SOLR-14163: SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION needs to work with Jetty server/client SSL contexts

Closes #1147

Signed-off-by: Kevin Risden <krisden@apache.org>

solr/CHANGES.txt

@@ -210,6 +210,8 @@ Bug Fixes
 
 * SOLR-13089: Fix lsof edge cases in the solr CLI script (Martijn Koster via janhoy)
 
+* SOLR-14163: SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION needs to work with Jetty server/client SSL contexts (Kevin Risden)
+
 Other Changes
 ---------------------
 

solr/bin/solr

@@ -206,14 +206,13 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
     SOLR_SSL_OPTS+=" -Dsolr.jetty.truststore.type=$SOLR_SSL_TRUST_STORE_TYPE"
   fi
 
-  if [ -n "$SOLR_SSL_NEED_CLIENT_AUTH" ]; then
-    SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.needClientAuth=$SOLR_SSL_NEED_CLIENT_AUTH"
-  fi
-
   if [ -z "$SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION" ] ; then
     SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.verifyClientHostName=HTTPS"
   fi
 
+  if [ -n "$SOLR_SSL_NEED_CLIENT_AUTH" ]; then
+    SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.needClientAuth=$SOLR_SSL_NEED_CLIENT_AUTH"
+  fi
   if [ -n "$SOLR_SSL_WANT_CLIENT_AUTH" ]; then
     SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.wantClientAuth=$SOLR_SSL_WANT_CLIENT_AUTH"
   fi

solr/bin/solr.cmd

@@ -82,6 +82,10 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
     set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.truststore.type=%SOLR_SSL_TRUST_STORE_TYPE%"
   )
 
+  IF NOT DEFINED SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION (
+    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.verifyClientHostName=HTTPS"
+  )
+
   IF DEFINED SOLR_SSL_NEED_CLIENT_AUTH (
     set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.needClientAuth=%SOLR_SSL_NEED_CLIENT_AUTH%"
   )

solr/server/etc/jetty-ssl.xml

@@ -17,7 +17,6 @@
   <Set name="TrustStorePassword"><Ref refid="trustStorePassword"/></Set>
   <Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="false"/></Set>
   <Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>
-  <Set name="EndpointIdentificationAlgorithm"><Property name="solr.jetty.ssl.verifyClientHostName"/></Set>
   <Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="PKCS12"/></Set>
   <Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="PKCS12"/></Set>
 

solr/solr-ref-guide/src/enabling-ssl.adoc

@@ -66,7 +66,7 @@ NOTE: If you setup Solr as a service on Linux using the steps outlined in <<taki
 .bin/solr.in.sh example SOLR_SSL_* configuration
 [source,bash]
 ----
-# Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
+# Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
 # to enable https module with custom jetty configuration.
 SOLR_SSL_ENABLED=true
 # Uncomment to set SSL-related system properties
@@ -79,8 +79,6 @@ SOLR_SSL_TRUST_STORE_PASSWORD=secret
 SOLR_SSL_NEED_CLIENT_AUTH=false
 # Enable clients to authenticate (but not require)
 SOLR_SSL_WANT_CLIENT_AUTH=false
-# Verify client's hostname during SSL handshake
-SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
 # SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
 # this to false can be useful to disable these checks when re-using a certificate on many hosts
 SOLR_SSL_CHECK_PEER_NAME=true
@@ -89,14 +87,14 @@ SOLR_SSL_CHECK_PEER_NAME=true
 When you start Solr, the `bin/solr` script includes the settings in `bin/solr.in.sh` and will pass these SSL-related system properties to the JVM.
 
 .Client Authentication Settings
-WARNING: Enable either SOLR_SSL_NEED_CLIENT_AUTH or SOLR_SSL_WANT_CLIENT_AUTH but not both at the same time. They are mutually exclusive and Jetty will select one of them which may not be what you expect. SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION should be set to true if you only want requests from authenticated host-names to be accepted.
+WARNING: Enable either SOLR_SSL_NEED_CLIENT_AUTH or SOLR_SSL_WANT_CLIENT_AUTH but not both at the same time. They are mutually exclusive and Jetty will select one of them which may not be what you expect. SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION should be set to false if you want to disable hostname verification.
 
