From 4e0e8e979b66abdf0778fc0ea86ae5ef5d8f2f91 Mon Sep 17 00:00:00 2001
From: Chris Hostetter
Date: Sun, 22 Apr 2018 13:38:37 -0700
Subject: [PATCH] SOLR-9304: Fix Solr's HTTP handling to respect
'-Dsolr.ssl.checkPeerName=false' aka SOLR_SSL_CHECK_PEER_NAME
---
solr/CHANGES.txt | 5 +-
solr/bin/solr | 4 +
solr/bin/solr.cmd | 3 +
solr/bin/solr.in.cmd | 12 +-
solr/bin/solr.in.sh | 16 ++-
.../cloud/TestMiniSolrCloudClusterSSL.java | 59 ++++++++++
solr/solr-ref-guide/src/enabling-ssl.adoc | 21 +++-
.../client/solrj/impl/HttpClientUtil.java | 59 +++++++++-
.../client/solrj/impl/HttpClientUtilTest.java | 108 ++++++++++++++++++
.../org/apache/solr/util/SSLTestConfig.java | 91 +++++++++------
...tConfig.hostname-and-ip-missmatch.keystore | Bin 0 -> 2246 bytes
.../resources/SSLTestConfig.testing.keystore | Bin 2208 -> 2207 bytes
.../src/resources/create-keystores.sh | 37 ++++++
13 files changed, 363 insertions(+), 52 deletions(-)
create mode 100644 solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java
create mode 100644 solr/test-framework/src/resources/SSLTestConfig.hostname-and-ip-missmatch.keystore
create mode 100755 solr/test-framework/src/resources/create-keystores.sh
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index efa60002a10..a9e63f3d143 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -176,7 +176,10 @@ Bug Fixes
* SOLR-6286: TestReplicationHandler.doTestReplicateAfterCoreReload(): stop checking for identical
commits before/after master core reload; and make non-nightly mode test 10 docs instead of 0.
(shalin, hossman, Mark Miller, Steve Rowe)
-
+
+* SOLR-9304: Fix Solr's HTTP handling to respect '-Dsolr.ssl.checkPeerName=false' aka SOLR_SSL_CHECK_PEER_NAME
+ (Shawn Heisey, Carlton Findley, Robby Pond, hossman)
+
Optimizations
----------------------
diff --git a/solr/bin/solr b/solr/bin/solr
index 3cda7825933..68d1140df6b 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -224,6 +224,10 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
fi
fi
+ if [ -n "$SOLR_SSL_CHECK_PEER_NAME" ]; then
+ SOLR_SSL_OPTS+=" -Dsolr.ssl.checkPeerName=$SOLR_SSL_CHECK_PEER_NAME"
+ fi
+
if [ -n "$SOLR_SSL_CLIENT_TRUST_STORE" ]; then
SOLR_SSL_OPTS+=" -Djavax.net.ssl.trustStore=$SOLR_SSL_CLIENT_TRUST_STORE"
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index e9f6c45e3f2..7235a4c3ef6 100644
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -111,6 +111,9 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Djavax.net.ssl.trustStoreType=%SOLR_SSL_TRUST_STORE_TYPE%"
)
)
+ IF DEFINED SOLR_SSL_CHECK_PEER_NAME (
+ set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.checkPeerName=%SOLR_SSL_CHECK_PEER_NAME%"
+ )
) ELSE (
set SOLR_SSL_OPTS=
)
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index a1771ad2458..86ad7084f10 100644
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -103,20 +103,26 @@ REM Uncomment to set SSL-related system properties
REM Be sure to update the paths to the correct keystore for your environment
REM set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
REM set SOLR_SSL_KEY_STORE_PASSWORD=secret
-REM set SOLR_SSL_KEY_STORE_TYPE=JKS
REM set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
REM set SOLR_SSL_TRUST_STORE_PASSWORD=secret
-REM set SOLR_SSL_TRUST_STORE_TYPE=JKS
+REM Require clients to authenticate
REM set SOLR_SSL_NEED_CLIENT_AUTH=false
+REM Enable clients to authenticate (but not require)
REM set SOLR_SSL_WANT_CLIENT_AUTH=false
+REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
+REM this to false can be useful to disable these checks when re-using a certificate on many hosts
+REM set SOLR_SSL_CHECK_PEER_NAME=true
+REM Override Key/Trust Store types if necessary
+REM set SOLR_SSL_KEY_STORE_TYPE=JKS
+REM set SOLR_SSL_TRUST_STORE_TYPE=JKS
REM Uncomment if you want to override previously defined SSL values for HTTP client
REM otherwise keep them commented and the above values will automatically be set for HTTP clients
REM set SOLR_SSL_CLIENT_KEY_STORE=
REM set SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=
-REM set SOLR_SSL_CLIENT_KEY_STORE_TYPE=
REM set SOLR_SSL_CLIENT_TRUST_STORE=
REM set SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=
