Posted to issues@lucene.apache.org by "Marcus Eagan (Jira)" <ji...@apache.org> on 2020/03/27 03:00:00 UTC

[jira] [Commented] (SOLR-14357) solrj: using insecure namedCurves

    [ https://issues.apache.org/jira/browse/SOLR-14357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17068230#comment-17068230 ] 

Marcus Eagan commented on SOLR-14357:
-------------------------------------

Can you share a more complete stack trace for the exception you observed? There have been some fixes to easily disable all the weak EC implementations in later Javas but it hasn't made it to [Java 8 or 11|https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8235540], the recommended versions for Solr. However, before I sink my teeth into the rabbit at the bottom of this hole, I want to understand where the exception originated from. We may be able to safely disable all the weak algorithms by default, but without knowing where it lives, I don't know what that action will break.

> solrj: using insecure namedCurves
> ---------------------------------
>
>                 Key: SOLR-14357
>                 URL: https://issues.apache.org/jira/browse/SOLR-14357
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Bernd Wahlen
>            Priority: Major
>
> I tried to run our backend with solrj 8.4.1 on jdk14 and get the following error:
> Caused by: java.lang.IllegalArgumentException: Error in security property. Constraint unknown: c2tnb191v1
> After I removed all the X9.62 algorithms from the property jdk.disabled.namedCurves in
> /usr/lib/jvm/java-14-openjdk-14.0.0.36-1.rolling.el7.x86_64/conf/security/java.security
> everything is running.
> This does not happen on staging (I think because of only 1 solr node - not using lb client).
> We do not set or change any ssl settings in solr.in.sh.
> I don't know how to fix that (default config?, apache client settings?), but I think using insecure algorithms may be a security risk and not only a jdk14 issue.