 Similarly, when you start Solr on Windows, the `bin\solr.cmd` script includes the settings in `bin\solr.in.cmd` - uncomment and update the set of properties beginning with `SOLR_SSL_*` to pass these SSL-related system properties to the JVM:
 
 .bin\solr.in.cmd example SOLR_SSL_* configuration
 [source,text]
 ----
-REM Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
+REM Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
 REM to enable https module with custom jetty configuration.
 set SOLR_SSL_ENABLED=true
 REM Uncomment to set SSL-related system properties
@@ -109,8 +107,6 @@ REM Require clients to authenticate
 set SOLR_SSL_NEED_CLIENT_AUTH=false
 REM Enable clients to authenticate (but not require)
 set SOLR_SSL_WANT_CLIENT_AUTH=false
-REM Verify client hostname during SSL handshake
-set SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
 REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
 REM this to false can be useful to disable these checks when re-using a certificate on many hosts
 set SOLR_SSL_CHECK_PEER_NAME=true

solr/solrj/src/java/org/apache/solr/client/solrj/embedded/SSLConfig.java

@@ -136,7 +136,27 @@ public class SSLConfig {
   }
 
   public SslContextFactory.Client createClientContextFactory() {
-    return new SslContextFactory.Client();
+    if (! isSSLMode()) {
+      return null;
+    }
+    // else...
+
+    SslContextFactory.Client factory = new SslContextFactory.Client();
+    if (getKeyStore() != null) {
+      factory.setKeyStorePath(getKeyStore());
+    }
+    if (getKeyStorePassword() != null) {
+      factory.setKeyStorePassword(getKeyStorePassword());
+    }
+
+    if (isClientAuthMode()) {
+      if (getTrustStore() != null)
+        factory.setTrustStorePath(getTrustStore());
+      if (getTrustStorePassword() != null)
+        factory.setTrustStorePassword(getTrustStorePassword());
+    }
+
+    return factory;
   }
 
   private static SslContextFactory.Server configureSslFromSysProps() {

solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java

@@ -919,7 +919,8 @@ public class Http2SolrClient extends SolrClient {
     Http2SolrClient.defaultSSLConfig = null;
   }
 
-  private static SslContextFactory.Client getDefaultSslContextFactory() {
+  /* package-private for testing */
+  static SslContextFactory.Client getDefaultSslContextFactory() {
     String checkPeerNameStr = System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME);
     boolean sslCheckPeerName = true;
     if (checkPeerNameStr == null || "false".equalsIgnoreCase(checkPeerNameStr)) {
@@ -945,6 +946,8 @@ public class Http2SolrClient extends SolrClient {
           (System.getProperty("javax.net.ssl.trustStorePassword"));
     }
 
+    sslContextFactory.setEndpointIdentificationAlgorithm(System.getProperty("solr.jetty.ssl.verifyClientHostName"));
+
     return sslContextFactory;
   }
 }

solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java

@@ -45,6 +45,7 @@ import org.apache.solr.common.SolrInputDocument;
 import org.apache.solr.common.params.CommonParams;
 import org.apache.solr.common.util.SuppressForbidden;
 import org.eclipse.jetty.servlet.ServletHolder;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
@@ -588,6 +589,16 @@ public class Http2SolrClientTest extends SolrJettyTestBase {
     }
   }
 
+  @Test
+  public void testGetDefaultSslContextFactory() {
+    assertNull(Http2SolrClient.getDefaultSslContextFactory().getEndpointIdentificationAlgorithm());
+
+    System.setProperty("solr.jetty.ssl.verifyClientHostName", "HTTPS");
+    SslContextFactory.Client sslContextFactory = Http2SolrClient.getDefaultSslContextFactory();
+    assertEquals("HTTPS", sslContextFactory.getEndpointIdentificationAlgorithm());
+    System.clearProperty("solr.jetty.ssl.verifyClientHostName");
+  }
+
   /**
    * Missed tests :
    * - set cookies via interceptor