You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@solr.apache.org by ho...@apache.org on 2023/09/13 16:00:43 UTC
[solr] branch main updated: SOLR-16963: Fix usage of clientHostnameVerification (#1916)
This is an automated email from the ASF dual-hosted git repository.
houston pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/main by this push:
new 901e0debc38 SOLR-16963: Fix usage of clientHostnameVerification (#1916)
901e0debc38 is described below
commit 901e0debc381f988373a6d9c09ca47341dda05fb
Author: Houston Putman <ho...@apache.org>
AuthorDate: Wed Sep 13 12:00:36 2023 -0400
SOLR-16963: Fix usage of clientHostnameVerification (#1916)
- It no longer overrides the checkPeerName option
- It once again acts as a server setting to check the client
hostname against the client certificate
---
solr/CHANGES.txt | 3 +
solr/bin/solr | 4 +-
solr/bin/solr.cmd | 4 +-
solr/packaging/test/test_ssl.bats | 90 ++++++++++++++--------
solr/server/etc/jetty-ssl.xml | 1 +
.../deployment-guide/pages/enabling-ssl.adoc | 2 +-
.../pages/major-changes-in-solr-9.adoc | 5 ++
.../solr/client/solrj/impl/Http2SolrClient.java | 6 --
.../client/solrj/impl/Http2SolrClientTest.java | 8 +-
9 files changed, 77 insertions(+), 46 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index c608bf4f314..40aead39789 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -179,6 +179,9 @@ Bug Fixes
* SOLR-16899: CoreAdminOp are statically registered in CoreAdminHandler, preventing more than one Solr instance in the same JVM (Vincent Primault via Alex Deparvu)
+* SOLR-16963: The "solr.jetty.ssl.verifyClientHostName" sysProp and "SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION" envVar have been fixed,
+ and the setting once again tells the server to check the originating client hostname against the client certificate when doing mTLS. (Houston Putman, Tomás Fernández Löbbe)
+
Dependency Upgrades
---------------------
diff --git a/solr/bin/solr b/solr/bin/solr
index 32a2465eccb..cc72f621094 100644
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -229,8 +229,8 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
SOLR_SSL_OPTS+=" -Dsolr.jetty.truststore.type=$SOLR_SSL_TRUST_STORE_TYPE"
fi
- if [ "${SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION:-true}" == "false" ]; then
- SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.verifyClientHostName=false"
+ if [ "${SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION:true}" == "true" ] ; then
+ SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.verifyClientHostName=HTTPS"
fi
if [ -n "$SOLR_SSL_NEED_CLIENT_AUTH" ]; then
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index bb297a64d62..d10ac598057 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -105,8 +105,8 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
IF NOT DEFINED SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION (
set SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true
)
- IF "%SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION%"=="false" (
- set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.verifyClientHostName=false"
+ IF "%SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION%"=="true" (
+ set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.verifyClientHostName=HTTPS"
)
IF DEFINED SOLR_SSL_NEED_CLIENT_AUTH (
diff --git a/solr/packaging/test/test_ssl.bats b/solr/packaging/test/test_ssl.bats
index 9fdcbd43a59..85e0e32cc2a 100644
--- a/solr/packaging/test/test_ssl.bats
+++ b/solr/packaging/test/test_ssl.bats
@@ -48,7 +48,6 @@ teardown() {
export SOLR_SSL_TRUST_STORE_PASSWORD=secret
export SOLR_SSL_NEED_CLIENT_AUTH=false
export SOLR_SSL_WANT_CLIENT_AUTH=false
- export SOLR_SSL_CHECK_PEER_NAME=true
export SOLR_HOST=localhost
solr start -c
@@ -57,7 +56,7 @@ teardown() {
run solr create -c test -s 2
assert_output --partial "Created collection 'test'"
- run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" 'https://127.0.0.1:8983/solr/test/select?q=*:*'
