Posted to commits@solr.apache.org by ho...@apache.org on 2023/09/08 15:04:58 UTC
[solr] branch branch_9x updated: SOLR-16964: Default the sniHostCheck setting to the checkPeerName envVar (#1897)
This is an automated email from the ASF dual-hosted git repository.
houston pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/branch_9x by this push:
new e551b8fe96d SOLR-16964: Default the sniHostCheck setting to the checkPeerName envVar (#1897)
e551b8fe96d is described below
commit e551b8fe96db49362a9c2ce2cf49f4af911753e6
Author: Houston Putman <ho...@apache.org>
AuthorDate: Fri Sep 8 11:01:52 2023 -0400
SOLR-16964: Default the sniHostCheck setting to the checkPeerName envVar (#1897)
(cherry picked from commit 7ae613c6c3fcefb9393ef55ca4501e7452cc4ca1)
---
solr/CHANGES.txt | 5 +++++
solr/bin/solr | 2 +-
solr/bin/solr.cmd | 2 +-
solr/bin/solr.in.cmd | 3 ++-
solr/bin/solr.in.sh | 3 ++-
.../solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc | 6 ++++--
.../modules/upgrade-notes/pages/major-changes-in-solr-9.adoc | 4 ++++
7 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 9bb48def458..80e80ae5965 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -53,6 +53,11 @@ Improvements
dedicated thread pool. Backup, Restore and Split are expensive operations.
(Pierre Salagnac, David Smiley)
+* SOLR-16964: The solr.jetty.ssl.sniHostCheck option now defaults to the value of SOLR_SSL_CHECK_PEER_NAME, if it is provided.
+ This will enable client and server hostName check settings to be governed by the same environment variable.
+ If users want separate client/server settings, they can manually override the solr.jetty.ssl.sniHostCheck option in SOLR_OPTS. (Houston Putman)
+
+
Optimizations
---------------------
diff --git a/solr/bin/solr b/solr/bin/solr
index f83bbd981af..b79bffec501 100644
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -259,7 +259,7 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
fi
if [ -n "$SOLR_SSL_CHECK_PEER_NAME" ]; then
- SOLR_SSL_OPTS+=" -Dsolr.ssl.checkPeerName=$SOLR_SSL_CHECK_PEER_NAME"
+ SOLR_SSL_OPTS+=" -Dsolr.ssl.checkPeerName=$SOLR_SSL_CHECK_PEER_NAME -Dsolr.jetty.ssl.sniHostCheck=$SOLR_SSL_CHECK_PEER_NAME"
fi
if [ -n "$SOLR_SSL_CLIENT_TRUST_STORE" ]; then
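Review bot: The new line on L46 copies `$SOLR_SSL_CHECK_PEER_NAME` verbatim into two JVM system properties without checking that it is actually `true` or `false`, so a typo such as `flase` or a stray trailing token now reaches both `solr.ssl.checkPeerName` and `solr.jetty.ssl.sniHostCheck` instead of one, and what the JVM does with a non-boolean value there is not visible from this hunk. Since this single variable now relaxes both the client-side peer-name check and the server-side SNI host check, it is worth failing fast on anything that is not a boolean before building `SOLR_SSL_OPTS`; a `case` guard inside the existing `if` does that (below, assuming the script's convention for a bad config is to print to stderr and exit non-zero — adjust to match its other checks). The CHANGES entry says users can override `solr.jetty.ssl.sniHostCheck` in `SOLR_OPTS`, which only holds if `SOLR_OPTS` is placed after `SOLR_SSL_OPTS` on the java command line; that ordering is outside this hunk and should be confirmed. The enclosing `if [ "$SOLR_SSL_ENABLED" == "true" ]` block begins before this hunk and ends after it.
```shell
if [ -n "$SOLR_SSL_CHECK_PEER_NAME" ]; then
  case "$SOLR_SSL_CHECK_PEER_NAME" in
    true|false) ;;
    *) echo "SOLR_SSL_CHECK_PEER_NAME must be 'true' or 'false', got '$SOLR_SSL_CHECK_PEER_NAME'" >&2; exit 1 ;;
  esac
  SOLR_SSL_OPTS+=" -Dsolr.ssl.checkPeerName=$SOLR_SSL_CHECK_PEER_NAME -Dsolr.jetty.ssl.sniHostCheck=$SOLR_SSL_CHECK_PEER_NAME"
fi
# … unchanged: client trust store handling …
```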
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index 5772346efdd..66bf7123be5 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -146,7 +146,7 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
)
)
IF DEFINED SOLR_SSL_CHECK_PEER_NAME (
- set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.checkPeerName=%SOLR_SSL_CHECK_PEER_NAME%"
+ set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.checkPeerName=%SOLR_SSL_CHECK_PEER_NAME% -Dsolr.jetty.ssl.sniHostCheck=%SOLR_SSL_CHECK_PEER_NAME%"
)
) ELSE (
set SOLR_SSL_OPTS=
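Review bot: As on the bash side, L58 forwards `%SOLR_SSL_CHECK_PEER_NAME%` into both `solr.ssl.checkPeerName` and `solr.jetty.ssl.sniHostCheck` with no check that the value is a boolean, so one mistyped variable now silently affects two independent TLS checks. A case-insensitive guard before the `set`, e.g. `IF /I NOT "%SOLR_SSL_CHECK_PEER_NAME%"=="true" IF /I NOT "%SOLR_SSL_CHECK_PEER_NAME%"=="false" ( echo SOLR_SSL_CHECK_PEER_NAME must be true or false & exit /b 1 )`, would keep the two scripts consistent; match whatever exit convention solr.cmd already uses for bad configuration. Note that `%SOLR_SSL_CHECK_PEER_NAME%` is expanded at parse time of the enclosing `IF ... (` block while `!SOLR_SSL_OPTS!` is delayed-expanded, which is fine only if the variable is already set when the block is parsed — presumably true since it comes from solr.in.cmd, but worth confirming. The enclosing `IF "%SOLR_SSL_ENABLED%"=="true" (` block starts before this hunk and its `ELSE` branch continues past it.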
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index 5f982cb16b5..f9892d33d66 100755
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -159,7 +159,8 @@ REM set SOLR_SSL_WANT_CLIENT_AUTH=false
REM Verify client hostname during SSL handshake
REM set SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
-REM this to false can be useful to disable these checks when re-using a certificate on many hosts
+REM this to false can be useful to disable these checks when re-using a certificate on many hosts.
+REM This will also be used for the default value of whether SNI Host checking should be enabled.
REM set SOLR_SSL_CHECK_PEER_NAME=true
REM Override Key/Trust Store types if necessary
REM set SOLR_SSL_KEY_STORE_TYPE=PKCS12
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index 117ef1761a9..f6da91c2f3b 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -173,7 +173,8 @@
# Verify client's hostname during SSL handshake
#SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
-# this to false can be useful to disable these checks when re-using a certificate on many hosts
+# this to false can be useful to disable these checks when re-using a certificate on many hosts.
+# This will also be used for the default value of whether SNI Host checking should be enabled.
#SOLR_SSL_CHECK_PEER_NAME=true
# Override Key/Trust Store types if necessary
#SOLR_SSL_KEY_STORE_TYPE=PKCS12
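Review bot: The added comment on L86 does not tell an operator what "SNI Host checking" is, that it is a server-side Jetty check distinct from the client-side peer-name check, or that the coupling only applies when the variable is explicitly set — all of which matter because the advice two lines up is to set this to `false` when sharing one certificate across hosts, which now also turns off the server's SNI check. I would replace L86 with `# When set, this value is also used as the default for the server-side SNI host check (-Dsolr.jetty.ssl.sniHostCheck);` followed by `# to disable peer-name checks but keep SNI checking, add -Dsolr.jetty.ssl.sniHostCheck=true to SOLR_OPTS.`, which matches what the CHANGES entry in this same commit describes. The same wording fix applies to the solr.in.cmd counterpart and the two ref-guide examples.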
diff --git a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
index 4450d677866..1177f423c62 100644
--- a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
+++ b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
@@ -90,7 +90,8 @@ SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
-# this to false can be useful to disable these checks when re-using a certificate on many hosts
+# this to false can be useful to disable these checks when re-using a certificate on many hosts.
+# This will also be used for the default value of whether SNI Host checking should be enabled.
SOLR_SSL_CHECK_PEER_NAME=true
----
====
@@ -114,7 +115,8 @@ set SOLR_SSL_NEED_CLIENT_AUTH=false
REM Enable clients to authenticate (but not require)
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
-REM this to false can be useful to disable these checks when re-using a certificate on many hosts
+REM this to false can be useful to disable these checks when re-using a certificate on many hosts.
+REM This will also be used for the default value of whether SNI Host checking should be enabled.
set SOLR_SSL_CHECK_PEER_NAME=true
----
====
diff --git a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
index 11f1adb1306..8a82b475144 100644
--- a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
+++ b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
@@ -80,6 +80,10 @@ Therefore, when using the default settings, nodes that were previously excluded
* The Embedded Zookeeper can now be configured to listen to (or bind to) more hosts than just `localhost`,
see the xref:deployment-guide:securing-solr.adoc#network-configuration[Network Configuration documentation] for more information.
+=== Security
+* The `solr.jetty.ssl.sniHostCheck` option now defaults to the value of `SOLR_SSL_CHECK_PEER_NAME`, if it is provided.
+This will enable client and server hostName check settings to be governed by the same environment variable.
+If users want separate client/server settings, they can manually override the `solr.jetty.ssl.sniHostCheck` option in `SOLR_OPTS`.
== Solr 9.3
=== Binary Releases