From 4e0e8e979b66abdf0778fc0ea86ae5ef5d8f2f91 Mon Sep 17 00:00:00 2001 From: Chris Hostetter Date: Sun, 22 Apr 2018 13:38:37 -0700 Subject: [PATCH] SOLR-9304: Fix Solr's HTTP handling to respect '-Dsolr.ssl.checkPeerName=false' aka SOLR_SSL_CHECK_PEER_NAME --- solr/CHANGES.txt | 5 +- solr/bin/solr | 4 + solr/bin/solr.cmd | 3 + solr/bin/solr.in.cmd | 12 +- solr/bin/solr.in.sh | 16 ++- .../cloud/TestMiniSolrCloudClusterSSL.java | 59 ++++++++++ solr/solr-ref-guide/src/enabling-ssl.adoc | 21 +++- .../client/solrj/impl/HttpClientUtil.java | 59 +++++++++- .../client/solrj/impl/HttpClientUtilTest.java | 108 ++++++++++++++++++ .../org/apache/solr/util/SSLTestConfig.java | 91 +++++++++------ ...tConfig.hostname-and-ip-missmatch.keystore | Bin 0 -> 2246 bytes .../resources/SSLTestConfig.testing.keystore | Bin 2208 -> 2207 bytes .../src/resources/create-keystores.sh | 37 ++++++ 13 files changed, 363 insertions(+), 52 deletions(-) create mode 100644 solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java create mode 100644 solr/test-framework/src/resources/SSLTestConfig.hostname-and-ip-missmatch.keystore create mode 100755 solr/test-framework/src/resources/create-keystores.sh diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt index efa60002a10..a9e63f3d143 100644 --- a/solr/CHANGES.txt +++ b/solr/CHANGES.txt @@ -176,7 +176,10 @@ Bug Fixes * SOLR-6286: TestReplicationHandler.doTestReplicateAfterCoreReload(): stop checking for identical commits before/after master core reload; and make non-nightly mode test 10 docs instead of 0. (shalin, hossman, Mark Miller, Steve Rowe) - + +* SOLR-9304: Fix Solr's HTTP handling to respect '-Dsolr.ssl.checkPeerName=false' aka SOLR_SSL_CHECK_PEER_NAME + (Shawn Heisey, Carlton Findley, Robby Pond, hossman) + Optimizations ---------------------- diff --git a/solr/bin/solr b/solr/bin/solr index 3cda7825933..68d1140df6b 100755 --- a/solr/bin/solr +++ b/solr/bin/solr @@ -224,6 +224,10 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then fi fi + if [ -n "$SOLR_SSL_CHECK_PEER_NAME" ]; then + SOLR_SSL_OPTS+=" -Dsolr.ssl.checkPeerName=$SOLR_SSL_CHECK_PEER_NAME" + fi + if [ -n "$SOLR_SSL_CLIENT_TRUST_STORE" ]; then SOLR_SSL_OPTS+=" -Djavax.net.ssl.trustStore=$SOLR_SSL_CLIENT_TRUST_STORE" diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd index e9f6c45e3f2..7235a4c3ef6 100644 --- a/solr/bin/solr.cmd +++ b/solr/bin/solr.cmd @@ -111,6 +111,9 @@ IF "%SOLR_SSL_ENABLED%"=="true" ( set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Djavax.net.ssl.trustStoreType=%SOLR_SSL_TRUST_STORE_TYPE%" ) ) + IF DEFINED SOLR_SSL_CHECK_PEER_NAME ( + set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.checkPeerName=%SOLR_SSL_CHECK_PEER_NAME%" + ) ) ELSE ( set SOLR_SSL_OPTS= ) diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd index a1771ad2458..86ad7084f10 100644 --- a/solr/bin/solr.in.cmd +++ b/solr/bin/solr.in.cmd @@ -103,20 +103,26 @@ REM Uncomment to set SSL-related system properties REM Be sure to update the paths to the correct keystore for your environment REM set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks REM set SOLR_SSL_KEY_STORE_PASSWORD=secret -REM set SOLR_SSL_KEY_STORE_TYPE=JKS REM set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks REM set SOLR_SSL_TRUST_STORE_PASSWORD=secret -REM set SOLR_SSL_TRUST_STORE_TYPE=JKS +REM Require clients to authenticate REM set SOLR_SSL_NEED_CLIENT_AUTH=false +REM Enable clients to authenticate (but not require) REM set SOLR_SSL_WANT_CLIENT_AUTH=false +REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting +REM this to false can be useful to disable these checks when re-using a certificate on many hosts +REM set SOLR_SSL_CHECK_PEER_NAME=true +REM Override Key/Trust Store types if necessary +REM set SOLR_SSL_KEY_STORE_TYPE=JKS +REM set SOLR_SSL_TRUST_STORE_TYPE=JKS REM Uncomment if you want to override previously defined SSL values for HTTP client REM otherwise keep them commented and the above values will automatically be set for HTTP clients REM set SOLR_SSL_CLIENT_KEY_STORE= REM set SOLR_SSL_CLIENT_KEY_STORE_PASSWORD= -REM set SOLR_SSL_CLIENT_KEY_STORE_TYPE= REM set SOLR_SSL_CLIENT_TRUST_STORE= REM set SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD= +REM set SOLR_SSL_CLIENT_KEY_STORE_TYPE= REM set SOLR_SSL_CLIENT_TRUST_STORE_TYPE= REM Sets path of Hadoop credential provider (hadoop.security.credential.provider.path property) and diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh index 7cf6a8438cd..9b15beaa2db 100644 --- a/solr/bin/solr.in.sh +++ b/solr/bin/solr.in.sh @@ -118,22 +118,28 @@ #SOLR_SSL_ENABLED=true # Uncomment to set SSL-related system properties # Be sure to update the paths to the correct keystore for your environment -#SOLR_SSL_KEY_STORE=/home/shalin/work/oss/shalin-lusolr/solr/server/etc/solr-ssl.keystore.jks +#SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks #SOLR_SSL_KEY_STORE_PASSWORD=secret -#SOLR_SSL_KEY_STORE_TYPE=JKS -#SOLR_SSL_TRUST_STORE=/home/shalin/work/oss/shalin-lusolr/solr/server/etc/solr-ssl.keystore.jks +#SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks #SOLR_SSL_TRUST_STORE_PASSWORD=secret -#SOLR_SSL_TRUST_STORE_TYPE=JKS +# Require clients to authenticate #SOLR_SSL_NEED_CLIENT_AUTH=false +# Enable clients to authenticate (but not require) #SOLR_SSL_WANT_CLIENT_AUTH=false +# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting +# this to false can be useful to disable these checks when re-using a certificate on many hosts +#SOLR_SSL_CHECK_PEER_NAME=true +# Override Key/Trust Store types if necessary +#SOLR_SSL_KEY_STORE_TYPE=JKS +#SOLR_SSL_TRUST_STORE_TYPE=JKS # Uncomment if you want to override previously defined SSL values for HTTP client # otherwise keep them commented and the above values will automatically be set for HTTP clients #SOLR_SSL_CLIENT_KEY_STORE= #SOLR_SSL_CLIENT_KEY_STORE_PASSWORD= -#SOLR_SSL_CLIENT_KEY_STORE_TYPE= #SOLR_SSL_CLIENT_TRUST_STORE= #SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD= +#SOLR_SSL_CLIENT_KEY_STORE_TYPE= #SOLR_SSL_CLIENT_TRUST_STORE_TYPE= # Sets path of Hadoop credential provider (hadoop.security.credential.provider.path property) and diff --git a/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java b/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java index 98f952a50b0..7a6606ac8f7 100644 --- a/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java +++ b/solr/core/src/test/org/apache/solr/cloud/TestMiniSolrCloudClusterSSL.java @@ -17,6 +17,7 @@ package org.apache.solr.cloud; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLException; import java.io.IOException; import java.lang.invoke.MethodHandles; import java.util.List; @@ -32,6 +33,8 @@ import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; import org.apache.lucene.util.Constants; +import org.apache.lucene.util.TestRuleRestoreSystemProperties; + import org.apache.solr.SolrTestCaseJ4; import org.apache.solr.client.solrj.SolrServerException; import org.apache.solr.client.solrj.embedded.JettyConfig; @@ -46,6 +49,9 @@ import org.apache.solr.common.params.CoreAdminParams.CoreAdminAction; import org.apache.solr.util.SSLTestConfig; import org.junit.After; import org.junit.Before; +import org.junit.Rule; +import org.junit.rules.TestRule; + import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -72,6 +78,10 @@ public class TestMiniSolrCloudClusterSSL extends SolrTestCaseJ4 { public static final int NUM_SERVERS = 3; public static final String CONF_NAME = MethodHandles.lookup().lookupClass().getName(); + @Rule + public TestRule syspropRestore = new TestRuleRestoreSystemProperties + (HttpClientUtil.SYS_PROP_CHECK_PEER_NAME); + @Before public void before() { // undo the randomization of our super class @@ -120,6 +130,13 @@ public class TestMiniSolrCloudClusterSSL extends SolrTestCaseJ4 { checkClusterWithNodeReplacement(sslConfig); } + public void testSslWithCheckPeerName() throws Exception { + final SSLTestConfig sslConfig = new SSLTestConfig(true, false, true); + HttpClientUtil.setSchemaRegistryProvider(sslConfig.buildClientSchemaRegistryProvider()); + System.setProperty(ZkStateReader.URL_SCHEME, "https"); + checkClusterWithNodeReplacement(sslConfig); + } + /** * Constructs a cluster with the specified sslConfigs, runs {@link #checkClusterWithCollectionCreations}, * then verifies that if we modify the default SSLContext (mimicing javax.net.ssl.