You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by "Houston Putman (Jira)" <ji...@apache.org> on 2023/09/08 15:19:00 UTC
[jira] [Resolved] (SOLR-16964) sniHostCheck should default to SOLR_SSL_CHECK_PEER_NAME
[ https://issues.apache.org/jira/browse/SOLR-16964?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Houston Putman resolved SOLR-16964.
-----------------------------------
Fix Version/s: 9.4
Assignee: Houston Putman
Resolution: Fixed
> sniHostCheck should default to SOLR_SSL_CHECK_PEER_NAME
> -------------------------------------------------------
>
> Key: SOLR-16964
> URL: https://issues.apache.org/jira/browse/SOLR-16964
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Server
> Affects Versions: 9.2
> Reporter: Houston Putman
> Assignee: Houston Putman
> Priority: Major
> Fix For: 9.4
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> When we upgraded Solr to Jetty 10, it started doing SNI checks by default. To combat this, Tomas added an option to skip SNI Host checking in SOLR-16735. I think that this should default to the option already given in SOLR_SSL_CHECK_PEER_NAME, which is practically the same check for clients. (SNI is a server setting).
> So if we start to set {{solr.jetty.ssl.sniHostCheck}} by default to the value that {{SOLR_SSL_CHECK_PEER_NAME}} has, then users will see no issues when using Solr as they had been. If users want to separate their server/client settings. They can always still provide the {{solr.jetty.ssl.sniHostCheck}} option themselves in SOLR_OPTS, which will override the option defaulted by Solr.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org