+REM set SOLR_SSL_CLIENT_KEY_STORE_TYPE=
REM set SOLR_SSL_CLIENT_TRUST_STORE_TYPE=
REM Sets path of Hadoop credential provider (hadoop.security.credential.provider.path property) and
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index 7cf6a8438cd..9b15beaa2db 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -118,22 +118,28 @@
#SOLR_SSL_ENABLED=true
# Uncomment to set SSL-related system properties
# Be sure to update the paths to the correct keystore for your environment
-#SOLR_SSL_KEY_STORE=/home/shalin/work/oss/shalin-lusolr/solr/server/etc/solr-ssl.keystore.jks
+#SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
#SOLR_SSL_KEY_STORE_PASSWORD=secret
-#SOLR_SSL_KEY_STORE_TYPE=JKS
-#SOLR_SSL_TRUST_STORE=/home/shalin/work/oss/shalin-lusolr/solr/server/etc/solr-ssl.keystore.jks
+#SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
#SOLR_SSL_TRUST_STORE_PASSWORD=secret
-#SOLR_SSL_TRUST_STORE_TYPE=JKS
+# Require clients to authenticate
#SOLR_SSL_NEED_CLIENT_AUTH=false
+# Enable clients to authenticate (but not require)
#SOLR_SSL_WANT_CLIENT_AUTH=false
+# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
+# this to false can be useful to disable these checks when re-using a certificate on many hosts
+#SOLR_SSL_CHECK_PEER_NAME=true
+# Override Key/Trust Store types if necessary
+#SOLR_SSL_KEY_STORE_TYPE=JKS
+#SOLR_SSL_TRUST_STORE_TYPE=JKS
# Uncomment if you want to override previously defined SSL values for HTTP client
# otherwise keep them commented and the above values will automatically be set for HTTP clients
#SOLR_SSL_CLIENT_KEY_STORE=
#SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=
-#SOLR_SSL_CLIENT_KEY_STORE_TYPE=
#SOLR_SSL_CLIENT_TRUST_STORE=
#SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=
+#SOLR_SSL_CLIENT_KEY_STORE_TYPE=
#SOLR_SSL_CLIENT_TRUST_STORE_TYPE=
# Sets path of Hadoop credential provider (hadoop.security.credential.provider.path property) and
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java b/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java
index 98f952a50b0..7a6606ac8f7 100644
--- a/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java
+++ b/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java
@@ -17,6 +17,7 @@
package org.apache.solr.cloud;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.util.List;
@@ -32,6 +33,8 @@ import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.lucene.util.Constants;
+import org.apache.lucene.util.TestRuleRestoreSystemProperties;
+
import org.apache.solr.SolrTestCaseJ4;
import org.apache.solr.client.solrj.SolrServerException;
import org.apache.solr.client.solrj.embedded.JettyConfig;
@@ -46,6 +49,9 @@ import org.apache.solr.common.params.CoreAdminParams.CoreAdminAction;
import org.apache.solr.util.SSLTestConfig;
import org.junit.After;
import org.junit.Before;
+import org.junit.Rule;
+import org.junit.rules.TestRule;
+
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -72,6 +78,10 @@ public class TestMiniSolrCloudClusterSSL extends SolrTestCaseJ4 {
public static final int NUM_SERVERS = 3;
public static final String CONF_NAME = MethodHandles.lookup().lookupClass().getName();
+ @Rule
+ public TestRule syspropRestore = new TestRuleRestoreSystemProperties
+ (HttpClientUtil.SYS_PROP_CHECK_PEER_NAME);
+
@Before
public void before() {
// undo the randomization of our super class
@@ -120,6 +130,13 @@ public class TestMiniSolrCloudClusterSSL extends SolrTestCaseJ4 {
checkClusterWithNodeReplacement(sslConfig);
}
+ public void testSslWithCheckPeerName() throws Exception {
+ final SSLTestConfig sslConfig = new SSLTestConfig(true, false, true);
+ HttpClientUtil.setSchemaRegistryProvider(sslConfig.buildClientSchemaRegistryProvider());
+ System.setProperty(ZkStateReader.URL_SCHEME, "https");
+ checkClusterWithNodeReplacement(sslConfig);
+ }
+
/**
* Constructs a cluster with the specified sslConfigs, runs {@link #checkClusterWithCollectionCreations},
* then verifies that if we modify the default SSLContext (mimicing javax.net.ssl.*
@@ -142,6 +159,8 @@ public class TestMiniSolrCloudClusterSSL extends SolrTestCaseJ4 {
// our test config doesn't use SSL, and reset HttpClientUtil to it's defaults so it picks up our
// SSLContext that way.