+ run solr api -get 'https://localhost:8983/solr/test/select?q=*:*'
assert_output --partial '"numFound":0'
}
@@ -82,8 +81,6 @@ teardown() {
export SOLR_SSL_NEED_CLIENT_AUTH=false
export SOLR_SSL_WANT_CLIENT_AUTH=false
export SOLR_SSL_CHECK_PEER_NAME=false
- # Remove later when SOLR-16963 is resolved
- export SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
export SOLR_HOST=localhost
solr start -c
@@ -92,12 +89,15 @@ teardown() {
run solr create -c test -s 2
assert_output --partial "Created collection 'test'"
+ # Just test that curl can connect via insecure or via a custom host header
run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" -k 'https://localhost:8983/solr/test/select?q=*:*'
assert_output --partial '"numFound":0'
+ run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" -H "Host: test.solr.apache.org" 'https://127.0.0.1:8983/solr/test/select?q=*:*'
+ assert_output --partial '"numFound":0'
+
+ # This is a client setting, so we don't need to restart Solr to make sure that it fails
export SOLR_SSL_CHECK_PEER_NAME=true
- # Remove later when SOLR-16963 is resolved
- export SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true
# This should fail the peername check
run ! solr api -get 'https://localhost:8983/solr/test/select?q=*:*'
@@ -207,6 +207,7 @@ teardown() {
export SOLR_SECURITY_MANAGER_ENABLED=true
export SOLR_OPTS="-Djava.io.tmpdir=${test_tmp_dir}"
+ export SOLR_LOG_LEVEL="DEBUG"
export SOLR_TOOL_OPTS="-Djava.io.tmpdir=${test_tmp_dir} -Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake"
export ssl_dir="${BATS_TEST_TMPDIR}/ssl"
@@ -243,7 +244,7 @@ teardown() {
# Trust the keystore cert with the CA
keytool -storepass server-key -keystore solr-server.keystore.p12 -storetype PKCS12 -certreq -alias server | \
keytool -storepass secret -keystore "$ssl_dir/ca.p12" -storetype PKCS12 -gencert -alias ca \
- -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=serverAuth -rfc > server.pem
+ -ext "SAN=DNS:localhost,IP:127.0.0.1" -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=serverAuth -rfc > server.pem
keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias server -file server.pem
@@ -253,18 +254,19 @@ teardown() {
keytool -keystore solr-server.truststore.p12 -storetype PKCS12 -keypass server-trust -storepass server-trust -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
)
# Create a client keystore & truststore
+ # The client cert will have a bogus DNS name and IP address, as we want the clientHostnameVerification to fail
mkdir -p "$client_ssl_dir"
(
cd "$client_ssl_dir"
rm -f solr-client.keystore.p12 client.pem solr-client.truststore.p12
# Create a keystore and certificate
- keytool -genkeypair -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -alias client -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+ keytool -genkeypair -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -alias client -ext SAN=DNS:test.solr.apache.org,IP:127.0.0.2 -dname "CN=test.solr.apache.org, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
# Trust the keystore cert with the CA
keytool -storepass client-key -keystore solr-client.keystore.p12 -storetype PKCS12 -certreq -alias client | \
keytool -storepass secret -keystore "$ssl_dir/ca.p12" -storetype PKCS12 -gencert -alias ca \
- -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=clientAuth -rfc > client.pem
+ -ext "SAN=DNS:test.solr.apache.org,IP:127.0.0.2" -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=clientAuth -rfc > client.pem
keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias client -file client.pem
@@ -291,33 +293,51 @@ teardown() {
export SOLR_SSL_NEED_CLIENT_AUTH=true
export SOLR_SSL_WANT_CLIENT_AUTH=false
export SOLR_SSL_CHECK_PEER_NAME=true
- export SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true
+ # Cannot set this to true, because the client certificate does not have the right hostname ("localhost") or IP
+ export SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=false
