Posted to dev@lucene.apache.org by "Miloš Havránek (JIRA)" <ji...@apache.org> on 2016/11/07 07:32:58 UTC
[jira] [Updated] (SOLR-9713) TLS-SSL Mutual-Auth doesn't work, Unable to load keyStore with given password
[ https://issues.apache.org/jira/browse/SOLR-9713?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Miloš Havránek updated SOLR-9713:
---------------------------------
Security: Public (was: Private (Security Issue))
> TLS-SSL Mutual-Auth doesn't work, Unable to load keyStore with given password
> -----------------------------------------------------------------------------
>
> Key: SOLR-9713
> URL: https://issues.apache.org/jira/browse/SOLR-9713
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication, config-api, scripts and tools, security
> Affects Versions: 6.2.1
> Environment: Windows only
> Reporter: Miloš Havránek
> Labels: security, windows
>
> The official 6.2 manual says that to enable HTTPS you have to create a keystore with a keypair having "secret" as the password (example); assume that I have done everything else needed to enable HTTPS correctly.
> When I want to create the keystore and keypair with another password, it works only on Linux; on Windows it works only with "secret" as the password.
> solr.in.cmd properties aren't used by server properly on Windows:
> CASE1:
> keystore password: secret
> keypair password: secret
> SOLR_SSL_KEY_STORE_PASSWORD=secret
> SOLR_SSL_TRUST_STORE_PASSWORD=secret
> Everything works
> CASE2:
> keystore password: secret
> keypair password: secret
> SOLR_SSL_KEY_STORE_PASSWORD=changeit
> SOLR_SSL_TRUST_STORE_PASSWORD=changeit
> No "Keystore was tampered with, or password was incorrect" -> which means it uses "secret" as password when it shouldn't
> Multiple repeating Errors:
> INFO - 2016-11-02 07:52:00.657; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to {s}->https://localhost:8983: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
> INFO - 2016-11-02 07:52:00.657; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}->https://localhost:8983
> CASE3:
> keystore password: changeit
> keypair password: changeit
> SOLR_SSL_KEY_STORE_PASSWORD=changeit
> SOLR_SSL_TRUST_STORE_PASSWORD=changeit
> Errors:
> java.lang.reflect.InvocationTargetException
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
> at org.eclipse.jetty.start.Main.start(Main.java:457)
> at org.eclipse.jetty.start.Main.main(Main.java:75)
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
> at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
> at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
> at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
> at java.security.KeyStore.load(KeyStore.java:1445)
> at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52)
> at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1016)
> at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:332)
> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
> at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
> at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
> at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
> at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:260)
> at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
> at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:244)
> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> at org.eclipse.jetty.server.Server.doStart(Server.java:384)
> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
> at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1510)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1435)
> ... 7 more
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
> at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
> ... 30 more
> Usage: java -jar start.jar [options] [properties] [configs]
> java -jar start.jar --help # for more information
> INFO - 2016-11-02 07:53:55.221; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to {s}->https://localhost:8983: Connection reset
> INFO - 2016-11-02 07:53:55.225; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}->https://localhost:8983
> Another issue:
> I want the server to require client authentication by certificate, but the properties aren't passed to the server or used by the server. Doesn't work on Windows, works on Linux.
> CASE1:
> set SOLR_SSL_NEED_CLIENT_AUTH=true
> set SOLR_SSL_WANT_CLIENT_AUTH=false
> server doesn't require a client certificate for authentication
> CASE2:
> set SOLR_SSL_NEED_CLIENT_AUTH=false
> set SOLR_SSL_WANT_CLIENT_AUTH=true
> server doesn't want a client certificate for authentication
> I found that i can set the properties defaults in jetty-ssl.xml
> which somehow helps a bit but the server still won't start and throws errors:
> INFO - 2016-11-02 09:29:05.036; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to {s}->https://localhost:8983: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
> INFO - 2016-11-02 09:29:05.036; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}->https://localhost:8983
> I know that most of the Solr projects probably run on Linux, but we also use a Windows environment for testing, because we have to ensure that our solution is platform independent.
> Would be cool if someone would lay an eye on that.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
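The two failure modes in the report (a configured keystore password that is silently ignored in favour of the manual's example "secret", and SOLR_SSL_NEED_CLIENT_AUTH=true that the server never enforces) can both be checked from outside the server. The script below is an added example for doing that on Windows; it is not part of the JIRA report or of Solr. It assumes the solr.in.cmd path given in its parameter, keytool on PATH, and Solr listening on localhost:8983 as in the report; the function names are hypothetical.

```powershell
# Added verification script; not part of the JIRA report or of Solr itself.
# It checks, from the outside, the two failure modes described in SOLR-9713:
#  (a) does the keystore actually open with the password configured in
#      solr.in.cmd, and does it still open with the manual's example "secret"?
#  (b) does the running server really refuse a TLS client that presents no
#      certificate when SOLR_SSL_NEED_CLIENT_AUTH=true?
# Assumptions: the solr.in.cmd path below, keytool on PATH, and Solr listening
# on localhost:8983 as in the report.
param(
    [string]$SolrInCmd = ".\bin\solr.in.cmd",   # assumed location
    [string]$SolrHost  = "localhost",
    [int]   $SolrPort  = 8983
)

# (a) Parse "set SOLR_SSL_*=value" lines the way cmd.exe sees them.
#     Lines commented out with REM do not match the anchored pattern.
$settings = @{}
foreach ($line in Get-Content -Path $SolrInCmd) {
    if ($line -match '^\s*set\s+(SOLR_SSL_[A-Z_]+)=(.*)$') {
        $settings[$Matches[1]] = $Matches[2].Trim()
    }
}

function Test-KeystorePassword {
    param([string]$Path, [string]$Password)
    # keytool exits non-zero when the store cannot be opened with $Password.
    & keytool -list -keystore $Path -storepass $Password *> $null
    return ($LASTEXITCODE -eq 0)
}

$ksPath = $settings['SOLR_SSL_KEY_STORE']
$ksPass = $settings['SOLR_SSL_KEY_STORE_PASSWORD']
$opensWithConfigured = Test-KeystorePassword -Path $ksPath -Password $ksPass
$opensWithSecret     = Test-KeystorePassword -Path $ksPath -Password 'secret'

# (b) Handshake with no client certificate. If the server enforces
#     need-client-auth, the handshake (or the first read) must fail.
function Test-ClientAuthEnforced {
    param([string]$TargetHost, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    # Accept any server certificate: we are probing client auth, not trust.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        # With TLS 1.3 a rejection can arrive after the handshake returns,
        # so also send one request and wait for the first response byte.
        $req = [Text.Encoding]::ASCII.GetBytes("GET / HTTP/1.0`r`nHost: $TargetHost`r`n`r`n")
        $ssl.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 1
        if ($ssl.Read($buf, 0, 1) -gt 0) { return $false }   # served without a cert
        return $true
    } catch {
        return $true    # handshake refused: a client certificate was required
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}

$enforced = Test-ClientAuthEnforced -TargetHost $SolrHost -Port $SolrPort
$needAuth = $settings['SOLR_SSL_NEED_CLIENT_AUTH'] -eq 'true'

[pscustomobject]@{
    KeystoreOpensWithConfiguredPassword = $opensWithConfigured
    KeystoreStillUsesExamplePassword    = $opensWithSecret
    NeedClientAuthConfigured            = $needAuth
    ClientAuthEnforcedByServer          = $enforced
    # The report's second problem is exactly this combination.
    ConfigIgnoredByServer               = ($needAuth -and -not $enforced)
}
```

Run it against a freshly started instance. A `ConfigIgnoredByServer` of `True` reproduces the CASE1 symptom under "Another issue" (need-client-auth set, handshake without a certificate still succeeds), and `KeystoreStillUsesExamplePassword` being `True` while a different password is configured matches CASE2, where no "Keystore was tampered with" error appears because the server never saw the configured value.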