the Solr project, version 5.3 is also very old -- two 
major versions behind what's current, and also released three years ago.


Jetty 9.2 is up to 9.2.26.  The current version is Jetty 9.4.14.  The 
latest version of Solr (7.5.0) is shipping with Jetty 9.4.11.  I think 
Jetty will likely be upgraded to the latest release for Solr 7.6.0.


Have you made any changes to the Jetty config, particularly 
jetty-ssl.xml?  One thing you might try, although I'll warn you that it 
may make no difference at all, is to remove the parts of that config 
file that exclude certain protocols and ciphers, letting Jetty decide 
for itself what it should use.  Recent versions of Jetty and Java have 
very good defaults.  I do not know whether Jetty 9.2.11 (included with 
Solr 5.3, as mentioned) has good defaults or not.


Thanks,
Shawn