* @@ -142,6 +159,8 @@ public class TestMiniSolrCloudClusterSSL extends SolrTestCaseJ4 { // our test config doesn't use SSL, and reset HttpClientUtil to it's defaults so it picks up our // SSLContext that way. SSLContext.setDefault( sslConfig.isSSLMode() ? sslConfig.buildClientSSLContext() : DEFAULT_SSL_CONTEXT); + System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, + Boolean.toString(sslConfig.getCheckPeerName())); HttpClientUtil.resetHttpClientBuilder(); // recheck that we can communicate with all the jetty instances in our cluster @@ -151,6 +170,46 @@ public class TestMiniSolrCloudClusterSSL extends SolrTestCaseJ4 { } } + /** Sanity check that our test scaffolding for validating SSL peer names fails when it should */ + public void testSslWithInvalidPeerName() throws Exception { + // NOTE: first initialize the cluster w/o peer name checks, which means our server will use + // certs with a bogus hostname/ip and clients shouldn't care... + final SSLTestConfig sslConfig = new SSLTestConfig(true, false, false); + HttpClientUtil.setSchemaRegistryProvider(sslConfig.buildClientSchemaRegistryProvider()); + System.setProperty(ZkStateReader.URL_SCHEME, "https"); + final JettyConfig config = JettyConfig.builder().withSSLConfig(sslConfig).build(); + final MiniSolrCloudCluster cluster = new MiniSolrCloudCluster(NUM_SERVERS, createTempDir(), config); + try { + checkClusterWithCollectionCreations(cluster, sslConfig); + + // now initialize a client that still uses the existing SSLContext/Provider, so it will accept + // our existing certificate, but *does* care about validating the peer name + System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, "true"); + HttpClientUtil.resetHttpClientBuilder(); + + // and validate we get failures when trying to talk to our cluster... + final List jettys = cluster.getJettySolrRunners(); + for (JettySolrRunner jetty : jettys) { + final String baseURL = jetty.getBaseUrl().toString(); + // verify new solr clients validate peer name and can't talk to this server + Exception ex = expectThrows(SolrServerException.class, () -> { + try (HttpSolrClient client = getRandomizedHttpSolrClient(baseURL)) { + CoreAdminRequest req = new CoreAdminRequest(); + req.setAction( CoreAdminAction.STATUS ); + client.request(req); + } + }); + assertTrue("Expected an root cause SSL Exception, got: " + ex.toString(), + ex.getCause() instanceof SSLException); + } + } finally { + cluster.shutdown(); + } + + + + } + /** * General purpose cluster sanity check... *
    diff --git a/solr/solr-ref-guide/src/enabling-ssl.adoc b/solr/solr-ref-guide/src/enabling-ssl.adoc index b641bfd6807..35bc1d807f7 100644 --- a/solr/solr-ref-guide/src/enabling-ssl.adoc +++ b/solr/solr-ref-guide/src/enabling-ssl.adoc @@ -77,6 +77,11 @@ NOTE: If you setup Solr as a service on Linux using the steps outlined in < + * This property will have no effect if {@link #setSchemaRegistryProvider} is used to override + * the default {@link SchemaRegistryProvider} + *

    + */ public static final String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.checkPeerName"; // * NOTE* The following params configure the default request config and this @@ -181,6 +192,9 @@ public class HttpClientUtil { httpClientBuilder = newHttpClientBuilder; } + /** + * @see #SYS_PROP_CHECK_PEER_NAME + */ public static void setSchemaRegistryProvider(SchemaRegistryProvider newRegistryProvider) { schemaRegistryProvider = newRegistryProvider; } @@ -188,7 +202,10 @@ public class HttpClientUtil { public static SolrHttpClientBuilder getHttpClientBuilder() { return httpClientBuilder; } - + + /** + * @see #SYS_PROP_CHECK_PEER_NAME + */ public static SchemaRegistryProvider getSchemaRegisteryProvider() { return schemaRegistryProvider; } @@ -205,9 +222,22 @@ public class HttpClientUtil { // except that we explicitly use SSLConnectionSocketFactory.getSystemSocketFactory() // to pick up the system level default SSLContext (where javax.net.ssl.* properties // related to keystore & truststore are specified) - RegistryBuilder builder = RegistryBuilder.create(); + RegistryBuilder builder = RegistryBuilder. create(); builder.register("http", PlainConnectionSocketFactory.getSocketFactory()); - builder.register("https", SSLConnectionSocketFactory.getSystemSocketFactory()); + + // logic to turn off peer host check + SSLConnectionSocketFactory sslConnectionSocketFactory = null; + boolean sslCheckPeerName = toBooleanDefaultIfNull( + toBooleanObject(System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME)), true); + if (sslCheckPeerName) { + sslConnectionSocketFactory = SSLConnectionSocketFactory.getSystemSocketFactory(); + } else { + sslConnectionSocketFactory = new