Posted to dev@lucene.apache.org by "Michael Suzuki (JIRA)" <ji...@apache.org> on 2018/01/26 15:58:00 UTC

***UNCHECKED*** [jira] [Comment Edited] (SOLR-10307) Provide SSL/TLS keystore password a more secure way

    [ https://issues.apache.org/jira/browse/SOLR-10307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16341189#comment-16341189 ] 

Michael Suzuki edited comment on SOLR-10307 at 1/26/18 3:57 PM:
----------------------------------------------------------------

[~manokovacs] I noticed the following line of code in SSLConfigurations.java:
{code:java}
if (isEmpty(System.getProperty(SysProps.SSL_TRUST_STORE_PASSWORD))
    && !(isEmpty(clientTruststorePassword) && isEmpty(truststorePassword))) {
{code}
Why do we check for SysProps.SSL_TRUST_STORE_PASSWORD? When that is populated, SSL fails to start correctly.
To recreate the issue, start Solr with SSL and pass the following:
{code} -Djavax.net.ssl.keyStorePassword=yourpassword. {code}
As System.getProperty(SysProps.SSL_TRUST_STORE_PASSWORD) is not empty, it will skip the block of code, and as a result it is unaware of the password and defaults to secret as per the jetty-ssl.xml.


was (Author: michaelsuzuki):
[~manokovacs] I noticed the following line of code in SSLConfigurations.java:
{code:java}
if (isEmpty(System.getProperty(SysProps.SSL_TRUST_STORE_PASSWORD))
    && !(isEmpty(clientTruststorePassword) && isEmpty(truststorePassword))) {
{code}
Why do we check for SysProps.SSL_TRUST_STORE_PASSWORD? When that is populated, SSL fails to start correctly.
To recreate the issue, start Solr with SSL and pass the following:
{code} -Djavax.net.ssl.keyStorePassword=yourpassword. {code}
As System.getProperty(SysProps.SSL_TRUST_STORE_PASSWORD) is not empty, it will skip the block of code; as a result it is unaware of the password and defaults to secret as per the jetty-ssl.xml.

> Provide SSL/TLS keystore password a more secure way
> ---------------------------------------------------
>
>                 Key: SOLR-10307
>                 URL: https://issues.apache.org/jira/browse/SOLR-10307
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>            Reporter: Mano Kovacs
>            Assignee: Mark Miller
>            Priority: Major
>             Fix For: 6.7, 7.0
>
>         Attachments: SOLR-10307.2.patch, SOLR-10307.patch, SOLR-10307.patch, SOLR-10307.patch
>
>
> Currently the only way to pass server and client side SSL keystore and truststore passwords is to set specific environment variables that will be passed as system properties, through command line parameter.
> First option is to pass passwords through environment variables which gives a better level of protection. Second option would be to use Hadoop credential provider interface to access credential store.