SSLContext.setDefault( sslConfig.isSSLMode() ? sslConfig.buildClientSSLContext() : DEFAULT_SSL_CONTEXT);
+ System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME,
+ Boolean.toString(sslConfig.getCheckPeerName()));
HttpClientUtil.resetHttpClientBuilder();
// recheck that we can communicate with all the jetty instances in our cluster
@@ -151,6 +170,46 @@ public class TestMiniSolrCloudClusterSSL extends SolrTestCaseJ4 {
}
}
+ /** Sanity check that our test scaffolding for validating SSL peer names fails when it should */
+ public void testSslWithInvalidPeerName() throws Exception {
+ // NOTE: first initialize the cluster w/o peer name checks, which means our server will use
+ // certs with a bogus hostname/ip and clients shouldn't care...
+ final SSLTestConfig sslConfig = new SSLTestConfig(true, false, false);
+ HttpClientUtil.setSchemaRegistryProvider(sslConfig.buildClientSchemaRegistryProvider());
+ System.setProperty(ZkStateReader.URL_SCHEME, "https");
+ final JettyConfig config = JettyConfig.builder().withSSLConfig(sslConfig).build();
+ final MiniSolrCloudCluster cluster = new MiniSolrCloudCluster(NUM_SERVERS, createTempDir(), config);
+ try {
+ checkClusterWithCollectionCreations(cluster, sslConfig);
+
+ // now initialize a client that still uses the existing SSLContext/Provider, so it will accept
+ // our existing certificate, but *does* care about validating the peer name
+ System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, "true");
+ HttpClientUtil.resetHttpClientBuilder();
+
+ // and validate we get failures when trying to talk to our cluster...
+ final List jettys = cluster.getJettySolrRunners();
+ for (JettySolrRunner jetty : jettys) {
+ final String baseURL = jetty.getBaseUrl().toString();
+ // verify new solr clients validate peer name and can't talk to this server
+ Exception ex = expectThrows(SolrServerException.class, () -> {
+ try (HttpSolrClient client = getRandomizedHttpSolrClient(baseURL)) {
+ CoreAdminRequest req = new CoreAdminRequest();
+ req.setAction( CoreAdminAction.STATUS );
+ client.request(req);
+ }
+ });
+ assertTrue("Expected an root cause SSL Exception, got: " + ex.toString(),
+ ex.getCause() instanceof SSLException);
+ }
+ } finally {
+ cluster.shutdown();
+ }
+
+
+
+ }
+
/**
* General purpose cluster sanity check...
*
diff --git a/solr/solr-ref-guide/src/enabling-ssl.adoc b/solr/solr-ref-guide/src/enabling-ssl.adoc
index b641bfd6807..35bc1d807f7 100644
--- a/solr/solr-ref-guide/src/enabling-ssl.adoc
+++ b/solr/solr-ref-guide/src/enabling-ssl.adoc
@@ -77,6 +77,11 @@ NOTE: If you setup Solr as a service on Linux using the steps outlined in <
+ * This property will have no effect if {@link #setSchemaRegistryProvider} is used to override
+ * the default {@link SchemaRegistryProvider}
+ *
+ */
public static final String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.checkPeerName";
// * NOTE* The following params configure the default request config and this
@@ -181,6 +192,9 @@ public class HttpClientUtil {
httpClientBuilder = newHttpClientBuilder;
}
+ /**
+ * @see #SYS_PROP_CHECK_PEER_NAME
+ */
public static void setSchemaRegistryProvider(SchemaRegistryProvider newRegistryProvider) {
schemaRegistryProvider = newRegistryProvider;
}
@@ -188,7 +202,10 @@ public class HttpClientUtil {
public static SolrHttpClientBuilder getHttpClientBuilder() {
return httpClientBuilder;
}
-
+
+ /**
+ * @see #SYS_PROP_CHECK_PEER_NAME
+ */
public static SchemaRegistryProvider getSchemaRegisteryProvider() {
return schemaRegistryProvider;
}
@@ -205,9 +222,22 @@ public class HttpClientUtil {
// except that we explicitly use SSLConnectionSocketFactory.getSystemSocketFactory()
// to pick up the system level default SSLContext (where javax.net.ssl.* properties
// related to keystore & truststore are specified)
- RegistryBuilder builder = RegistryBuilder.create();
+ RegistryBuilder builder = RegistryBuilder. create();
builder.register("http", PlainConnectionSocketFactory.getSocketFactory());
- builder.register("https", SSLConnectionSocketFactory.getSystemSocketFactory());
+
+ // logic to turn off peer host check
+ SSLConnectionSocketFactory sslConnectionSocketFactory = null;
+ boolean sslCheckPeerName = toBooleanDefaultIfNull(
+ toBooleanObject(System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME)), true);
+ if (sslCheckPeerName) {
+ sslConnectionSocketFactory = SSLConnectionSocketFactory.getSystemSocketFactory();
+ } else {
+ sslConnectionSocketFactory = new SSLConnectionSocketFactory(SSLContexts.createSystemDefault(),
+ NoopHostnameVerifier.INSTANCE);
