You are viewing a plain text version of this content. The canonical link for it is here.

Posted to solr-user@lucene.apache.org by Robert Hume <rh...@gmail.com> on 2016/11/14 21:44:34 UTC

how to tell SolrHttpServer client to accept/ignore all certs?

I'm using HttpSolrServer (in Solr 3.6) to connect to a Solr web service and
perform a query.

The certificate at the other end has expired and so connections now fail.

It will take the IT at the other end too many days to replace the cert
(this is out of my control).

How can I tell the HttpSolrServer to ignore bad certs when it does queries
to the server?

NOTE 1: I noticed that I can pass my own Apache HttpClient (we're currently
using 4.3) into the HttpSolrServer constructor, but internally
HttpSolrServer seems to do a lot of customizing/configuring it's own
default HttpClient, so I didn't want to mess with that.

NOTE: This is an 100% internal application so there is real security
problems with this temporary workaround.

Thanks!!

rh

Re: how to tell SolrHttpServer client to accept/ignore all certs?

Posted by Shawn Heisey <ap...@elyograg.org>.

On 11/14/2016 2:44 PM, Robert Hume wrote:
> I'm using HttpSolrServer (in Solr 3.6) to connect to a Solr web
> service and perform a query.

That's quite old, and if you do find a but, it won't be fixed in that
version.  If your server is running at least version 3.6 and has configs
that originated with a 3.6 or later example, then you should consider
upgrading to HttpSolrClient in SolrJ 6.x.  It should work properly with
SolrJ 6.x.  If its configurations originated with earlier 1.x or 3.x
versions, then it might not work very well with anything newer without
changes on the server side.

> The certificate at the other end has expired and so connections now
> fail. It will take the IT at the other end too many days to replace
> the cert (this is out of my control). How can I tell the
> HttpSolrServer to ignore bad certs when it does queries to the server?
> NOTE 1: I noticed that I can pass my own Apache HttpClient (we're
> currently using 4.3) into the HttpSolrServer constructor, but
> internally HttpSolrServer seems to do a lot of customizing/configuring
> it's own default HttpClient, so I didn't want to mess with that. 

HttpSolrServer and HttpSolrClient do create their own HttpClient if it's
not passed in, but it's pretty much created with defaults, nothing is
really customized.  That would be the correct way to have the Solr
client ignore certificate validation -- create a custom HttpClient that
does what you need and use it to build your Solr client.  If it's
configured to handle enough simultaneous connections, you can even share
one HttpClient between multiple Solr clients.

Thanks,
Shawn