Shawn,
On 6/1/18 5:25 PM, Shawn Heisey wrote:
> On 6/1/2018 2:01 PM, Kelly Rusk wrote:
>> We have solr1.com and solr2.com self-signed certs that correspond to the two servers. We also have a load balancer with an address named solrlb.com. When we hit the load balancer it gives us an SSL error, as it is passing us back to either solr1.com or solr2.com, but since these two Solr servers only have each other's self-signed cert installed in their keystore, it doesn't resolve when it comes in through the load-balanced address of solrlb.com.
>>
>> We tried a SAN certificate that has all 3 addresses, but when we do this, we get the following error:
>>
>> This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://b-win-solr-01.azure-dfa.com:8983 again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
>
> One really important question is whether the load balancer acts as a pure TCP proxy, or whether the load balancer is configured with a certificate and handles HTTPS itself.
>
> If the load balancer is handling HTTPS, it's very likely that the load balancer either cannot use modern TLS protocols and/or ciphers, or that it has the modern protocols/ciphers turned off. There's probably nothing that we can do to help you in this situation. You will need to find support for your load balancer.
>
> If the load balancer is just a TCP proxy and lets the back end server handle HTTPS, then you may need to ensure that you're running a very recent version of Java 8. You may also need to install the JCE policy files for unlimited strength encryption into your Java. I see from other messages on the list that you're running Solr 6.6.2, so it would not be a good idea for you to use Java 9 or Java 10.
> If you need them, the JCE policy files for Java 8 can be found here:
>
> http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

Starting with Oracle Java 8u151 and later, the "unlimited strength jurisdiction policy files" are included in the default build[1], so you no longer have to manually install them. Nice to see that Java finally got out of the 1990s mindset when it comes to cryptography.

Unfortunately, Java 8 is close to EOL[2], so it's time to look at newer versions of Java, which likely means newer versions of Solr if you want to be safe and secure. I say "close to EOL" even though it's 7 months away because it can take a looong time to plan and execute an upgrade of both Solr and Java.

-chris

[1] https://golb.hplar.ch/2017/10/JCE-policy-changes-in-Java-SE-8u151-and-8u152.html
[2] http://www.oracle.com/technetwork/java/javase/eol-135779.html
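Shawn's "really important question" (does the load balancer terminate TLS or pass TCP through?) and Kelly's original symptom (a per-host certificate presented for a name it does not cover) can both be checked from a workstation. The following is an added example, not code from the thread or from the Solr project. It uses the hostnames and port from the thread (solrlb.com, solr1.com, solr2.com, 8983) as assumed values; the live probe needs network access, while the two helpers it feeds run offline. Certificate verification is switched off deliberately in the probe, because the goal is to see which certificate each endpoint presents, not to trust it.

```python
"""Added example (not from the mailing-list thread): tell a TLS-terminating
load balancer apart from a TCP pass-through one, and check whether the
certificate presented covers the name the browser actually typed.

Hostnames and port (solrlb.com, solr1.com, solr2.com, 8983) are assumed
from the thread; replace them with your own.
"""
import hashlib
import socket
import ssl
from typing import Dict, Iterable, List, Optional


def probe_tls(host: str, port: int = 8983, sni: Optional[str] = None,
              timeout: float = 5.0) -> Dict[str, str]:
    """Handshake with host:port (sending SNI) and report what the endpoint we
    really talked to negotiated. Verification is disabled on purpose: we want
    to see the leaf certificate even when it would not validate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
                der = tls.getpeercert(binary_form=True)
                return {
                    "endpoint": f"{host}:{port}",
                    "protocol": tls.version(),          # e.g. 'TLSv1.2'
                    "cipher": tls.cipher()[0],          # negotiated suite name
                    "leaf_sha256": hashlib.sha256(der).hexdigest(),
                }
    except (ssl.SSLError, OSError) as exc:
        # A failure here is the server-side view of the browser's
        # "turn on TLS 1.0, 1.1 and 1.2" page: no protocol/cipher in common.
        return {"endpoint": f"{host}:{port}", "error": str(exc)}


def classify_balancer(lb: Dict[str, str],
                      backends: Iterable[Dict[str, str]]) -> str:
    """Same leaf certificate through the LB as on a backend: the LB is a plain
    TCP proxy and the backend Java/Jetty stack is what the browser negotiates
    with. A different leaf: the LB terminates TLS itself, and its own
    protocol/cipher configuration is what needs attention."""
    if "error" in lb:
        return "handshake-failed"
    backend_fps = {b["leaf_sha256"] for b in backends if "leaf_sha256" in b}
    return "tcp-passthrough" if lb["leaf_sha256"] in backend_fps else "tls-terminating"


def hostname_matches(hostname: str, san_dns_names: List[str]) -> bool:
    """RFC 6125-style match of the name the client typed against the
    certificate's dNSName SANs. Only a whole leftmost label may be a wildcard,
    it matches exactly one label, and '*.tld' is never accepted."""
    host = hostname.rstrip(".").lower().split(".")
    for san in san_dns_names:
        labels = san.rstrip(".").lower().split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


if __name__ == "__main__":
    # The situation in the thread: backends hold per-host certs, the browser
    # asks for the load-balanced name.
    print(hostname_matches("solrlb.com", ["solr1.com"]))                            # False
    print(hostname_matches("solrlb.com", ["solr1.com", "solr2.com", "solrlb.com"]))  # True

    lb = probe_tls("solrlb.com")
    backends = [probe_tls("solr1.com"), probe_tls("solr2.com")]
    for result in [lb] + backends:
        print(result)
    print(classify_balancer(lb, backends))
```

If `classify_balancer` reports `tcp-passthrough`, the SAN certificate has to live in each Solr node's keystore and the backends' Java version and cipher configuration are what matter; on that Java, `javax.crypto.Cipher.getMaxAllowedKeyLength("AES")` returning `Integer.MAX_VALUE` confirms the unlimited-strength policy is in effect. If it reports `tls-terminating`, the same fields from the probe (protocol and cipher, or the handshake error) describe the load balancer's TLS stack, which is where the "unsupported protocol or cipher suite" message originates. From a shell, `openssl s_client -connect solrlb.com:8983 -servername solrlb.com` shows the same protocol, cipher and certificate information as `probe_tls`.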