+ logger.debug(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME + "is false, hostname checks disabled.");
+ }
+ builder.register("https", sslConnectionSocketFactory);
+
return builder.build();
}
}
@@ -459,5 +489,26 @@ public class HttpClientUtil {
cookiePolicy = policyName;
}
+ /**
+ * @lucene.internal
+ */
+ static boolean toBooleanDefaultIfNull(Boolean bool, boolean valueIfNull) {
+ if (bool == null) {
+ return valueIfNull;
+ }
+ return bool.booleanValue() ? true : false;
+ }
+ /**
+ * @lucene.internal
+ */
+ static Boolean toBooleanObject(String str) {
+ if ("true".equalsIgnoreCase(str)) {
+ return Boolean.TRUE;
+ } else if ("false".equalsIgnoreCase(str)) {
+ return Boolean.FALSE;
+ }
+ // no match
+ return null;
+ }
}
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java
new file mode 100644
index 00000000000..ce2f8b7875d
--- /dev/null
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.client.solrj.impl;
+
+import javax.net.ssl.HostnameVerifier;
+import java.io.IOException;
+
+import org.apache.solr.client.solrj.impl.HttpClientUtil.SchemaRegistryProvider;
+
+import org.apache.commons.lang.reflect.FieldUtils;
+import org.apache.http.conn.socket.ConnectionSocketFactory;
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.lucene.util.LuceneTestCase;
+import org.apache.lucene.util.TestRuleRestoreSystemProperties;
+
+import org.junit.After;
+import org.junit.Rule;
+import org.junit.rules.TestRule;
+import org.junit.Test;
+
+public class HttpClientUtilTest extends LuceneTestCase {
+
+ @Rule
+ public TestRule syspropRestore = new TestRuleRestoreSystemProperties
+ (HttpClientUtil.SYS_PROP_CHECK_PEER_NAME);
+
+ @After
+ public void resetHttpClientBuilder() {
+ HttpClientUtil.resetHttpClientBuilder();
+ }
+
+ public void testSSLSystemProperties() throws IOException {
+
+ assertNotNull("HTTPS scheme could not be created using system defaults",
+ HttpClientUtil.getSchemaRegisteryProvider().getSchemaRegistry().lookup("https"));
+
+ assertSSLHostnameVerifier(DefaultHostnameVerifier.class, HttpClientUtil.getSchemaRegisteryProvider());
+
+ System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, "true");
+ resetHttpClientBuilder();
+ assertSSLHostnameVerifier(DefaultHostnameVerifier.class, HttpClientUtil.getSchemaRegisteryProvider());
+
+ System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, "");
+ resetHttpClientBuilder();
+ assertSSLHostnameVerifier(DefaultHostnameVerifier.class, HttpClientUtil.getSchemaRegisteryProvider());
+
+ System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, "false");
+ resetHttpClientBuilder();
+ assertSSLHostnameVerifier(NoopHostnameVerifier.class, HttpClientUtil.getSchemaRegisteryProvider());
+ }
+
+ private void assertSSLHostnameVerifier(Class extends HostnameVerifier> expected,
+ SchemaRegistryProvider provider) {
+ ConnectionSocketFactory socketFactory = provider.getSchemaRegistry().lookup("https");
+ assertNotNull("unable to lookup https", socketFactory);
+ assertTrue("socketFactory is not an SSLConnectionSocketFactory: " + socketFactory.getClass(),
+ socketFactory instanceof SSLConnectionSocketFactory);
+ SSLConnectionSocketFactory sslSocketFactory = (SSLConnectionSocketFactory) socketFactory;
+ try {
+ Object hostnameVerifier = FieldUtils.readField(sslSocketFactory, "hostnameVerifier", true);
+ assertNotNull("sslSocketFactory has null hostnameVerifier", hostnameVerifier);
+ assertEquals("sslSocketFactory does not have expected hostnameVerifier impl",
+ expected, hostnameVerifier.getClass());
+ } catch (IllegalAccessException e) {
+ throw new AssertionError("Unexpected access error reading hostnameVerifier field", e);
+ }
+ }
+
+ @Test
+ public void testToBooleanDefaultIfNull() throws Exception {
+ assertFalse(HttpClientUtil.toBooleanDefaultIfNull(Boolean.FALSE, true));
+ assertTrue(HttpClientUtil.toBooleanDefaultIfNull(Boolean.TRUE, false));
+ assertFalse(HttpClientUtil.toBooleanDefaultIfNull(null, false));
+ assertTrue(HttpClientUtil.toBooleanDefaultIfNull(null, true));
+ }
+
+ @Test
+ public void testToBooleanObject() throws Exception {
+ assertEquals(Boolean.TRUE, HttpClientUtil.toBooleanObject("true"));
+ assertEquals(Boolean.TRUE, HttpClientUtil.toBooleanObject("TRUE"));
+ assertEquals(Boolean.TRUE, HttpClientUtil.toBooleanObject("tRuE"));
+
+ assertEquals(Boolean.FALSE, HttpClientUtil.toBooleanObject("false"));
+ assertEquals(Boolean.FALSE, HttpClientUtil.toBooleanObject("FALSE"));
+ assertEquals(Boolean.FALSE, HttpClientUtil.toBooleanObject("fALSE"));
+
+ assertEquals(null, HttpClientUtil.toBooleanObject("t"));
+ assertEquals(null, HttpClientUtil.toBooleanObject("f"));
