Posted to commits@solr.apache.org by ho...@apache.org on 2023/09/08 15:04:58 UTC

[solr] branch branch_9x updated: SOLR-16964: Default the sniHostCheck setting to the checkPeerName envVar (#1897)

This is an automated email from the ASF dual-hosted git repository.

houston pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git


The following commit(s) were added to refs/heads/branch_9x by this push:
     new e551b8fe96d SOLR-16964: Default the sniHostCheck setting to the checkPeerName envVar (#1897)
e551b8fe96d is described below

commit e551b8fe96db49362a9c2ce2cf49f4af911753e6
Author: Houston Putman <ho...@apache.org>
AuthorDate: Fri Sep 8 11:01:52 2023 -0400

    SOLR-16964: Default the sniHostCheck setting to the checkPeerName envVar (#1897)
    
    (cherry picked from commit 7ae613c6c3fcefb9393ef55ca4501e7452cc4ca1)
---
 solr/CHANGES.txt                                                    | 5 +++++
 solr/bin/solr                                                       | 2 +-
 solr/bin/solr.cmd                                                   | 2 +-
 solr/bin/solr.in.cmd                                                | 3 ++-
 solr/bin/solr.in.sh                                                 | 3 ++-
 .../solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc | 6 ++++--
 .../modules/upgrade-notes/pages/major-changes-in-solr-9.adoc        | 4 ++++
 7 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 9bb48def458..80e80ae5965 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -53,6 +53,11 @@ Improvements
   dedicated thread pool. Backup, Restore and Split are expensive operations.
   (Pierre Salagnac, David Smiley)
 
+* SOLR-16964: The solr.jetty.ssl.sniHostCheck option now defaults to the value of SOLR_SSL_CHECK_PEER_NAME, if it is provided.
+  This will enable client and server hostName check settings to be governed by the same environment variable.
+  If users want separate client/server settings, they can manually override the solr.jetty.ssl.sniHostCheck option in SOLR_OPTS. (Houston Putman)
+
+
 Optimizations
 ---------------------
 
diff --git a/solr/bin/solr b/solr/bin/solr
index f83bbd981af..b79bffec501 100644
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -259,7 +259,7 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
   fi
 
   if [ -n "$SOLR_SSL_CHECK_PEER_NAME" ]; then
-    SOLR_SSL_OPTS+=" -Dsolr.ssl.checkPeerName=$SOLR_SSL_CHECK_PEER_NAME"
+    SOLR_SSL_OPTS+=" -Dsolr.ssl.checkPeerName=$SOLR_SSL_CHECK_PEER_NAME -Dsolr.jetty.ssl.sniHostCheck=$SOLR_SSL_CHECK_PEER_NAME"
   fi
 
   if [ -n "$SOLR_SSL_CLIENT_TRUST_STORE" ]; then
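Review bot: The added `-Dsolr.jetty.ssl.sniHostCheck=$SOLR_SSL_CHECK_PEER_NAME` on the `+` line forwards the variable's raw value to a server-side Jetty setting with no check that it is `true` or `false`, so a mistyped value that previously affected only the client-side checkPeerName property now also reaches the server's SNI host check, and if Jetty parses it with Boolean semantics a typo would presumably disable the check silently. I would validate before the append with `case "$SOLR_SSL_CHECK_PEER_NAME" in true|false) ;; *) echo "SOLR_SSL_CHECK_PEER_NAME must be true or false" >&2; exit 1;; esac` and add a comment above the `if`, `# SOLR_SSL_CHECK_PEER_NAME governs both the client peer-name check and the server SNI host check; override -Dsolr.jetty.ssl.sniHostCheck in SOLR_OPTS to split them.` The commit message's claim that SOLR_OPTS can override this default holds only if SOLR_OPTS is placed after SOLR_SSL_OPTS on the java command line, which is outside this hunk and worth confirming. The same point applies to the solr.cmd hunk. The enclosing `if [ "$SOLR_SSL_ENABLED" == "true" ]` block starts and ends outside the hunk.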
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index 5772346efdd..66bf7123be5 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -146,7 +146,7 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
     )
   )
   IF DEFINED SOLR_SSL_CHECK_PEER_NAME (
-   set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.checkPeerName=%SOLR_SSL_CHECK_PEER_NAME%"
+   set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.checkPeerName=%SOLR_SSL_CHECK_PEER_NAME% -Dsolr.jetty.ssl.sniHostCheck=%SOLR_SSL_CHECK_PEER_NAME%"
   )
 ) ELSE (
   set SOLR_SSL_OPTS=
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index 5f982cb16b5..f9892d33d66 100755
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -159,7 +159,8 @@ REM set SOLR_SSL_WANT_CLIENT_AUTH=false
 REM Verify client hostname during SSL handshake
 REM set SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
 REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
-REM this to false can be useful to disable these checks when re-using a certificate on many hosts
+REM this to false can be useful to disable these checks when re-using a certificate on many hosts.
+REM This will also be used for the default value of whether SNI Host checking should be enabled.
 REM set SOLR_SSL_CHECK_PEER_NAME=true
 REM Override Key/Trust Store types if necessary
 REM set SOLR_SSL_KEY_STORE_TYPE=PKCS12
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index 117ef1761a9..f6da91c2f3b 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -173,7 +173,8 @@
 # Verify client's hostname during SSL handshake
 #SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
 # SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
-# this to false can be useful to disable these checks when re-using a certificate on many hosts
+# this to false can be useful to disable these checks when re-using a certificate on many hosts.
+# This will also be used for the default value of whether SNI Host checking should be enabled.
 #SOLR_SSL_CHECK_PEER_NAME=true
 # Override Key/Trust Store types if necessary
 #SOLR_SSL_KEY_STORE_TYPE=PKCS12
diff --git a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
index 4450d677866..1177f423c62 100644
--- a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
+++ b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
@@ -90,7 +90,8 @@ SOLR_SSL_NEED_CLIENT_AUTH=false
 # Enable clients to authenticate (but not require)
 SOLR_SSL_WANT_CLIENT_AUTH=false
 # SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
-# this to false can be useful to disable these checks when re-using a certificate on many hosts
+# this to false can be useful to disable these checks when re-using a certificate on many hosts.
+# This will also be used for the default value of whether SNI Host checking should be enabled.
 SOLR_SSL_CHECK_PEER_NAME=true
 ----
 ====
@@ -114,7 +115,8 @@ set SOLR_SSL_NEED_CLIENT_AUTH=false
 REM Enable clients to authenticate (but not require)
 set SOLR_SSL_WANT_CLIENT_AUTH=false
 REM SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
-REM this to false can be useful to disable these checks when re-using a certificate on many hosts
+REM this to false can be useful to disable these checks when re-using a certificate on many hosts.
+REM This will also be used for the default value of whether SNI Host checking should be enabled.
 set SOLR_SSL_CHECK_PEER_NAME=true
 ----
 ====
diff --git a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
index 11f1adb1306..8a82b475144 100644
--- a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
+++ b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
@@ -80,6 +80,10 @@ Therefore, when using the default settings, nodes that were previously excluded
 * The Embedded Zookeeper can now be configured to listen to (or bind to) more hosts than just `localhost`,
 see the  xref:deployment-guide:securing-solr.adoc#network-configuration[Network Configuration documentation] for more information.
 
+=== Security
+* The `solr.jetty.ssl.sniHostCheck` option now defaults to the value of `SOLR_SSL_CHECK_PEER_NAME`, if it is provided.
+This will enable client and server hostName check settings to be governed by the same environment variable.
+If users want separate client/server settings, they can manually override the `solr.jetty.ssl.sniHostCheck` option in `SOLR_OPTS`.
 
 == Solr 9.3
 === Binary Releases