Posted to dev@lucene.apache.org by "Miloš Havránek (JIRA)" <ji...@apache.org> on 2016/11/07 07:32:58 UTC

[jira] [Updated] (SOLR-9713) TLS-SSL Mutual-Auth doesn't work, Unable to load keyStore with given password

     [ https://issues.apache.org/jira/browse/SOLR-9713?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Miloš Havránek updated SOLR-9713:
---------------------------------
    Security: Public  (was: Private (Security Issue))

> TLS-SSL Mutual-Auth doesn't work, Unable to load keyStore with given password
> -----------------------------------------------------------------------------
>
>                 Key: SOLR-9713
>                 URL: https://issues.apache.org/jira/browse/SOLR-9713
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication, config-api, scripts and tools, security
>    Affects Versions: 6.2.1
>         Environment: Windows only
>            Reporter: Miloš Havránek
>              Labels: security, windows
>
> The official 6.2 manual says that to enable HTTPS you have to create a keystore with a keypair having "secret" as the password (example); assume that I have done everything else needed to enable HTTPS correctly.
> When I want to create the keystore and keypair with another password, it works on Linux, but on Windows it only works with "secret" as the password.
> solr.in.cmd properties aren't used by the server properly on Windows:
> CASE1:
> keystore password: secret
> keypair password: secret
> SOLR_SSL_KEY_STORE_PASSWORD=secret
> SOLR_SSL_TRUST_STORE_PASSWORD=secret
> Everything works
> CASE2:
> keystore password: secret
> keypair password: secret
> SOLR_SSL_KEY_STORE_PASSWORD=changeit
> SOLR_SSL_TRUST_STORE_PASSWORD=changeit
> No "Keystore was tampered with, or password was incorrect" error, which means it uses "secret" as the password when it shouldn't.
> Multiple repeating errors:
> INFO  - 2016-11-02 07:52:00.657; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to {s}->https://localhost:8983: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
> INFO  - 2016-11-02 07:52:00.657; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}->https://localhost:8983
> CASE3:
> keystore password: changeit
> keypair password: changeit
> SOLR_SSL_KEY_STORE_PASSWORD=changeit
> SOLR_SSL_TRUST_STORE_PASSWORD=changeit
> Errors:
> java.lang.reflect.InvocationTargetException
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
>         at org.eclipse.jetty.start.Main.start(Main.java:457)
>         at org.eclipse.jetty.start.Main.main(Main.java:75)
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
>         at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
>         at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
>         at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
>         at java.security.KeyStore.load(KeyStore.java:1445)
>         at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1016)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:332)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>         at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
>         at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:260)
>         at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>         at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:244)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:384)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
>         at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1510)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1435)
>         ... 7 more
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
>         ... 30 more
> Usage: java -jar start.jar [options] [properties] [configs]
>        java -jar start.jar --help  # for more information
> INFO  - 2016-11-02 07:53:55.221; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to {s}->https://localhost:8983: Connection reset
> INFO  - 2016-11-02 07:53:55.225; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}->https://localhost:8983
> Another issue:
> I want the server to require client authentication by certificate, but the properties aren't passed to the server or used by the server. Doesn't work on Windows, works on Linux.
> CASE1:
> set SOLR_SSL_NEED_CLIENT_AUTH=true
> set SOLR_SSL_WANT_CLIENT_AUTH=false
> server doesn't require a client certificate for authentication
> CASE2:
> set SOLR_SSL_NEED_CLIENT_AUTH=false
> set SOLR_SSL_WANT_CLIENT_AUTH=true
> server doesn't want a client certificate for authentication
> I found that I can set the property defaults in jetty-ssl.xml,
> which somehow helps a bit, but the server still won't start and throws errors:
> INFO  - 2016-11-02 09:29:05.036; org.apache.http.impl.client.DefaultRequestDirector; I/O exception (java.net.SocketException) caught when connecting to {s}->https://localhost:8983: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
> INFO  - 2016-11-02 09:29:05.036; org.apache.http.impl.client.DefaultRequestDirector; Retrying connect to {s}->https://localhost:8983
> I know that most Solr projects probably run on Linux, but we also use a Windows environment for testing, because we have to ensure that our solution is platform independent.
> Would be cool if someone would take a look at that.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
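Added diagnostic for the two symptoms reported above (the keystore password and the client-auth flags from solr.in.cmd apparently never reaching Jetty). This is example code written for this page, not Solr's or Jetty's own, and the solr.in.cmd contents and JVM command line it checks are constructed samples. It assumes the SOLR_SSL_* to -Dsolr.jetty.* mapping and the "secret" default of Solr 6.x's server/etc/jetty-ssl.xml; under that assumption CASE2 behaves as it does because the -D property is never passed and the jetty-ssl.xml default "secret" applies. Verify both the mapping and the defaults against your own bin\solr.cmd and jetty-ssl.xml.

```python
"""Check which SSL settings from a Windows solr.in.cmd actually reach the Solr
JVM. Example code for this page, not part of Solr or Jetty.

Assumptions (also stated in the lead-in): property names and defaults follow
Solr 6.x server/etc/jetty-ssl.xml; the sample file and command line below are
constructed for illustration.
"""
import re

# SOLR_SSL_* variable -> Jetty system property read by jetty-ssl.xml (assumed from Solr 6.x).
ENV_TO_PROP = {
    "SOLR_SSL_KEY_STORE": "solr.jetty.keystore",
    "SOLR_SSL_KEY_STORE_PASSWORD": "solr.jetty.keystore.password",
    "SOLR_SSL_TRUST_STORE": "solr.jetty.truststore",
    "SOLR_SSL_TRUST_STORE_PASSWORD": "solr.jetty.truststore.password",
    "SOLR_SSL_NEED_CLIENT_AUTH": "solr.jetty.ssl.needClientAuth",
    "SOLR_SSL_WANT_CLIENT_AUTH": "solr.jetty.ssl.wantClientAuth",
}

# Both cmd.exe forms: `set NAME=value` (value runs to end of line, trailing
# spaces included) and `set "NAME=value"` (outer quotes stripped, inner kept).
_SET_RE = re.compile(
    r'^\s*set\s+(?:"([A-Za-z_]\w*)=([^"]*)"\s*|([A-Za-z_]\w*)=(.*))$', re.IGNORECASE)
_COMMENT_RE = re.compile(r'^\s*(rem\b|::)', re.IGNORECASE)
# -Dname=value or -Dname="value with spaces" on the java command line.
_DPROP_RE = re.compile(r'-D([^=\s"]+)=(?:"([^"]*)"|(\S*))')


def parse_solr_in_cmd(text):
    """Return {NAME: raw value} for every active `set` line; REM/:: lines are skipped."""
    env = {}
    for line in text.splitlines():
        if _COMMENT_RE.match(line):
            continue
        m = _SET_RE.match(line)
        if not m:
            continue
        name = m.group(1) or m.group(3)
        value = m.group(2) if m.group(1) else m.group(4)
        env[name.upper()] = value
    return env


def expected_jvm_props(env):
    """The -D properties the launcher script should pass for the variables that are set."""
    return {prop: env[var] for var, prop in ENV_TO_PROP.items() if env.get(var, "") != ""}


def parse_jvm_cmdline(cmdline):
    """Extract -D properties from a java command line (e.g. the output of `jps -v`)."""
    props = {}
    for m in _DPROP_RE.finditer(cmdline):
        props[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return props


def check_config(env):
    """Pitfalls in solr.in.cmd itself that produce 'Keystore was tampered with' errors."""
    findings = []
    for var in ("SOLR_SSL_KEY_STORE_PASSWORD", "SOLR_SSL_TRUST_STORE_PASSWORD"):
        val = env.get(var)
        if val is None:
            continue
        if val != val.rstrip():
            findings.append(f"{var} has trailing whitespace; cmd.exe keeps it as part of the password")
        if val == "secret":
            findings.append(f"{var} is the manual's example value 'secret'; use a real password")
    need = env.get("SOLR_SSL_NEED_CLIENT_AUTH", "false").lower()
    want = env.get("SOLR_SSL_WANT_CLIENT_AUTH", "false").lower()
    if need == "true" and want == "true":
        findings.append("SOLR_SSL_NEED_CLIENT_AUTH and SOLR_SSL_WANT_CLIENT_AUTH are both true; set only one")
    return findings


def diff_props(expected, observed):
    """Compare what solr.in.cmd asks for with what the running JVM actually got."""
    findings = []
    for prop, value in sorted(expected.items()):
        if prop not in observed:
            findings.append(f"MISSING  {prop}: set in solr.in.cmd but absent from the JVM command line "
                            "(jetty-ssl.xml default applies)")
        elif observed[prop] != value:
            findings.append(f"MISMATCH {prop}: solr.in.cmd={value!r} jvm={observed[prop]!r}")
    return findings


def run_checks(solr_in_cmd_text, jvm_cmdline):
    env = parse_solr_in_cmd(solr_in_cmd_text)
    return {"config": check_config(env),
            "diff": diff_props(expected_jvm_props(env), parse_jvm_cmdline(jvm_cmdline))}


# Constructed sample solr.in.cmd (not the real file): CASE "changeit" plus a
# trailing-space mistake and a commented-out line that must be ignored.
SAMPLE_SOLR_IN_CMD = r'''
REM constructed sample of a Windows solr.in.cmd
set SOLR_SSL_KEY_STORE=etc\solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=changeit
set SOLR_SSL_TRUST_STORE=etc\solr-ssl.keystore.jks
set "SOLR_SSL_TRUST_STORE_PASSWORD=changeit "
REM set SOLR_SSL_WANT_CLIENT_AUTH=true
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
'''

# Constructed `jps -v`-style command line of a Solr JVM that received only the
# keystore path, i.e. the symptom in the report: password and client-auth
# properties never reach Jetty, so the jetty-ssl.xml defaults ("secret", no
# client auth) are what the server runs with.
SAMPLE_JVM_CMDLINE = ('start.jar -Dsolr.jetty.keystore=etc\\solr-ssl.keystore.jks '
                      '-Dsolr.jetty.keystore.password=secret -Djetty.port=8983 --module=https')

if __name__ == "__main__":
    for section, findings in run_checks(SAMPLE_SOLR_IN_CMD, SAMPLE_JVM_CMDLINE).items():
        print(f"[{section}]")
        for f in findings:
            print("  " + f)
```

Run it against the real solr.in.cmd and the command line of the running java.exe (from `jps -v` or Process Explorer). A MISSING finding points at the launcher script rather than the keystore, which is the distinction the report above is trying to draw; a trailing-whitespace finding explains a "Keystore was tampered with, or password was incorrect" error even though the password in the file looks right.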

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org