export SOLR_HOST=localhost
solr start -c
solr start -c -z localhost:9983 -p 8984
- export SOLR_SSL_KEY_STORE=
- export SOLR_SSL_KEY_STORE_PASSWORD=
- export SOLR_SSL_TRUST_STORE=
- export SOLR_SSL_TRUST_STORE_PASSWORD=
+ # Test Client connections, which do not need the server keystore/truststore
+ (
+ export SOLR_SSL_KEY_STORE=
+ export SOLR_SSL_KEY_STORE_PASSWORD=
+ export SOLR_SSL_TRUST_STORE=
+ export SOLR_SSL_TRUST_STORE_PASSWORD=
- solr assert --started https://localhost:8983/solr --timeout 5000
- solr assert --started https://localhost:8984/solr --timeout 5000
+ solr assert --started https://localhost:8983/solr --timeout 5000
+ solr assert --started https://localhost:8984/solr --timeout 5000
- run solr create -c test -s 2
- assert_output --partial "Created collection 'test'"
+ run solr create -c test -s 2
+ assert_output --partial "Created collection 'test'"
- run solr api -get 'https://localhost:8983/solr/admin/collections?action=CLUSTERSTATUS'
- assert_output --partial '"urlScheme":"https"'
+ run solr api -get 'https://localhost:8983/solr/admin/collections?action=CLUSTERSTATUS'
+ assert_output --partial '"urlScheme":"https"'
- run solr api -get 'https://localhost:8984/solr/test/select?q=*:*&rows=0'
- assert_output --partial '"numFound":0'
+ run solr api -get 'https://localhost:8984/solr/test/select?q=*:*&rows=0'
+ assert_output --partial '"numFound":0'
- export SOLR_SSL_CLIENT_KEY_STORE=
- export SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=
+ (
+ # Try connecting with just the client truststore, which should fail because mTLS requires a keystore and mTLS is needed
+ export SOLR_SSL_CLIENT_KEY_STORE=
+ export SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=
+
+ run ! solr api -get 'https://localhost:8983/solr/test/select?q=*:*&rows=0'
+ assert_output --partial 'Server refused connection'
+ )
+ )
+
+ # Turn on client hostname verification, and start a new Solr node since the property is a server setting.
+ # Test that it fails because the client cert does not use "localhost"
+ export SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true
+ solr start -c -z localhost:9983 -p 8985
- run ! solr api -get 'https://localhost:8983/solr/test/select?q=*:*&rows=0'
+ # We can't check if the server has come up, because we can't connect to it, so just wait
+ sleep 5
+
+ run ! solr api -get 'https://localhost:8985/solr/test/select?q=*:*&rows=0'
assert_output --partial 'Server refused connection'
}
@@ -342,8 +362,8 @@ teardown() {
cd "$ssl_dir"
rm -f root.p12 root.pem ca.p12 ca.pem
- keytool -genkeypair -keystore root.p12 -storetype PKCS12 -keypass secret -storepass secret -alias root -ext bc:c -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
- keytool -genkeypair -keystore ca.p12 -storetype PKCS12 -keypass secret -storepass secret -alias ca -ext bc:c -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+ keytool -genkeypair -keystore root.p12 -storetype PKCS12 -keypass secret -storepass secret -alias root -ext bc:c -ext "SAN=DNS:localhost,IP:127.0.0.1" -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+ keytool -genkeypair -keystore ca.p12 -storetype PKCS12 -keypass secret -storepass secret -alias ca -ext bc:c -ext "SAN=DNS:localhost,IP:127.0.0.1" -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
keytool -keystore root.p12 -storetype PKCS12 -storepass secret -alias root -exportcert -rfc > root.pem
@@ -360,12 +380,12 @@ teardown() {
rm -f solr-server.keystore.p12 server.pem solr-server.truststore.p12
# Create a keystore and certificate
- keytool -genkeypair -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -alias server -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+ keytool -genkeypair -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -alias server -ext "SAN=DNS:localhost,IP:127.0.0.1" -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
# Trust the keystore cert with the CA
keytool -storepass server-key -keystore solr-server.keystore.p12 -storetype PKCS12 -certreq -alias server | \