SSLConnectionSocketFactory(SSLContexts.createSystemDefault(), + NoopHostnameVerifier.INSTANCE); + logger.debug(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME + "is false, hostname checks disabled."); + } + builder.register("https", sslConnectionSocketFactory); + return builder.build(); } } @@ -459,5 +489,26 @@ public class HttpClientUtil { cookiePolicy = policyName; } + /** + * @lucene.internal + */ + static boolean toBooleanDefaultIfNull(Boolean bool, boolean valueIfNull) { + if (bool == null) { + return valueIfNull; + } + return bool.booleanValue() ? true : false; + } + /** + * @lucene.internal + */ + static Boolean toBooleanObject(String str) { + if ("true".equalsIgnoreCase(str)) { + return Boolean.TRUE; + } else if ("false".equalsIgnoreCase(str)) { + return Boolean.FALSE; + } + // no match + return null; + } } diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java new file mode 100644 index 00000000000..ce2f8b7875d --- /dev/null +++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpClientUtilTest.java @@ -0,0 +1,108 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.solr.client.solrj.impl; + +import javax.net.ssl.HostnameVerifier; +import java.io.IOException; + +import org.apache.solr.client.solrj.impl.HttpClientUtil.SchemaRegistryProvider; + +import org.apache.commons.lang.reflect.FieldUtils; +import org.apache.http.conn.socket.ConnectionSocketFactory; +import org.apache.http.conn.ssl.DefaultHostnameVerifier; +import org.apache.http.conn.ssl.NoopHostnameVerifier; +import org.apache.http.conn.ssl.SSLConnectionSocketFactory; +import org.apache.lucene.util.LuceneTestCase; +import org.apache.lucene.util.TestRuleRestoreSystemProperties; + +import org.junit.After; +import org.junit.Rule; +import org.junit.rules.TestRule; +import org.junit.Test; + +public class HttpClientUtilTest extends LuceneTestCase { + + @Rule + public TestRule syspropRestore = new TestRuleRestoreSystemProperties + (HttpClientUtil.SYS_PROP_CHECK_PEER_NAME); + + @After + public void resetHttpClientBuilder() { + HttpClientUtil.resetHttpClientBuilder(); + } + + public void testSSLSystemProperties() throws IOException { + + assertNotNull("HTTPS scheme could not be created using system defaults", + HttpClientUtil.getSchemaRegisteryProvider().getSchemaRegistry().lookup("https")); + + assertSSLHostnameVerifier(DefaultHostnameVerifier.class, HttpClientUtil.getSchemaRegisteryProvider()); + + System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, "true"); + resetHttpClientBuilder(); + assertSSLHostnameVerifier(DefaultHostnameVerifier.class, HttpClientUtil.getSchemaRegisteryProvider()); + + System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, ""); + resetHttpClientBuilder(); + assertSSLHostnameVerifier(DefaultHostnameVerifier.class, HttpClientUtil.getSchemaRegisteryProvider()); + + System.setProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME, "false"); + resetHttpClientBuilder(); + assertSSLHostnameVerifier(NoopHostnameVerifier.class, HttpClientUtil.getSchemaRegisteryProvider()); + } + + private void assertSSLHostnameVerifier(Class expected, + SchemaRegistryProvider provider) { + ConnectionSocketFactory socketFactory = provider.getSchemaRegistry().lookup("https"); + assertNotNull("unable to lookup https", socketFactory); + assertTrue("socketFactory is not an SSLConnectionSocketFactory: " + socketFactory.getClass(), + socketFactory instanceof SSLConnectionSocketFactory); + SSLConnectionSocketFactory sslSocketFactory = (SSLConnectionSocketFactory) socketFactory; + try { + Object hostnameVerifier = FieldUtils.readField(sslSocketFactory, "hostnameVerifier", true); + assertNotNull("sslSocketFactory has null hostnameVerifier", hostnameVerifier); + assertEquals("sslSocketFactory does not have expected hostnameVerifier impl", + expected, hostnameVerifier.getClass()); + } catch (IllegalAccessException e) { + throw new AssertionError("Unexpected access error reading hostnameVerifier field", e); + } + } + + @Test + public void testToBooleanDefaultIfNull() throws Exception { + assertFalse(HttpClientUtil.toBooleanDefaultIfNull(Boolean.FALSE, true)); + assertTrue(HttpClientUtil.toBooleanDefaultIfNull(Boolean.TRUE, false)); + assertFalse(HttpClientUtil.toBooleanDefaultIfNull(null, false)); + assertTrue(HttpClientUtil.toBooleanDefaultIfNull(null, true)); + } + + @Test + public void