You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@lucene.apache.org by "Houston Putman (Jira)" <ji...@apache.org> on 2020/08/19 21:27:04 UTC
[jira] [Updated] (SOLR-14711) Incorrect insecure settings check in
CoreContainer
[ https://issues.apache.org/jira/browse/SOLR-14711?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Houston Putman updated SOLR-14711:
----------------------------------
Security: (was: Public)
> Incorrect insecure settings check in CoreContainer
> --------------------------------------------------
>
> Key: SOLR-14711
> URL: https://issues.apache.org/jira/browse/SOLR-14711
> Project: Solr
> Issue Type: Bug
> Reporter: Mark Todd
> Priority: Major
>
> I've configured SolrCloud (8.5) with both SSL and Authentication which is working correctly. However, I get the following warning in the logs
>
> "Solr authentication is enabled, but SSL is off. Consider enabling SSL to protect user credentials and data with encryption"
>
> Looking at the source code for SolrCloud there appears to be a bug
> if (authenticationPlugin !=null && StringUtils.isNotEmpty(System.getProperty("solr.jetty.https.port"))) {
> log.warn("Solr authentication is enabled, but SSL is off. Consider enabling SSL to protect user credentials and data with encryption.");
> }
>
> Rather than checking for an empty system property (which would indicate SLL is off) its checking for a populated one which is what you get when SSL is on.
> This is a major issue because administrators are very concerned that Solr has been deployed in an insecure fashion.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org