Posted to issues@solr.apache.org by "Tomas Eduardo Fernandez Lobbe (Jira)" <ji...@apache.org> on 2023/04/03 19:52:00 UTC

[jira] [Assigned] (SOLR-16735) "Invalid SNI" error when request server name doesn't match host certificate

     [ https://issues.apache.org/jira/browse/SOLR-16735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tomas Eduardo Fernandez Lobbe reassigned SOLR-16735:
----------------------------------------------------

    Assignee: Tomas Eduardo Fernandez Lobbe

> "Invalid SNI" error when request server name doesn't match host certificate
> ---------------------------------------------------------------------------
>
>                 Key: SOLR-16735
>                 URL: https://issues.apache.org/jira/browse/SOLR-16735
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>    Affects Versions: 9.2
>            Reporter: Tomas Eduardo Fernandez Lobbe
>            Assignee: Tomas Eduardo Fernandez Lobbe
>            Priority: Major
>
> Jetty 10 slightly changed the behavior for handling SNI validation. See [Jetty 9.4|https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L262] vs [Jetty 10|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L242]. In Jetty 9, by default (which Solr uses up to version 9.1), the SNI extension was not validated if not present, but in Jetty 10, by default, the host name is validated against the host certificate, and {{400: Invalid SNI}} is thrown if they don't match.
> I think the right approach for Solr is to set {{sniHostCheck}} to {{false}}, and at most provide the option to configure it using Jetty internal sysprops like [here|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/config/etc/jetty-ssl.xml#L56-L61]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
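
A simplified model of the behaviour change described in the issue, added here as an example (it is not Solr or Jetty code): it lists which request hosts were accepted under the Jetty 9 default but return 400 under the Jetty 10 default, which is the set of names to add to the certificate or to cover with the {{sniHostCheck}} setting. The matching rule, function names, certificate names and requests are assumptions constructed for illustration.

```python
# Simplified model of the SNI host check change described in SOLR-16735.
# Assumption: a name matches on a case-insensitive exact comparison, or when a
# "*." certificate name covers exactly one leftmost label. Not Jetty's own code.

def cert_covers(host, cert_names):
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            # Wildcard covers one label: a.example.test, not a.b.example.test.
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def jetty9_status(host, sni_sent, cert_names, sni_host_check=True):
    # Per the issue text: the check is skipped when the client sent no SNI.
    if not sni_host_check or not sni_sent:
        return 200
    return 200 if cert_covers(host, cert_names) else 400

def jetty10_status(host, cert_names, sni_host_check=True):
    # Per the issue text: by default the host name is validated against the certificate.
    if not sni_host_check:
        return 200
    return 200 if cert_covers(host, cert_names) else 400

def upgrade_regressions(requests, cert_names):
    """Hosts accepted under the Jetty 9 model that get 400 under the Jetty 10 model."""
    return [host for host, sni_sent in requests
            if jetty9_status(host, sni_sent, cert_names) == 200
            and jetty10_status(host, cert_names) == 400]

# Constructed sample data: certificate names and (request host, client sent SNI).
CERT_NAMES = ["solr.example.test", "*.search.example.test"]
REQUESTS = [
    ("solr.example.test", True),          # listed in the certificate
    ("node1.search.example.test", True),  # covered by the wildcard name
    ("localhost", False),                 # client sent no SNI
    ("10.0.0.5", False),                  # IP literal, no SNI sent
    ("solr-internal", True),              # alias missing from the certificate
]

if __name__ == "__main__":
    print(upgrade_regressions(REQUESTS, CERT_NAMES))
```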