testToBooleanObject() throws Exception { + assertEquals(Boolean.TRUE, HttpClientUtil.toBooleanObject("true")); + assertEquals(Boolean.TRUE, HttpClientUtil.toBooleanObject("TRUE")); + assertEquals(Boolean.TRUE, HttpClientUtil.toBooleanObject("tRuE")); + + assertEquals(Boolean.FALSE, HttpClientUtil.toBooleanObject("false")); + assertEquals(Boolean.FALSE, HttpClientUtil.toBooleanObject("FALSE")); + assertEquals(Boolean.FALSE, HttpClientUtil.toBooleanObject("fALSE")); + + assertEquals(null, HttpClientUtil.toBooleanObject("t")); + assertEquals(null, HttpClientUtil.toBooleanObject("f")); + assertEquals(null, HttpClientUtil.toBooleanObject("foo")); + assertEquals(null, HttpClientUtil.toBooleanObject(null)); + } +} diff --git a/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java b/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java index 8268fcdcc11..3b03f6e1711 100644 --- a/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java +++ b/solr/test-framework/src/java/org/apache/solr/util/SSLTestConfig.java @@ -16,8 +16,6 @@ */ package org.apache.solr.util; -import javax.net.ssl.SSLContext; -import java.io.IOException; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.KeyStoreException; @@ -27,15 +25,17 @@ import java.security.SecureRandomSpi; import java.security.UnrecoverableKeyException; import java.util.Random; +import javax.net.ssl.SSLContext; + import org.apache.http.config.Registry; import org.apache.http.config.RegistryBuilder; import org.apache.http.conn.socket.ConnectionSocketFactory; import org.apache.http.conn.socket.PlainConnectionSocketFactory; +import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; -import org.apache.http.conn.ssl.SSLContextBuilder; -import org.apache.http.conn.ssl.SSLContexts; -import org.apache.http.conn.ssl.SSLSocketFactory; import org.apache.http.conn.ssl.TrustSelfSignedStrategy; +import org.apache.http.ssl.SSLContextBuilder; +import org.apache.http.ssl.SSLContexts; import org.apache.solr.client.solrj.embedded.SSLConfig; import org.apache.solr.client.solrj.impl.HttpClientUtil; import org.apache.solr.client.solrj.impl.HttpClientUtil.SchemaRegistryProvider; @@ -49,9 +49,11 @@ import org.eclipse.jetty.util.ssl.SslContextFactory; */ public class SSLTestConfig extends SSLConfig { - private static final String TEST_KEYSTORE_RESOURCE = "SSLTestConfig.testing.keystore"; + private static final String TEST_KEYSTORE_BOGUSHOST_RESOURCE = "SSLTestConfig.hostname-and-ip-missmatch.keystore"; + private static final String TEST_KEYSTORE_LOCALHOST_RESOURCE = "SSLTestConfig.testing.keystore"; private static final String TEST_KEYSTORE_PASSWORD = "secret"; + private final boolean checkPeerName; private final Resource keyStore; private final Resource trustStore; @@ -59,44 +61,59 @@ public class SSLTestConfig extends SSLConfig { public SSLTestConfig() { this(false, false); } - - /** - * Create an SSLTestConfig based on a few caller specified options. As needed, - * keystore/truststore information will be pulled from a hardocded resource file provided - * by the solr test-framework. + + /** + * Create an SSLTestConfig based on a few caller specified options, + * implicitly assuming checkPeerName=false. + *

    + * As needed, keystore/truststore information will be pulled from a hardcoded resource + * file provided by the solr test-framework + *

    * - * @param useSSL - wether SSL should be required. + * @param useSSL - whether SSL should be required. * @param clientAuth - whether client authentication should be required. */ public SSLTestConfig(boolean useSSL, boolean clientAuth) { + this(useSSL, clientAuth, false); + } + + // NOTE: if any javadocs below change, update create-keystores.sh + /** + * Create an SSLTestConfig based on a few caller specified options. As needed, + * keystore/truststore information will be pulled from a hardcoded resource files provided + * by the solr test-framework based on the value of checkPeerName: + *
      + *
    • true - A keystore resource file will be used that specifies + * a CN of localhost and a SAN IP of 127.0.0.1, to + * ensure that all connections should be valid regardless of what machine runs the tests.
    • + *
    • false - A keystore resource file will be used that specifies + * a bogus hostname in the CN and reserved IP as the SAN, since no (valid) tests using this + * SSLTestConfig should care what CN/SAN are.
