[GitHub] [solr] HoustonPutman opened a new pull request, #1542: SOLR-16728: Fix SSL & HTTP2 classloading

["HoustonPutman (via GitHub)" <gi...@apache.org>]

HoustonPutman opened a new pull request, #1542:
URL: https://github.com/apache/solr/pull/1542

   Need to add integration tests with SSL.
   
   Also do we want to remove this security?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org

[GitHub] [solr] risdenk commented on a diff in pull request #1542: SOLR-16728: Fix SSL & HTTP2 classloading

["risdenk (via GitHub)" <gi...@apache.org>]

risdenk commented on code in PR #1542:
URL: https://github.com/apache/solr/pull/1542#discussion_r1157676372


##########
solr/packaging/test/test_ssl.bats:
##########
@@ -0,0 +1,61 @@
+#!/usr/bin/env bats
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load bats_helper
+
+setup() {
+  common_clean_setup
+}
+
+teardown() {
+  # save a snapshot of SOLR_HOME for failed tests
+  save_home_on_failure
+
+  solr stop -all >/dev/null 2>&1
+}
+
+@test "start solr with ssl" {
+  # Create a keystore
+  export ssl_dir="${BATS_TEST_TMPDIR}/ssl"
+  mkdir -p "$ssl_dir"
+  (
+    cd "$ssl_dir"
+    rm -f solr-ssl.keystore.p12 solr-ssl.pem
+    keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.p12 -storetype PKCS12 -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
+    openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem -passin pass:secret -passout pass:
+  )
+
+  # Set ENV_VARs so that Solr uses this keystore
+  export SOLR_SSL_ENABLED=true
+  export SOLR_SSL_KEY_STORE=$ssl_dir/solr-ssl.keystore.p12
+  export SOLR_SSL_KEY_STORE_PASSWORD=secret
+  export SOLR_SSL_TRUST_STORE=$ssl_dir/solr-ssl.keystore.p12
+  export SOLR_SSL_TRUST_STORE_PASSWORD=secret
+  export SOLR_SSL_NEED_CLIENT_AUTH=false
+  export SOLR_SSL_WANT_CLIENT_AUTH=false
+  export SOLR_SSL_CHECK_PEER_NAME=true
+  export SOLR_HOST=localhost
+
+  solr start -c
+  solr assert --started https://localhost:8983/solr --timeout 5000
+
+  run curl --cacert "$ssl_dir/solr-ssl.pem" 'https://localhost:8983/solr/admin/collections?action=CREATE&collection.configName=_default&name=test&numShards=2&replicationFactor=1&router.name=compositeId&wt=json'

Review Comment:
   nitL I think this can be done with `curl --cert-type P12 --cert ...` that should remove the need for converting with openssl?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org

[GitHub] [solr] HoustonPutman commented on pull request #1542: SOLR-16728: Fix SSL & HTTP2 classloading

["HoustonPutman (via GitHub)" <gi...@apache.org>]

HoustonPutman commented on PR #1542:
URL: https://github.com/apache/solr/pull/1542#issuecomment-1497529541

   I'm going to backport this to 9.2. This is a breaking change, so it will likely require a 9.2.1 release (even though users can fix it by updating the jetty context.)
   
   How quickly do y'all think we should get 9.2.1 out there? I'm happy to do the release again since I make the bug.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org

[GitHub] [solr] HoustonPutman merged pull request #1542: SOLR-16728: Fix SSL & HTTP2 classloading

["HoustonPutman (via GitHub)" <gi...@apache.org>]

HoustonPutman merged PR #1542:
URL: https://github.com/apache/solr/pull/1542


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org

[GitHub] [solr] HoustonPutman commented on pull request #1542: SOLR-16728: Fix SSL & HTTP2 classloading

["HoustonPutman (via GitHub)" <gi...@apache.org>]

HoustonPutman commented on PR #1542:
URL: https://github.com/apache/solr/pull/1542#issuecomment-1497580739

   I'll send an email to @dev in a bit then.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org

[GitHub] [solr] HoustonPutman commented on pull request #1542: SOLR-16728: Fix SSL & HTTP2 classloading

["HoustonPutman (via GitHub)" <gi...@apache.org>]

HoustonPutman commented on PR #1542:
URL: https://github.com/apache/solr/pull/1542#issuecomment-1496445221

   I added an SSL integration test, which hangs before this change and passes afterwards.
   
   You can reproduce via:
   
   ```
   ./gradlew integrationTest --tests "test_ssl.bats"
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org

[GitHub] [solr] HoustonPutman commented on a diff in pull request #1542: SOLR-16728: Fix SSL & HTTP2 classloading

["HoustonPutman (via GitHub)" <gi...@apache.org>]

HoustonPutman commented on code in PR #1542:
URL: https://github.com/apache/solr/pull/1542#discussion_r1157693400


##########
solr/packaging/test/test_ssl.bats:
##########
@@ -0,0 +1,61 @@
+#!/usr/bin/env bats
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load bats_helper
+
+setup() {
+  common_clean_setup
+}
+
+teardown() {
+  # save a snapshot of SOLR_HOME for failed tests
+  save_home_on_failure
+
+  solr stop -all >/dev/null 2>&1
+}
+
+@test "start solr with ssl" {
+  # Create a keystore
+  export ssl_dir="${BATS_TEST_TMPDIR}/ssl"
+  mkdir -p "$ssl_dir"
+  (
+    cd "$ssl_dir"
+    rm -f solr-ssl.keystore.p12 solr-ssl.pem
+    keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.p12 -storetype PKCS12 -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
+    openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem -passin pass:secret -passout pass:
+  )
+
+  # Set ENV_VARs so that Solr uses this keystore
+  export SOLR_SSL_ENABLED=true
+  export SOLR_SSL_KEY_STORE=$ssl_dir/solr-ssl.keystore.p12
+  export SOLR_SSL_KEY_STORE_PASSWORD=secret
+  export SOLR_SSL_TRUST_STORE=$ssl_dir/solr-ssl.keystore.p12
+  export SOLR_SSL_TRUST_STORE_PASSWORD=secret
+  export SOLR_SSL_NEED_CLIENT_AUTH=false
+  export SOLR_SSL_WANT_CLIENT_AUTH=false
+  export SOLR_SSL_CHECK_PEER_NAME=true
+  export SOLR_HOST=localhost
+
+  solr start -c
+  solr assert --started https://localhost:8983/solr --timeout 5000
+
+  run curl --cacert "$ssl_dir/solr-ssl.pem" 'https://localhost:8983/solr/admin/collections?action=CREATE&collection.configName=_default&name=test&numShards=2&replicationFactor=1&router.name=compositeId&wt=json'

Review Comment:
   So I tried this out a few ways, and since this is a self-signed cert, it doesn't work. 
   
   We have to use `--cacert` for self-signed certs, and that doesn't except a p12 type.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org

[GitHub] [solr] janhoy commented on pull request #1542: SOLR-16728: Fix SSL & HTTP2 classloading

["janhoy (via GitHub)" <gi...@apache.org>]

janhoy commented on PR #1542:
URL: https://github.com/apache/solr/pull/1542#issuecomment-1497554636

   Makes sense to start planning for a 9.2.1, and backport all relevant bug fixes, from this list https://issues.apache.org/jira/issues/?jql=project%20%3D%20SOLR%20AND%20issuetype%20%3D%20Bug%20AND%20affectedVersion%20%3D%209.2


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org