keytool -storepass secret -keystore "$ssl_dir/ca.p12" -storetype PKCS12 -gencert -alias ca \
- -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=serverAuth -rfc > server.pem
+ -ext "SAN=DNS:localhost,IP:127.0.0.1" -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=serverAuth -rfc > server.pem
keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
keytool -keystore solr-server.keystore.p12 -storetype PKCS12 -keypass server-key -storepass server-key -importcert -alias server -file server.pem
@@ -381,12 +401,12 @@ teardown() {
rm -f solr-client.keystore.p12 client.pem solr-client.truststore.p12
# Create a keystore and certificate
- keytool -genkeypair -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -alias client -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
+ keytool -genkeypair -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -alias client -ext "SAN=DNS:localhost,IP:127.0.0.1" -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country" -keyalg rsa
# Trust the keystore cert with the CA
keytool -storepass client-key -keystore solr-client.keystore.p12 -storetype PKCS12 -certreq -alias client | \
keytool -storepass secret -keystore "$ssl_dir/ca.p12" -storetype PKCS12 -gencert -alias ca \
- -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=clientAuth -rfc > client.pem
+ -ext "SAN=DNS:localhost,IP:127.0.0.1" -ext "ku:c=nonRepudiation,digitalSignature,keyEncipherment" -ext eku:c=clientAuth -rfc > client.pem
keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias root -file "$ssl_dir/root.pem" -noprompt
keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias ca -file "$ssl_dir/ca.pem" -noprompt
keytool -keystore solr-client.keystore.p12 -storetype PKCS12 -keypass client-key -storepass client-key -importcert -alias client -file client.pem
@@ -439,6 +459,14 @@ teardown() {
export SOLR_SSL_CLIENT_KEY_STORE=
export SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=
+ # mTLS requires a keyStore, so just using the truststore would fail if mTLS was "NEED"ed, however it is only "WANT"ed, so its ok
run solr api -get 'https://localhost:8983/solr/test/select?q=*:*&rows=0'
assert_output --partial '"numFound":0'
+
+ export SOLR_SSL_CLIENT_TRUST_STORE=
+ export SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=
+
+ # TLS cannot work if a truststore and keystore are not provided (either Server or Client)
+ run solr api -get 'https://localhost:8983/solr/test/select?q=*:*&rows=0'
+ assert_output --partial 'Server refused connection'
}
diff --git a/solr/server/etc/jetty-ssl.xml b/solr/server/etc/jetty-ssl.xml
index 878f9386720..90cbc13c257 100644
--- a/solr/server/etc/jetty-ssl.xml
+++ b/solr/server/etc/jetty-ssl.xml
@@ -22,6 +22,7 @@
<Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>
<Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="PKCS12"/></Set>
<Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="PKCS12"/></Set>
+ <Set name="EndpointIdentificationAlgorithm"><Property name="solr.jetty.ssl.verifyClientHostName"/></Set>
<!-- =========================================================== -->
<!-- Create a TLS specific HttpConfiguration based on the -->
diff --git a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
index 1177f423c62..685acdb5da4 100644
--- a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
+++ b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
@@ -125,7 +125,7 @@ set SOLR_SSL_CHECK_PEER_NAME=true
.Client Authentication Settings
WARNING: Enable either `SOLR_SSL_NEED_CLIENT_AUTH` or `SOLR_SSL_WANT_CLIENT_AUTH` but not both at the same time.
They are mutually exclusive and Jetty will select one of them which may not be what you expect.
-`SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION` should be set to false if you want to disable hostname verification.
+`SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION` should be set to false if you want to disable hostname verification for client certificates.