    • + *
    + * + * @param useSSL - whether SSL should be required. + * @param clientAuth - whether client authentication should be required. + * @param checkPeerName - whether the client should validate the 'peer name' of the SSL Certificate (and which testing Cert should be used) + * @see HttpClientUtil#SYS_PROP_CHECK_PEER_NAME + */ + public SSLTestConfig(boolean useSSL, boolean clientAuth, boolean checkPeerName) { super(useSSL, clientAuth, null, TEST_KEYSTORE_PASSWORD, null, TEST_KEYSTORE_PASSWORD); - trustStore = keyStore = Resource.newClassPathResource(TEST_KEYSTORE_RESOURCE); + this.checkPeerName = checkPeerName; + + final String resourceName = checkPeerName + ? TEST_KEYSTORE_LOCALHOST_RESOURCE : TEST_KEYSTORE_BOGUSHOST_RESOURCE; + trustStore = keyStore = Resource.newClassPathResource(resourceName); if (null == keyStore || ! keyStore.exists() ) { throw new IllegalStateException("Unable to locate keystore resource file in classpath: " - + TEST_KEYSTORE_RESOURCE); + + resourceName); } } - /** - * Helper utility for building resources from arbitrary user input paths/urls - * if input is null, returns null; otherwise attempts to build Resource and verifies that Resource exists. - */ - private static final Resource tryNewResource(String userInput, String type) { - if (null == userInput) { - return null; - } - Resource result; - try { - result = Resource.newResource(userInput); - } catch (IOException e) { - throw new IllegalArgumentException("Can't build " + type + " Resource: " + e.getMessage(), e); - } - if (! result.exists()) { - throw new IllegalArgumentException(type + " Resource does not exist " + result.getName()); - } - return result; + /** If true, then servers hostname/ip should be validated against the SSL Cert metadata */ + public boolean getCheckPeerName() { + return checkPeerName; } - + /** * NOTE: This method is meaningless in SSLTestConfig. * @return null @@ -175,7 +192,7 @@ public class SSLTestConfig extends SSLConfig { SSLContextBuilder builder = SSLContexts.custom(); builder.setSecureRandom(NotSecurePsuedoRandom.INSTANCE); - + builder.loadKeyMaterial(buildKeyStore(keyStore, getKeyStorePassword()), getKeyStorePassword().toCharArray()); if (isClientAuthMode()) { @@ -229,11 +246,9 @@ public class SSLTestConfig extends SSLConfig { } SSLConnectionSocketFactory sslConnectionFactory; try { - boolean sslCheckPeerName = toBooleanDefaultIfNull(toBooleanObject(System.getProperty(HttpClientUtil.SYS_PROP_CHECK_PEER_NAME)), true); SSLContext sslContext = buildClientSSLContext(); - if (sslCheckPeerName == false) { - sslConnectionFactory = new SSLConnectionSocketFactory - (sslContext, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); + if (checkPeerName == false) { + sslConnectionFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE); } else { sslConnectionFactory = new SSLConnectionSocketFactory(sslContext); } diff --git