+ assertEquals(null, HttpClientUtil.toBooleanObject("foo"));
+ assertEquals(null, HttpClientUtil.toBooleanObject(null));
+ }
+}
diff --git a/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java b/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java
index 8268fcdcc11..3b03f6e1711 100644
--- a/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java
+++ b/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java
@@ -16,8 +16,6 @@
*/
package org.apache.solr.util;
-import javax.net.ssl.SSLContext;
-import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
@@ -27,15 +25,17 @@ import java.security.SecureRandomSpi;
import java.security.UnrecoverableKeyException;
import java.util.Random;
+import javax.net.ssl.SSLContext;
+
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
-import org.apache.http.conn.ssl.SSLContextBuilder;
-import org.apache.http.conn.ssl.SSLContexts;
-import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.http.ssl.SSLContexts;
import org.apache.solr.client.solrj.embedded.SSLConfig;
import org.apache.solr.client.solrj.impl.HttpClientUtil;
import org.apache.solr.client.solrj.impl.HttpClientUtil.SchemaRegistryProvider;
@@ -49,9 +49,11 @@ import org.eclipse.jetty.util.ssl.SslContextFactory;
*/
public class SSLTestConfig extends SSLConfig {
- private static final String TEST_KEYSTORE_RESOURCE = "SSLTestConfig.testing.keystore";
+ private static final String TEST_KEYSTORE_BOGUSHOST_RESOURCE = "SSLTestConfig.hostname-and-ip-missmatch.keystore";
+ private static final String TEST_KEYSTORE_LOCALHOST_RESOURCE = "SSLTestConfig.testing.keystore";
private static final String TEST_KEYSTORE_PASSWORD = "secret";
+ private final boolean checkPeerName;
private final Resource keyStore;
private final Resource trustStore;
@@ -59,44 +61,59 @@ public class SSLTestConfig extends SSLConfig {
public SSLTestConfig() {
this(false, false);
}
-
- /**
- * Create an SSLTestConfig based on a few caller specified options. As needed,
- * keystore/truststore information will be pulled from a hardocded resource file provided
- * by the solr test-framework.
+
+ /**
+ * Create an SSLTestConfig based on a few caller specified options,
+ * implicitly assuming checkPeerName=false
.
+ *
+ * As needed, keystore/truststore information will be pulled from a hardcoded resource
+ * file provided by the solr test-framework
+ *
*
- * @param useSSL - wether SSL should be required.
+ * @param useSSL - whether SSL should be required.
* @param clientAuth - whether client authentication should be required.
*/
public SSLTestConfig(boolean useSSL, boolean clientAuth) {
+ this(useSSL, clientAuth, false);
+ }
+
+ // NOTE: if any javadocs below change, update create-keystores.sh
+ /**
+ * Create an SSLTestConfig based on a few caller specified options. As needed,
+ * keystore/truststore information will be pulled from a hardcoded resource files provided
+ * by the solr test-framework based on the value of checkPeerName
:
+ *
+ * true
- A keystore resource file will be used that specifies
+ * a CN of localhost
and a SAN IP of 127.0.0.1
, to
+ * ensure that all connections should be valid regardless of what machine runs the tests.
+ * false
- A keystore resource file will be used that specifies
+ * a bogus hostname in the CN and reserved IP as the SAN, since no (valid) tests using this
+ * SSLTestConfig should care what CN/SAN are.
+ *
+ *
+ * @param useSSL - whether SSL should be required.
+ * @param clientAuth - whether client authentication should be required.
+ * @param checkPeerName - whether the client should validate the 'peer name' of the SSL Certificate (and which testing Cert should be used)
+ * @see HttpClientUtil#SYS_PROP_CHECK_PEER_NAME
+ */
+ public SSLTestConfig(boolean useSSL, boolean clientAuth, boolean checkPeerName) {
super(useSSL, clientAuth, null, TEST_KEYSTORE_PASSWORD, null, TEST_KEYSTORE_PASSWORD);
- trustStore = keyStore = Resource.newClassPathResource(TEST_KEYSTORE_RESOURCE);
+ this.checkPeerName = checkPeerName;
+
+ final String resourceName = checkPeerName
+ ? TEST_KEYSTORE_LOCALHOST_RESOURCE : TEST_KEYSTORE_BOGUSHOST_RESOURCE;
+ trustStore = keyStore = Resource.newClassPathResource(resourceName);
if (null == keyStore || ! keyStore.exists() ) {
throw new IllegalStateException("Unable to locate keystore resource file in classpath: "
- + TEST_KEYSTORE_RESOURCE);
+ + resourceName);
}
}
- /**
- * Helper utility for building resources from arbitrary user input paths/urls
- * if input is null, returns null; otherwise attempts to build Resource and verifies that Resource exists.