When you start Solr, the `bin/solr` script includes these settings and will pass them as system properties to the JVM.
diff --git a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
index cfe1d8b9b7f..0824107a91f 100644
--- a/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
+++ b/solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc
@@ -81,6 +81,11 @@ Therefore, when using the default settings, nodes that were previously excluded
see the xref:deployment-guide:securing-solr.adoc#network-configuration[Network Configuration documentation] for more information.
=== Security
+* Since Solr 8.4.1/8.5.0, the `solr.jetty.ssl.verifyClientHostName` sysProp and `SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION` envVar have been used incorrectly.
+It has instead been used to override the `solr.ssl.checkPeerName` sysProp in the `HTTP2SolrClient`.
+This has been fixed, and the setting once again tells the server to check the originating client hostname against the client certificate when doing mTLS.
+This option is still enabled by default.
+
* The `solr.jetty.ssl.sniHostCheck` option now defaults to the value of `SOLR_SSL_CHECK_PEER_NAME`, if it is provided.
This will enable client and server hostName check settings to be governed by the same environment variable.
If users want separate client/server settings, they can manually override the `solr.jetty.ssl.sniHostCheck` option in `SOLR_OPTS`.
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
index 73001f7685f..2d6a993be7c 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
@@ -1386,12 +1386,6 @@ public class Http2SolrClient extends SolrClient {
sslContextFactory.setTrustStoreType(System.getProperty("javax.net.ssl.trustStoreType"));
}
- if (Boolean.parseBoolean(System.getProperty("solr.jetty.ssl.verifyClientHostName", "true"))) {
- sslContextFactory.setEndpointIdentificationAlgorithm("HTTPS");
- } else {
- sslContextFactory.setEndpointIdentificationAlgorithm(null);
- }
-
return sslContextFactory;
}
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java
index 263f9aa93e1..3657906ec41 100644
--- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java
@@ -769,25 +769,25 @@ public class Http2SolrClientTest extends SolrJettyTestBase {
System.clearProperty("javax.net.ssl.keyStoreType");
System.clearProperty("javax.net.ssl.trustStoreType");
- System.setProperty("solr.jetty.ssl.verifyClientHostName", "true");
+ System.setProperty("solr.ssl.checkPeerName", "true");
System.setProperty("javax.net.ssl.keyStoreType", "foo");
System.setProperty("javax.net.ssl.trustStoreType", "bar");
SslContextFactory.Client sslContextFactory2 = Http2SolrClient.getDefaultSslContextFactory();
assertEquals("HTTPS", sslContextFactory2.getEndpointIdentificationAlgorithm());
assertEquals("foo", sslContextFactory2.getKeyStoreType());
assertEquals("bar", sslContextFactory2.getTrustStoreType());
- System.clearProperty("solr.jetty.ssl.verifyClientHostName");
+ System.clearProperty("solr.ssl.checkPeerName");
System.clearProperty("javax.net.ssl.keyStoreType");
System.clearProperty("javax.net.ssl.trustStoreType");
- System.setProperty("solr.jetty.ssl.verifyClientHostName", "false");
+ System.setProperty("solr.ssl.checkPeerName", "false");
System.setProperty("javax.net.ssl.keyStoreType", "foo");
System.setProperty("javax.net.ssl.trustStoreType", "bar");
SslContextFactory.Client sslContextFactory3 = Http2SolrClient.getDefaultSslContextFactory();
assertNull(sslContextFactory3.getEndpointIdentificationAlgorithm());
assertEquals("foo", sslContextFactory3.getKeyStoreType());
assertEquals("bar", sslContextFactory3.getTrustStoreType());
- System.clearProperty("solr.jetty.ssl.verifyClientHostName");
+ System.clearProperty("solr.ssl.checkPeerName");
System.clearProperty("javax.net.ssl.keyStoreType");
System.clearProperty("javax.net.ssl.trustStoreType");
}