a/solr/test-framework/src/resources/SSLTestConfig.hostname-and-ip-missmatch.keystore b/solr/test-framework/src/resources/SSLTestConfig.hostname-and-ip-missmatch.keystore new file mode 100644 index 0000000000000000000000000000000000000000..691a3bee02598ac830ffd457736b7f683b0b47f7 GIT binary patch literal 2246 zcmcIlS5#Ap7R@CgLg+Pgl-|S}iXl=&K|qS32qKDvlA(m&CWr_G1e8IFih?xhU65Xc z41^|Kz(NrWMM71OF7R;H`=2AFjh+a-iRPro96rj7pN4odO^cmlw@`x}3H#xgh*ONu$htp1 z7a5>4g#Yp@$^DR7H64P9FKm6em*Pv!3!%Fm#pQElOA;T@4y05J={h}3ZZMw043=JP zLeeWG1UwvU)!KBKDM#P74%5qnj*u6mt#=*!?dYFxGuE4Z?mw1WDp)tyT*M{W68m5k zEhSa4k+gkiCo=M>`Ehp2&e?nx!q@qZn|E0{?1fe@8))4etlwNCS9--S8&sH6n0gfy z)8hw^`dbhl7gsa5votnUo3eXp0@2sVSZPy*g@?n1T(k%QN(j?TJ-kQND_>To;@Xl< zBF;fv0QZD9?zPXZ;XL!vg`W`SyvUI$a+N)*aSg-j{Gc&nSJ;FICtvY1)A!x8ALR&S z!F5z2ViWnbUkPXDnf<)hEf)5);I67cpvEWx5|0>6_w>}}{+_28BTu@vz5l-R_%M#V z##znI&@UQXzw~nAY@b;(#kGK3X{kt5d$V)~3ZD1F2yIXa_M_>dd?v@#qbFO{BJ#T; zLENH^dD%RIdJU&9zaN%Q3c6S)S?%RmmbE7q&?{&-aBuojTMBbcDz;a?ITJo}W>v?+ z_O(?RcP>l2@#fHg+pqRXiKOorb%abZ1mCCP*=Ijtk1{qoj2@NLXh#|9p_ZS8=O_AX zm%ZwYn8)O%s*TM%5ODc+tjQ z_-OTFl*Mp$l*l2pHY*B-IBEj+CzUw%4I^Eb)Ppo;*W9iTAMcvdh zR_{d_Sm=jS%dgDWjafBkH&u0yomqs7Y#jCr<_RhzOHfQf6tc(oj;&N7(MC4C zzlbolV3GzcKFr@(`kP+Kz41%c#E3aL=t0EOx9`1*DxqGukEOyv#u z-X!>WHfh6fd|&`)d;@dGC?RVE5xW~W^-+A1ogx;9;p<@AWE|%tHYtK%ZVdKr6}Ucc zMP9!b>ZOgRi@E)Alvdv~zT70ENp3RTFHcLu-Kx+e&9`)Z3!C(%@-Opf64|H zuFrnRIkQ@eRZ6uzibhmtKj4jx(s_ABrtWiJ(SdF3cC^G?g8IVHRHjX7m}YahgM`Ny zCy+s3!RLtB&K)U=W423IyfDjIWEZAo^2_MrgQrif_0Ax?h2s(BaQUdimD(60)gHG zNl+q4qQhlD=>R%97@^*q4P=2c%0(GO?XUm<6FmgHiDCj7;ZRE$oQuxV0wnQsevjeH6>+~8tS|aADaqV^*pGIQu#0O|7=bI#Qr_%i4j0a02>4( z0SG!006+>;uSS13MsZ7B7cYKXwNh1rqL=)8*Yx4OwqdzRw~yRW>Q%J~)w2rw;S%}> zqA>*=4r-a=gVklUQ;nyF2`Yp*b%c9oQb2Af?nnKCRnXEa{Q~l!+s9{`bARaXJ30jx zAKQAn|ExX7G4sO#akz~1Tp)B5-LRwC=;uiG^(OFir&%z4oXfB=CLD5)J-U0q!)tI= z%ZNA|p)7yJEqEK&1#h+gLd)NAP1D1Lnd$8=3;f(IZkhhY zB5b=l9Tb27IeMTjD1LH5VGfuOC_wrjSB!>{Ph1xi{$0chn!3ycZ&owM< zz30-uSj|RlL-MUKb9niEqW-Z^DYHJZO3`Xn3-<=lI~#NP?;4Sz@|j<;wJYo0Hs>PZ jCrsbrG_tUR#V>gRfgC2=qjgW1jO-v82j?1Vholb|(Be*$rVJ&H zJ&o57V9C^B>wVY8v3BAf9J!Bjh8MuHy3BLTbJepH3GgcJi9NsC+wu0>(&(8n?IJQybNsKR{W^fKJ2~7+ zr?I{ce;C=g461~Nyxqbsb+CXz;B$y0{eNPZtF0?mb~xch1H6(x*5R}jnP6FFX;uKd zB4*Gp-&3`MrY@^Xj*9+ht<&^7?4%@r`<>#mu>z(jnPa^xR#n=wdu5&Oc!C_T4ade` z`VE=@Kfe)1D&|G29Of)#G?+h0pLBG`?#RO8m;(6jS(F;>!W1~wf~ILyQ=#T?0)KZE zyn@TT)kV1Fo%4k&0aUd3I2$aaeqtA>?gJl1^)Z9D6|wQx#hl~UEs)jRyvbkfC6qFE zI(_W)$=hlbZsXsY0gu+#wKn^@w|Qo}F>z*~Kj&MO&PTADiFfc1G!0!(PdH=j_01uqzowtv^cxz7uqB z;t!hMEoJ0hv|~vkaf`B%s3`NpKlB2O!Ci!j5$x^}#Q5$P=Zo!blquQcQxm+;lkv$6 zeKW+ZUJ5HZU_WG%_p!^h65CRMck!V0-Cg@YAPEj8X z(5ZpX5&H^&xorcD#Ui;?c>bBa1+?z2>Sy}zycy?@d21yJC(#kYWe2TOalzr1C7Q(^KFK1#`rwWf?TY#*j=5~+rK@AE5EUxl@FsRJqsZjtYbF|RGnZKH&P%SQw zW$~4-^$;C(H9e=EF~53O~yew1RD3`%!1&yg@rRbt9L;s{h~bmL)) zCTFzRxOazJXeJ=!)S1k}kD9$X!$o`Yj(G52$GWlerNyApyTEu8;`yYCk~xz16qw%u z`skkmQyGPJ>bU}|~onuo;AyHaxCfX$mo9VOoaha3aj0UfNeaP!