- */
- private static final Resource tryNewResource(String userInput, String type) {
- if (null == userInput) {
- return null;
- }
- Resource result;
- try {
- result = Resource.newResource(userInput);
- } catch (IOException e) {
- throw new IllegalArgumentException("Can't build " + type + " Resource: " + e.getMessage(), e);
- }
- if (! result.exists()) {
- throw new IllegalArgumentException(type + " Resource does not exist " + result.getName());
- }
- return result;
+ /** If true, then servers hostname/ip should be validated against the SSL Cert metadata */
+ public boolean getCheckPeerName() {
+ return checkPeerName;
}
-
+
/**
* NOTE: This method is meaningless in SSLTestConfig.
* @return null
@@ -175,7 +192,7 @@ public class SSLTestConfig extends SSLConfig {
SSLContextBuilder builder = SSLContexts.custom();
builder.setSecureRandom(NotSecurePsuedoRandom.INSTANCE);
-
+
builder.loadKeyMaterial(buildKeyStore(keyStore, getKeyStorePassword()), getKeyStorePassword().toCharArray());
if (isClientAuthMode()) {
@@ -229,11 +246,9 @@ public class SSLTestConfig extends SSLConfig {
}
SSLConnectionSocketFactory sslConnectionFactory;
try {
- boolean sslCheckPeerName = toBooleanDefaultIfNull(toBooleanObject(System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME)), true);
SSLContext sslContext = buildClientSSLContext();
- if (sslCheckPeerName == false) {
- sslConnectionFactory = new SSLConnectionSocketFactory
- (sslContext, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+ if (checkPeerName == false) {
+ sslConnectionFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
} else {
sslConnectionFactory = new SSLConnectionSocketFactory(sslContext);
}
diff --git a/solr/test-framework/src/resources/SSLTestConfig.hostname-and-ip-missmatch.keystore b/solr/test-framework/src/resources/SSLTestConfig.hostname-and-ip-missmatch.keystore
new file mode 100644
index 0000000000000000000000000000000000000000..691a3bee02598ac830ffd457736b7f683b0b47f7
GIT binary patch
literal 2246
zcmcIlS5#Ap7R@CgLg+Pgl-|S}iXl=&K|qS32qKDvlA(m&CWr_G1e8IFih?xhU65Xc
z41^|Kz(NrWMM71OF7R;H`=2AFjh+a-iRPro96rj7pN4odO^cmlw@`x}3H#xgh*ONu$htp1
z7a5>4g#Yp@$^DR7H64P9FKm6em*Pv!3!%Fm#pQElOA;T@4y05J={h}3ZZMw043=JP
zLeeWG1UwvU)!KBKDM#P74%5qnj*u6mt#=*!?dYFxGuE4Z?mw1WDp)tyT*M{W68m5k
zEhSa4k+gkiCo=M>`Ehp2&e?nx!q@qZn|E0{?1fe@8))4etlwNCS9--S8&sH6n0gfy
z)8hw^`dbhl7gsa5votnUo3eXp0@2sVSZPy*g@?n1T(k%QN(j?TJ-kQND_>To;@Xl<
zBF;fv0QZD9?zPXZ;XL!vg`W`SyvUI$a+N)*aSg-j{Gc&nSJ;FICtvY1)A!x8ALR&S
z!F5z2ViWnbUkPXDnf<)hEf)5);I67cpvEWx5|0>6_w>}}{+_28BTu@vz5l-R_%M#V
z##znI&@UQXzw~nAY@b;(#kGK3X{kt5d$V)~3ZD1F2yIXa_M_>dd?v@#qbFO{BJ#T;
