Posted to dev@lucene.apache.org by Joel Bernstein <jo...@gmail.com> on 2017/12/13 18:57:54 UTC

What does -Dsolr.ssl.checkPeerName=false actually do?

I'm looking for how SSL hostname verification can be turned off and on in
Solr and I have been confused by the startup parameter:

-Dsolr.ssl.checkPeerName=false.


From what I can see this parameter sets the value for
HttpClientUtil.SYS_PROP_CHECK_PEER_NAME.

This property appears to only be used in the test framework though,
specifically in SSLTestConfig.

So it appears that -Dsolr.ssl.checkPeerName=false has no effect on a
running Solr instance.

But the documentation says the following:

"If you created your SSL key without all DNS names/IP addresses on which
Solr nodes will run, you can tell Solr to skip hostname verification for
inter-Solr-node communications by setting the solr.ssl.checkPeerName system
property to false"



So the documentation appears to be incorrect.


This brings up two questions:


Does anyone know if there is a way to turn off and on SSL hostname
verification in Solr?


Does anyone know what the default behavior for SSL hostname verification is
in Solr?


Joel Bernstein
http://joelsolr.blogspot.com/

Re: What does -Dsolr.ssl.checkPeerName=false actually do?

Posted by Joel Bernstein <jo...@gmail.com>.
Ok, after more digging around I found this:
https://issues.apache.org/jira/browse/SOLR-9304

This answers my first question. Currently (7x) there is no way to turn
on/off SSL hostname verification. That may be good or it may be bad
depending on how you view hostname verification.

The answer to question two, I believe is that it's always on in 7x.



Joel Bernstein
http://joelsolr.blogspot.com/

On Wed, Dec 13, 2017 at 1:57 PM, Joel Bernstein <jo...@gmail.com> wrote:

> I'm looking for how SSL hostname verification can be turned off and on in
> Solr and I have been confused by the startup parameter:
>
> -Dsolr.ssl.checkPeerName=false.
>
>
> From what I can see this parameter sets the value for
> HttpClientUtil.SYS_PROP_CHECK_PEER_NAME.
>
> This property appears to only be used in the test framework though,
> specifically in SSLTestConfig.
>
> So it appears that -Dsolr.ssl.checkPeerName=false has no effect on a
> running Solr instance.
>
> But the documentation says the following:
>
> "If you created your SSL key without all DNS names/IP addresses on which
> Solr nodes will run, you can tell Solr to skip hostname verification for
> inter-Solr-node communications by setting the solr.ssl.checkPeerName system
> property to false"
>
>
>
> So the documentation appears to be incorrect.
>
>
> This brings up two questions:
>
>
> Does anyone know if there is a way to turn off and on SSL hostname
> verification in Solr?
>
>
> Does anyone know what the default behavior for SSL hostname verification
> is in Solr?
>
>
> Joel Bernstein
> http://joelsolr.blogspot.com/
>

Re: What does -Dsolr.ssl.checkPeerName=false actually do?

Posted by Shawn Heisey <ap...@elyograg.org>.
On 12/13/2017 11:57 AM, Joel Bernstein wrote:
> I'm looking for how SSL hostname verification can be turned off and on in
> Solr and I have been confused by the startup parameter:
>
> -Dsolr.ssl.checkPeerName=false.
>
> From what I can see this parameter sets the value for:
> HttpClientUtil.SYS_PROP_CHECK_PEER_NAME.
>
> This property appears to only be used in the test framework though,
> specifically in SSLTestConfig.
>
> So it appears that -Dsolr.ssl.checkPeerName=false has no effect on a
> running Solr instance.

See SOLR-9304.  Yesterday, a user on IRC discovered that the property
wasn't being honored, found that issue, and asked about it.  They said
that everything works in 6.6, but doesn't in 7.x.

https://issues.apache.org/jira/browse/SOLR-9304

Hoss did not really recall much, but said that it is likely that he
noticed the dead code while working on something else, opened the issue,
and never got back to it.

I built a patch for the issue, but haven't done anything to test the
patch.  I'd like to have a test included with Solr so future regressions
can be detected, but don't know how to write it.

Regarding SSLTestConfig, I'm a little suspicious about the test
handling a property that Solr itself *should* be handling.  In fact,
looking at that test, I suspect that it is doing a LOT of things
manually that other code should be handling.

For the patch, I just resurrected code removed by SOLR-4509 and updated
it to remove HttpClient deprecations.  I would appreciate a review to
see if it could be improved.  The boolean handling could likely be done
better.  I couldn't make any sense out of the deprecation notes in
HttpClient for the "old" way of setting the verification, so there might
be a better way of handling it.  It's also possible that I have
overlooked something that needs attention.

Thanks,
Shawn

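As an added illustration of the behaviour both posts describe (Joel: verification is always on in 7.x with no switch; Shawn: the patch wires the property back into HttpClient and its boolean handling could be tighter), here is example Java that is not the Solr patch or Solr's own code. It reads solr.ssl.checkPeerName, defaults to verification on, and lets only the literal value false disable it, logging loudly when it does. The class and method names are assumptions; the property name and the HttpClientUtil constant name come from the thread.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

// Hypothetical class name; not part of Solr. Builds an Apache HttpClient 4.x
// whose hostname verification follows the solr.ssl.checkPeerName property.
public final class PeerNameCheckingClient {
    // Same property name as in the thread (HttpClientUtil.SYS_PROP_CHECK_PEER_NAME).
    public static final String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.checkPeerName";

    // Strict boolean handling: only the exact token "false" disables verification.
    // Unset, empty, or unrecognised values keep the secure default (verify).
    static boolean checkPeerName(String rawValue) {
        if (rawValue == null) { return true; }
        String v = rawValue.trim();
        if (v.equalsIgnoreCase("false")) {
            return false;
        }
        if (!v.isEmpty() && !v.equalsIgnoreCase("true")) {
            System.err.println("WARN: unrecognised value '" + rawValue + "' for "
                + SYS_PROP_CHECK_PEER_NAME + "; hostname verification stays enabled");
        }
        return true;
    }

    // Disabling is logged loudly so it cannot silently survive into production.
    static HostnameVerifier verifierFor(boolean checkPeerName) {
        if (checkPeerName) {
            return new DefaultHostnameVerifier();
        }
        System.err.println("WARN: " + SYS_PROP_CHECK_PEER_NAME
            + "=false: TLS peer hostname verification is DISABLED");
        return NoopHostnameVerifier.INSTANCE;
    }

    // Installing the verifier on the SSL socket factory is the HttpClient 4.4+
    // way to control peer-name checking without the deprecated setters.
    public static CloseableHttpClient build() {
        boolean check = checkPeerName(System.getProperty(SYS_PROP_CHECK_PEER_NAME));
        SSLContext ctx = SSLContexts.createSystemDefault();
        SSLConnectionSocketFactory sslFactory = new SSLConnectionSocketFactory(ctx, verifierFor(check));
        return HttpClients.custom().setSSLSocketFactory(sslFactory).build();
    }
}
```

A regression test for the patch Shawn mentions could call checkPeerName with null, "", "FALSE " and "flase" and assert that only the third returns false.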