SOLR-14163: SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION needs to work with Jetty server/client SSL contexts
Closes #1147 Signed-off-by: Kevin Risden <krisden@apache.org>
This commit is contained in:
parent
18a2c25c46
commit
49a06a1a14
@ -132,6 +132,8 @@ Bug Fixes
|
|||
|
||||
* SOLR-13089: Fix lsof edge cases in the solr CLI script (Martijn Koster via janhoy)
|
||||
|
||||
* SOLR-14163: SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION needs to work with Jetty server/client SSL contexts (Kevin Risden)
|
||||
|
||||
Other Changes
|
||||
---------------------
|
||||
|
||||
|
|
|
@ -206,14 +206,13 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
|
|||
SOLR_SSL_OPTS+=" -Dsolr.jetty.truststore.type=$SOLR_SSL_TRUST_STORE_TYPE"
|
||||
fi
|
||||
|
||||
if [ -n "$SOLR_SSL_NEED_CLIENT_AUTH" ]; then
|
||||
SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.needClientAuth=$SOLR_SSL_NEED_CLIENT_AUTH"
|
||||
fi
|
||||
|
||||
if [ -z "$SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION" ] ; then
|
||||
SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.verifyClientHostName=HTTPS"
|
||||
fi
|
||||
|
||||
if [ -n "$SOLR_SSL_NEED_CLIENT_AUTH" ]; then
|
||||
SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.needClientAuth=$SOLR_SSL_NEED_CLIENT_AUTH"
|
||||
fi
|
||||
if [ -n "$SOLR_SSL_WANT_CLIENT_AUTH" ]; then
|
||||
SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.wantClientAuth=$SOLR_SSL_WANT_CLIENT_AUTH"
|
||||
fi
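Review bot: The `-z` test on `SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION` only distinguishes unset from set, so any non-empty value — including `true` — results in no `-Dsolr.jetty.ssl.verifyClientHostName` being passed, and the jetty-ssl.xml hunk gives that property no `default`, which leaves the endpoint identification algorithm unset (verification off) for an operator who set the variable to `true` expecting to turn it on. Unless the script handles the variable's value elsewhere outside this hunk, the condition should test the value rather than presence: `if [ "$SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION" != "false" ]; then`. The same presence-only check appears in the bin/solr.cmd hunk as `IF NOT DEFINED SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION`, where `IF /I NOT "%SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION%"=="false" (` would be the value-based form. The `SOLR_SSL_NEED_CLIENT_AUTH` block is printed twice in this view; if both copies survive on the new side, one of them is redundant.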
|
||||
|
|
|
@ -82,6 +82,10 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
|
|||
set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.truststore.type=%SOLR_SSL_TRUST_STORE_TYPE%"
|
||||
)
|
||||
|
||||
IF NOT DEFINED SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION (
|
||||
set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.verifyClientHostName=HTTPS"
|
||||
)
|
||||
|
||||
IF DEFINED SOLR_SSL_NEED_CLIENT_AUTH (
|
||||
set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.needClientAuth=%SOLR_SSL_NEED_CLIENT_AUTH%"
|
||||
)
|
||||
|
|
|
@ -17,7 +17,6 @@
|
|||
<Set name="TrustStorePassword"><Ref refid="trustStorePassword"/></Set>
|
||||
<Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="false"/></Set>
|
||||
<Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>
|
||||
<Set name="EndpointIdentificationAlgorithm"><Property name="solr.jetty.ssl.verifyClientHostName"/></Set>
|
||||
<Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="PKCS12"/></Set>
|
||||
<Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="PKCS12"/></Set>
|
||||
|
||||
|
|
|
@ -66,7 +66,7 @@ NOTE: If you setup Solr as a service on Linux using the steps outlined in <<taki
|
|||
.bin/solr.in.sh example SOLR_SSL_* configuration
|
||||
[source,bash]
|
||||
----
|
||||
# Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
|
||||
# Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
|
||||
# to enable https module with custom jetty configuration.
|
||||
SOLR_SSL_ENABLED=true
|
||||
# Uncomment to set SSL-related system properties
|
||||
|
@ -79,8 +79,6 @@ SOLR_SSL_TRUST_STORE_PASSWORD=secret
|
|||
SOLR_SSL_NEED_CLIENT_AUTH=false
|
||||
# Enable clients to authenticate (but not require)
|
||||
SOLR_SSL_WANT_CLIENT_AUTH=false
|
||||
# Verify client's hostname during SSL handshake
|
||||
SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
|
||||
# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
|
||||
# this to false can be useful to disable these checks when re-using a certificate on many hosts
|
||||
SOLR_SSL_CHECK_PEER_NAME=true
|
||||
|
@ -89,14 +87,14 @@ SOLR_SSL_CHECK_PEER_NAME=true
|
|||
When you start Solr, the `bin/solr` script includes the settings in `bin/solr.in.sh` and will pass these SSL-related system properties to the JVM.
|
||||
|
||||
.Client Authentication Settings
|
||||
WARNING: Enable either SOLR_SSL_NEED_CLIENT_AUTH or SOLR_SSL_WANT_CLIENT_AUTH but not both at the same time. They are mutually exclusive and Jetty will select one of them which may not be what you expect. SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION should be set to true if you only want requests from authenticated host-names to be accepted.
|
||||
WARNING: Enable either SOLR_SSL_NEED_CLIENT_AUTH or SOLR_SSL_WANT_CLIENT_AUTH but not both at the same time. They are mutually exclusive and Jetty will select one of them which may not be what you expect. SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION should be set to false if you want to disable hostname verification.
|
||||
|
||||
Similarly, when you start Solr on Windows, the `bin\solr.cmd` script includes the settings in `bin\solr.in.cmd` - uncomment and update the set of properties beginning with `SOLR_SSL_*` to pass these SSL-related system properties to the JVM:
|
||||
|
||||
.bin\solr.in.cmd example SOLR_SSL_* configuration
|
||||
[source,text]
|
||||
----
|
||||
REM Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config
|
||||
REM Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
|
||||
REM to enable https module with custom jetty configuration.
|
||||
set SOLR_SSL_ENABLED=true
|
||||
REM Uncomment to set SSL-related system properties
|
||||
|
@ -109,8 +107,6 @@ REM Require clients to authenticate
|
|||
set SOLR_SSL_NEED_CLIENT_AUTH=false
|
||||
REM Enable clients to authenticate (but not require)
|
||||
set SOLR_SSL_WANT_CLIENT_AUTH=false
|
||||
REM Verify client hostname during SSL handshake
|
||||
set SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
|
||||
REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
|
||||
REM this to false can be useful to disable these checks when re-using a certificate on many hosts
|
||||
set SOLR_SSL_CHECK_PEER_NAME=true
|
||||
|
|
|
@ -136,7 +136,27 @@ public class SSLConfig {
|
|||
}
|
||||
|
||||
public SslContextFactory.Client createClientContextFactory() {
|
||||
return new SslContextFactory.Client();
|
||||
if (! isSSLMode()) {
|
||||
return null;
|
||||
}
|
||||
// else...
|
||||
|
||||
SslContextFactory.Client factory = new SslContextFactory.Client();
|
||||
if (getKeyStore() != null) {
|
||||
factory.setKeyStorePath(getKeyStore());
|
||||
}
|
||||
if (getKeyStorePassword() != null) {
|
||||
factory.setKeyStorePassword(getKeyStorePassword());
|
||||
}
|
||||
|
||||
if (isClientAuthMode()) {
|
||||
if (getTrustStore() != null)
|
||||
factory.setTrustStorePath(getTrustStore());
|
||||
if (getTrustStorePassword() != null)
|
||||
factory.setTrustStorePassword(getTrustStorePassword());
|
||||
}
|
||||
|
||||
return factory;
|
||||
}
|
||||
|
||||
private static SslContextFactory.Server configureSslFromSysProps() {
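Review bot: The trust store in `createClientContextFactory` is only applied inside `if (isClientAuthMode())`, but on a client the trust store is what validates the server's certificate, so it is needed whether or not client authentication is enabled; the guard looks carried over from a server-side factory, where a trust store only matters for checking client certificates. Unless the trust store is always the same file as the key store (to my recollection Jetty falls back to the key store when no trust store path is set), the `setTrustStorePath`/`setTrustStorePassword` pair should be lifted out of that `if`. The method also returns `null` when `isSSLMode()` is false without saying so; a Javadoc line such as `@return a configured client factory, or {@code null} when SSL mode is off` would spare callers the surprise. Finally, this factory never sets an endpoint identification algorithm, so unlike `Http2SolrClient.getDefaultSslContextFactory` in this same commit it ignores `solr.jetty.ssl.verifyClientHostName`, and hostname verification here depends on Jetty's constructor default. The hunk ends on the opening line of `configureSslFromSysProps`, whose body is outside it.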
|
||||
|
|
|
@ -919,7 +919,8 @@ public class Http2SolrClient extends SolrClient {
|
|||
Http2SolrClient.defaultSSLConfig = null;
|
||||
}
|
||||
|
||||
private static SslContextFactory.Client getDefaultSslContextFactory() {
|
||||
/* package-private for testing */
|
||||
static SslContextFactory.Client getDefaultSslContextFactory() {
|
||||
String checkPeerNameStr = System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME);
|
||||
boolean sslCheckPeerName = true;
|
||||
if (checkPeerNameStr == null || "false".equalsIgnoreCase(checkPeerNameStr)) {
|
||||
|
@ -945,6 +946,8 @@ public class Http2SolrClient extends SolrClient {
|
|||
(System.getProperty("javax.net.ssl.trustStorePassword"));
|
||||
}
|
||||
|
||||
sslContextFactory.setEndpointIdentificationAlgorithm(System.getProperty("solr.jetty.ssl.verifyClientHostName"));
|
||||
|
||||
return sslContextFactory;
|
||||
}
|
||||
}
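Review bot: `sslContextFactory.setEndpointIdentificationAlgorithm(System.getProperty("solr.jetty.ssl.verifyClientHostName"))` passes `null` straight through when the property is absent, so a SolrJ client started outside the `bin/solr` scripts (which are what supply `HTTPS`) explicitly disables hostname verification even where Jetty's own client default would have enabled it, and the new test pins that null as the expected result. If that coupling to the launcher scripts is intended it deserves a comment on that line, e.g. `// null (property unset) turns endpoint identification off; bin/solr passes HTTPS unless SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION is set`; if not, a safer form is `String alg = System.getProperty("solr.jetty.ssl.verifyClientHostName"); if (alg == null && sslCheckPeerName) alg = "HTTPS";` before the setter. The property name is also an inline literal here and in the test while the neighbouring setting is read through `HttpClientUtil.SYS_PROP_CHECK_PEER_NAME`; a constant beside it would keep the two in one place. `getDefaultSslContextFactory` starts in the earlier hunk of this file and its middle lies outside both hunks.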
|
||||
|
|
|
@ -45,6 +45,7 @@ import org.apache.solr.common.SolrInputDocument;
|
|||
import org.apache.solr.common.params.CommonParams;
|
||||
import org.apache.solr.common.util.SuppressForbidden;
|
||||
import org.eclipse.jetty.servlet.ServletHolder;
|
||||
import org.eclipse.jetty.util.ssl.SslContextFactory;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Test;
|
||||
|
||||
|
@ -588,6 +589,16 @@ public class Http2SolrClientTest extends SolrJettyTestBase {
|
|||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGetDefaultSslContextFactory() {
|
||||
assertNull(Http2SolrClient.getDefaultSslContextFactory().getEndpointIdentificationAlgorithm());
|
||||
|
||||
System.setProperty("solr.jetty.ssl.verifyClientHostName", "HTTPS");
|
||||
SslContextFactory.Client sslContextFactory = Http2SolrClient.getDefaultSslContextFactory();
|
||||
assertEquals("HTTPS", sslContextFactory.getEndpointIdentificationAlgorithm());
|
||||
System.clearProperty("solr.jetty.ssl.verifyClientHostName");
|
||||
}
|
||||
|
||||
/**
|
||||
* Missed tests :
|
||||
* - set cookies via interceptor
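Review bot: `testGetDefaultSslContextFactory` sets `solr.jetty.ssl.verifyClientHostName` with `System.setProperty` and clears it only after the assertions, so if the `assertEquals` fails the property stays at `HTTPS` for the rest of the JVM and can change what later tests in this class observe; the leading `assertNull` likewise assumes nothing earlier left the property set. Unless a base-class rule restores system properties between methods, the clear belongs in a `finally`, as below. The hunk's trailing `Missed tests` comment continues outside it.
```java
@Test
public void testGetDefaultSslContextFactory() {
  assertNull(Http2SolrClient.getDefaultSslContextFactory().getEndpointIdentificationAlgorithm());

  System.setProperty("solr.jetty.ssl.verifyClientHostName", "HTTPS");
  try {
    SslContextFactory.Client sslContextFactory = Http2SolrClient.getDefaultSslContextFactory();
    assertEquals("HTTPS", sslContextFactory.getEndpointIdentificationAlgorithm());
  } finally {
    // always restore, so a failing assertion cannot leak the property into later tests
    System.clearProperty("solr.jetty.ssl.verifyClientHostName");
  }
}
```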
|
||||
|
|