zLENH^dD%RIdJU&9zaN%Q3c6S)S?%RmmbE7q&?{&-aBuojTMBbcDz;a?ITJo}W>v?+
z_O(?RcP>l2@#fHg+pqRXiKOorb%abZ1mCCP*=Ijtk1{qoj2@NLXh#|9p_ZS8=O_AX
zm%ZwYn8)%dR4;OJ72y53`GfZRq*XGZ4zV!s|Y9TY7Wq?kZN>O%s*TM%5ODc+tjQ
z_-OTFl*Mp$l*l2pHY*B-IBEj+CzUw%4I^Eb)Ppo;*W9iTAMcvdh
zR_{d_Sm=jS%dgDWjafBkH&u0yomqs7Y#jCr<_RhzOHfQf6tc(oj;&N7(MC4C
zzlbolV3GzcKFr@(`kP+Kz41%c#E3aL=t0EOx9`1*DxqGukEOyv#u
z-X!>WHfh6fd|&`)d;@dGC?RVE5xW~W^-+A1ogx;9;p<@AWE|%tHYtK%ZVdKr6}Ucc
zMP9!b>ZOgRi@E)Alvdv~zT70ENp3RTFHcLu-Kx+e&9`)Z3!C(%@-Opf64|H
zuFrnRIkQ@eRZ6uzibhmtKj4jx(s_ABrtWiJ(SdF3cC^G?g8IVHRHjX7m}YahgM`Ny
zCy+s3!RLtB&K)U=W423IyfDjIWEZAo^2_MrgQrif_0Ax?h2s(BaQUdimD(60)gHG
zNl+q4qQhlD=>R%97@^*q4P=2c%0(GO?XUm<6FmgHiDCj7;ZRE$oQuxV0wnQsevjeH6>+~8tS|aADaqV^*pGIQu#0O|7=bI#Qr_%i4j0a02>4(
z0SG!006+>;uSS13MsZ7B7cYKXwNh1rqL=)8*Yx4OwqdzRw~yRW>Q%J~)w2rw;S%}>
zqA>*=4r-a=gVklUQ;nyF2`Yp*b%c9oQb2Af?nnKCRnXEa{Q~l!+s9{`bARaXJ30jx
zAKQAn|ExX7G4sO#akz~1Tp)B5-LRwC=;uiG^(OFir&%z4oXfB=CLD5)J-U0q!)tI=
z%ZNA|p)7yJEqEK&1#h+gLd)NAP1D1Lnd$8=3;f(IZkhhY
zB5b=l9Tb27IeMTjD1LH5VGfuOC_wrjSB!>{Ph1xi{$0chn!3ycZ&owM<
zz30-uSj|RlL-MUKb9niEqW-Z^DYHJZO3`Xn3-<=lI~#NP?;4Sz@|j<;wJYo0Hs>PZ
jCrsbrG_tUR#V>gRfgC2=qjgW1jO-v82j?1Vholb|(Be*$rVJ&H
zJ&o57V9C^B>wVY8v3BAf9J!Bjh8MuHy3BLTbJepH3GgcJi9NsC+wu0>(&(8n?IJQybNsKR{W^fKJ2~7+
zr?I{ce;C=g461~Nyxqbsb+CXz;B$y0{eNPZtF0?mb~xch1H6(x*5R}jnP6FFX;uKd
zB4*Gp-&3`MrY@^Xj*9+ht<&^7?4%@r`<>#mu>z(jnPa^xR#n=wdu5&Oc!C_T4ade`
z`VE=@Kfe)1D&|G29Of)#G?+h0pLBG`?#RO8m;(6jS(F;>!W1~wf~ILyQ=#T?0)KZE
zyn@TT)kV1Fo%4k&0aUd3I2$aaeqtA>?gJl1^)Z9D6|wQx#hl~UEs)jRyvbkfC6qFE
zI(_W)$=hlbZsXsY0gu+#wKn^@w|Qo}F>z*~Kj&MO&PTADiFfc1G!0!(PdH=j_01uqzowtv^cxz7uqB
z;t!hMEoJ0hv|~vkaf`B%s3`NpKlB2O!Ci!j5$x^}#Q5$P=Zo!blquQcQxm+;lkv$6
zeKW+ZUJ5HZU_WG%_p!^h65CRMck!V0-Cg@YAPEj8X
z(5ZpX5&H^&xorcD#Ui;?c>bBa1+?z2>Sy}zycy?@d21yJC(#kYWe2TOalzr1C7Q(^KFK1#`rwWf?TY#*j=5~+rK@AE5EUxl@FsRJqsZjtYbF|RGnZKH&P%SQw
zW$~4-^$;C(H9e=EF~53O~yew1RD3`%!1&yg@rRbt9L;s{h~bmL))
zCTFzRxOazJXeJ=!)S1k}kD9$X!$o`Yj(G52$GWlerNyApyTEu8;`yYCk~xz16qw%u
z`skkmQyGPJ>bU}|~onuo;AyHaxCfX$mo9VOoaha3aj0UfNeaP!^jsS
z`R&p+Q|n#BUQ6lm!zgpm)7u~J>-TQvw%}fZaCc;iwB>($>E;AK!B=hI->G!?G`Y%#
zGzWEobMg>VgSgMh-_SL^tr!s>H*?Ub=KV|6&2(Qys13G5Ih@1)4U3UQ+7mE2XG5dd
z$MQ`ZcUCjcWp0|LTHA(UO$h~^dm6T1|FkCqvg|pEFPjz9$z@yY^SsbkLn(o{F=Vi&uUYo$D
U@vWzBnT&>?vJk<1`PAt|2>p6B)BajG{B_4TA^Y?LT`%zS;x{?iua8Wi#NuC6xE
zLSy+Zxg;#%+$AJOcL{bdMw4G5(=8oA#~Hn}U{F4e4qrs>c7LmWMmdbME|mooko}14
zb;kUDrMJ@kH34Qcy(SUiOUi6@yS9q$S%~-J!UMJ^996+xMUM1JC`+*Tl^G+{lfQ-w
zQn70PN|sBcCEC!G-|01l{EFJ3&v0XEs
zrFtkI=Sf0GScrxeRB4rRqwMe8fQMY4dF3N8qb#W3!PnsGl;h$VbfT40gZfP#ZlbOC
zcKoc0oOXlw*n5-Yk|RLtG(CfJM`{!udxJ%9PNG?-F@Ma;Lig)faG=F6Ke#BjZiL!f
z9(TCNnMHomFMwiWK&O8>_x`e|Ge*1Yac|{+H_jVEW{KOCf4-CPEpk|gb(2Dkct3{?
