Posted to issues@solr.apache.org by "Tomas Eduardo Fernandez Lobbe (Jira)" <ji...@apache.org> on 2023/04/03 19:32:00 UTC

[jira] [Created] (SOLR-16735) "Invalid SNI" error when request server name doesn't match host certificate

Tomas Eduardo Fernandez Lobbe created SOLR-16735:
----------------------------------------------------

             Summary: "Invalid SNI" error when request server name doesn't match host certificate
                 Key: SOLR-16735
                 URL: https://issues.apache.org/jira/browse/SOLR-16735
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 9.2
            Reporter: Tomas Eduardo Fernandez Lobbe


Jetty 10 slightly changed the behavior for handling SNI validation. See [Jetty 9.4|https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L262] vs [Jetty 10|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java#L242]. In Jetty 9 (which Solr uses up to version 9.1), by default, the SNI extension was not validated if not present, but in Jetty 10, by default, the host name is validated against the host certificate, and {{400: Invalid SNI}} is thrown if they don't match.

I think the right approach for Solr is to set {{sniHostCheck}} to {{false}}, and at most provide the option to configure it using Jetty internal sysprops like [here|https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-server/src/main/config/etc/jetty-ssl.xml#L56-L61]



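The following is an added illustration, not part of the issue and not Jetty's or Solr's code: a small model of the host check described above, useful for listing which request host names would be answered with "Invalid SNI" for a given certificate. The matching rules (exact match, wildcard covering exactly one label), the function names and all sample names are assumptions made for the example; Jetty's own matching may differ in detail.

```python
"""Model of a server-name vs. host-certificate check (added example)."""

# Constructed sample data: names on a certificate and Host header values.
CERT_NAMES = ["solr1.example.test", "*.search.example.test"]
REQUESTS = [
    "solr1.example.test:8983",
    "node7.search.example.test:8983",
    "10.0.0.12:8983",            # client connects by IP address
    "localhost:8983",            # local health check
    "a.b.search.example.test",   # two labels under the wildcard
]


def name_matches(server_name, cert_name):
    """Exact match, or a leading '*.' wildcard covering exactly one label."""
    host = server_name.rstrip(".").lower()
    pattern = cert_name.rstrip(".").lower()
    if pattern.startswith("*."):
        first, dot, rest = host.partition(".")
        return bool(first) and bool(dot) and rest == pattern[2:]
    return host == pattern


def strip_port(host_header):
    """Return the host part of a Host header value such as 'name:8983'."""
    if host_header.startswith("["):  # bracketed IPv6 literal
        return host_header[1:host_header.index("]")]
    return host_header.rsplit(":", 1)[0] if ":" in host_header else host_header


def check_request(host_header, cert_names, sni_host_check=True):
    """Return (accepted, reason) for one request."""
    if not sni_host_check:
        return True, "host check disabled"
    server_name = strip_port(host_header)
    if any(name_matches(server_name, n) for n in cert_names):
        return True, "server name matches certificate"
    return False, "Invalid SNI"


def rejected(host_headers, cert_names, sni_host_check=True):
    """List the Host values that would be refused under the given setting."""
    return [h for h in host_headers
            if not check_request(h, cert_names, sni_host_check)[0]]


if __name__ == "__main__":
    for h in REQUESTS:
        print(h, check_request(h, CERT_NAMES))
```

Running it against the names clients actually use (IP addresses, `localhost`, internal aliases) shows which callers are affected by the changed default before an upgrade.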