You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@lucene.apache.org by "Cao Manh Dat (Jira)" <ji...@apache.org> on 2019/09/30 15:32:00 UTC
[jira] [Resolved] (SOLR-13798) SSL: Adding Enabling/Disabling
client's hostname verification config
[ https://issues.apache.org/jira/browse/SOLR-13798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Cao Manh Dat resolved SOLR-13798.
---------------------------------
Fix Version/s: 8.3
Resolution: Fixed
> SSL: Adding Enabling/Disabling client's hostname verification config
> --------------------------------------------------------------------
>
> Key: SOLR-13798
> URL: https://issues.apache.org/jira/browse/SOLR-13798
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 8.2
> Reporter: Cao Manh Dat
> Assignee: Cao Manh Dat
> Priority: Major
> Fix For: 8.3
>
> Attachments: SOLR-13709.patch, SOLR-13709.patch
>
>
> The problem for this after upgrading to Jetty 9.4.19 (SOLR-13541). {{endpointIdentificationAlgorithm}} changed from null → HTTPS. As a result of this client's hostname (identity) is always get verified on connecting Solr.
> This change improved the security level of Solr, since it requires 2 ways identity verifications (client verify server's identity and vice versa). It leads to a problem when only certificate verification is enough (client's hostname is not known ahead) for users.
> We should introduce a flag in {{solr.in.sh}} to disable client's hostname verification when needed then.
> More about this at :
> * https://tools.ietf.org/html/rfc2818#section-3
> * https://github.com/eclipse/jetty.project/issues/3454
> * https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org