z6QCaHt;aTFcHs5Q*$XN~f&^U*Rou@^gj=ejUNTm{+1C8%fp^kd@RkZQP0CmNX|_aB
zfeXIx;D7LhX{)$GB?Jew8E=nxi(zNcPJRSHC)(GH-cNHtKj*OrNQ(KKl9
zN{P!VDYMsAq6wpxBqn4c!7QOKyL0N#GZ7&S>hnwQLi}z04yfIA+r20&VKN
zK6SxaJ@>Rc3g&=?_1=7OTn0K6G}~3r{P*AC<$sC9!6@uLht#SVA^602iTfMrZ*OmK
zcl!vrwU<=dP9dU4Yj@kdKKh2dRI7O5a)0qZq7GA&_--W@cHg~&BuA=qdBsi4*j*w*
z+BdYTzKrr@dq2{W3`&!cyO0~Ut4fo^9K4aYjE?_&9
zF3)^d9TKdbc#*+Fb01ahcK;3oX@9Z$zI%Bvo+jRD?$$-(3+)o}EJPG(GBE0^kEl_Abh4;*Z+?_dF5W)9g}4K}|&-~s*Z`8OfEdVjC^bOxY?Oh&+M
z!ocNIIjTcnsyZaBZ%H0BPrqOD!|tXgxyogyV}}idpBq3OLrraf`tCl7>sb#(-4g-p
zbog+80tr=l
z4t;Au%h=k88NZGm>Jn9ZvOPqS)$kqX;*r7Kvm{KkyrbhWvM@HNLz+QOn$+~yaST
zkb4iiYi?VE%7uI=DQ1p7FPAJg#-RPJoydOO5dtJ&Ge8c1uh=bv8oORovbppVctA?I
zH6a`;vmgVa2SDwl6))>_6QOcQaVE%koXeYU<<-hIJg~6rW2D@w6zk6)m3C?qFbXDz
z&Y^=}vj)#{nDBr=C@t0e$*~);9y)bVtntEK7--GlE}oc?7d{}Xm+Qua$a4*m8W}=`
zuE^lmE%XRJF~^N!+x$bV59L~}icr#B5BlDxNE@49UU36_{ou?~>y-R!5Ese@zPOA~
VVeCoH@hk+CM@*V`nq?>`5lJ_MrwRZ7
diff --git a/solr/test-framework/src/resources/create-keystores.sh b/solr/test-framework/src/resources/create-keystores.sh
new file mode 100755
index 00000000000..0b43f288ba6
--- /dev/null
+++ b/solr/test-framework/src/resources/create-keystores.sh
@@ -0,0 +1,37 @@
+#!/bin/bash -ex
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+############
+
+# This script shows how the keystore files used for solr tests were generated.
+#
+# Running this script should only be necessary if the keystore files need to be
+# replaced, which shouldn't be required until sometime around the year 4751.
+
+# NOTE: if anything below changes, sanity check SSLTestConfig constructor javadocs
+
+echo "### remove old keystores"
+rm -f SSLTestConfig.testing.keystore SSLTestConfig.hostname-and-ip-missmatch.keystore
+
+echo "### create 'localhost' keystore and keys"
+keytool -keystore SSLTestConfig.testing.keystore -storepass "secret" -alias solrtest -keypass "secret" -genkey -keyalg RSA -dname "cn=localhost, ou=SolrTest, o=lucene.apache.org, c=US" -ext "san=dns:localhost,ip:127.0.0.1" -validity 999999
+
+# See https://tools.ietf.org/html/rfc5737
+echo "### create 'Bogus Host' keystore and keys"
+keytool -keystore SSLTestConfig.hostname-and-ip-missmatch.keystore -storepass "secret" -alias solrtest -keypass "secret" -genkey -keyalg RSA -dname "cn=bogus.hostname.tld, ou=SolrTest, o=lucene.apache.org, c=US" -ext "san=dns:bogus.hostname.tld,ip:192.0.2.0" -validity 999999
+
+