[GitHub] [solr] elyograg commented on a diff in pull request #585: SOLR-15955: Update Jetty dependency to 10

[GitBox <gi...@apache.org>]

elyograg commented on code in PR #585:
URL: https://github.com/apache/solr/pull/585#discussion_r1002857084


##########
solr/core/src/java/org/apache/solr/client/solrj/embedded/JettySolrRunner.java:
##########
@@ -304,7 +304,11 @@ private void init(int port) {
       ServerConnector connector;
       if (sslcontext != null) {
         configuration.setSecureScheme("https");
-        configuration.addCustomizer(new SecureRequestCustomizer());
+        SecureRequestCustomizer customizer = new SecureRequestCustomizer(false);
+        sslcontext.setSniRequired(false);
+        customizer.setSniHostCheck(false);

Review Comment:
   It would be extremely unlikely that Solr would ever have more than one certificate chain installed, so I don't think we need to worry about SNI.  We actively discourage running more than one webapp in the same container as Solr, which I think would be about the only time you'd actually want SNI.  If somebody wants to get that fancy, they are on their own for getting Jetty to support what they need.
   
   I'd really like to get to the point where we embed Jetty and manage the whole configuration ourselves.  Maybe have the Jetty configuration in solr.xml.  Then I think we could utilize bouncycastle to allow users to supply PEM files for TLS, to be converted on the fly at startup into what Java wants.  We are already including BC dependencies in Solr.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org