^jsS z`R&p+Q|n#BUQ6lm!zgpm)7u~J>-TQvw%}fZaCc;iwB>($>E;AK!B=hI->G!?G`Y%# zGzWEobMg>VgSgMh-_SL^tr!s>H*?Ub=KV|6&2(Qys13G5Ih@1)4U3UQ+7mE2XG5dd z$MQ`ZcUCjcWp0|LTHA(UO$h~^dm6T1|FkCqvg|pEFPjz9$z@yY^SsbkLn(o{F=Vi&uUYo$D U@vWzBnT&>?vJk<1`PAt|2>p6B)BajG{B_4TA^Y?LT`%zS;x{?iua8Wi#NuC6xE zLSy+Zxg;#%+$AJOcL{bdMw4G5(=8oA#~Hn}U{F4e4qrs>c7LmWMmdbME|mooko}14 zb;kUDrMJ@kH34Qcy(SUiOUi6@yS9q$S%~-J!UMJ^996+xMUM1JC`+*Tl^G+{lfQ-w zQn70PN|sBcCEC!G-|01l{EFJ3&v0XEs zrFtkI=Sf0GScrxeRB4rRqwMe8fQMY4dF3N8qb#W3!PnsGl;h$VbfT40gZfP#ZlbOC zcKoc0oOXlw*n5-Yk|RLtG(CfJM`{!udxJ%9PNG?-F@Ma;Lig)faG=F6Ke#BjZiL!f z9(TCNnMHomFMwiWK&O8>_x`e|Ge*1Yac|{+H_jVEW{KOCf4-CPEpk|gb(2Dkct3{? z6QCaHt;aTFcHs5Q*$XN~f&^U*Rou@^gj=ejUNTm{+1C8%fp^kd@RkZQP0CmNX|_aB zfeXIx;D7LhX{)$GB?Jew8E=nxi(zNcPJRSHC)(GH-cNHtKj*OrNQ(KKl9 zN{P!VDYMsAq6wpxBqn4c!7QOKyL0N#GZ7&S>hnwQLi}z04yfIA+r20&VKN zK6SxaJ@>Rc3g&=?_1=7OTn0K6G}~3r{P*AC<$sC9!6@uLht#SVA^602iTfMrZ*OmK zcl!vrwU<=dP9dU4Yj@kdKKh2dRI7O5a)0qZq7GA&_--W@cHg~&BuA=qdBsi4*j*w* z+BdYTzKrr@dq2{W3`&!cyO0~Ut4fo^9K4aYjE?_&9 zF3)^d9TKdbc#*+Fb01ahcK;3oX@9Z$zI%Bvo+jRD?$$-(3+)o}EJPG(GBE0^kEl_Abh4;*Z+?_dF5W)9g}4K}|&-~s*Z`8OfEdVjC^bOxY?Oh&+M z!ocNIIjTcnsyZaBZ%H0BPrqOD!|tXgxyogyV}}idpBq3OLrraf`tCl7>sb#(-4g-p zbog+80tr=l z4t;Au%h=k88NZGm>Jn9ZvOPqS)$kqX;*r7Kvm{KkyrbhWvM@HNLz+QOn$+~yaST_6QOcQaVE%koXeYU<<-hIJg~6rW2D@w6zk6)m3C?qFbXDz z&Y^=}vj)#{nDBr=C@t0e$*~);9y)bVtntEK7--GlE}oc?7d{}Xm+Qua$a4*m8W}=` zuE^lmE%XRJF~^N!+x$bV59L~}icr#B5BlDxNE@49UU36_{ou?~>y-R!5Ese@zPOA~ VVeCoH@hk+CM@*V`nq?>`5lJ_MrwRZ7 diff --git a/solr/test-framework/src/resources/create-keystores.sh b/solr/test-framework/src/resources/create-keystores.sh new file mode 100755 index 00000000000..0b43f288ba6 --- /dev/null +++ b/solr/test-framework/src/resources/create-keystores.sh @@ -0,0 +1,37 @@ +#!/bin/bash -ex + +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +############ + +# This script shows how the keystore files used for solr tests were generated. +# +# Running this script should only be necessary if the keystore files need to be +# replaced, which shouldn't be required until sometime around the year 4751. + +# NOTE: if anything below changes, sanity check SSLTestConfig constructor javadocs + +echo "### remove old keystores" +rm -f SSLTestConfig.testing.keystore SSLTestConfig.hostname-and-ip-missmatch.keystore + +echo "### create 'localhost' keystore and keys" +keytool -keystore SSLTestConfig.testing.keystore -storepass "secret" -alias solrtest -keypass "secret" -genkey -keyalg RSA -dname "cn=localhost, ou=SolrTest, o=lucene.apache.org, c=US" -ext "san=dns:localhost,ip:127.0.0.1" -validity 999999 + +# See https://tools.ietf.org/html/rfc5737 +echo "### create 'Bogus Host' keystore and keys" +keytool -keystore SSLTestConfig.hostname-and-ip-missmatch.keystore -storepass "secret" -alias solrtest -keypass "secret" -genkey -keyalg RSA -dname "cn=bogus.hostname.tld, ou=SolrTest, o=lucene.apache.org, c=US" -ext "san=dns:bogus.hostname.tld,ip:192.0.2.0" -validity 999999 + +