You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@solr.apache.org by ho...@apache.org on 2023/09/22 15:51:26 UTC
[solr] branch branch_9x updated: Small TLS integration test improvements
This is an automated email from the ASF dual-hosted git repository.
houston pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/branch_9x by this push:
new fcf3b7992cf Small TLS integration test improvements
fcf3b7992cf is described below
commit fcf3b7992cf4ace565005568425c98f3797cb701
Author: Houston Putman <ho...@apache.org>
AuthorDate: Tue Sep 19 11:21:35 2023 -0400
Small TLS integration test improvements
(cherry picked from commits ec8f236, 26777cb)
---
solr/packaging/test/test_ssl.bats | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/solr/packaging/test/test_ssl.bats b/solr/packaging/test/test_ssl.bats
index 2e9b01e263d..10266768b7e 100644
--- a/solr/packaging/test/test_ssl.bats
+++ b/solr/packaging/test/test_ssl.bats
@@ -58,6 +58,11 @@ teardown() {
run solr api -get "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
assert_output --partial '"numFound":0'
+
+ run curl --cacert "$ssl_dir/solr-ssl.pem" "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
+ assert_output --partial '"numFound":0'
+
+ run ! curl "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
}
@test "use different hostname when not checking peer-name" {
@@ -81,7 +86,7 @@ teardown() {
export SOLR_SSL_NEED_CLIENT_AUTH=false
export SOLR_SSL_WANT_CLIENT_AUTH=false
export SOLR_SSL_CHECK_PEER_NAME=false
- export SOLR_HOST=localhost
+ export SOLR_HOST=127.0.0.1
solr start -c
solr assert --started https://localhost:${SOLR_PORT}/solr --timeout 5000
@@ -89,11 +94,18 @@ teardown() {
run solr create -c test -s 2
assert_output --partial "Created collection 'test'"
+ run solr api -get "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
+ assert_output --partial '"numFound":0'
+
+ # Just test that curl can connect via insecure or via a custom host header
+ run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
+ assert_output --partial 'no alternative certificate subject name matches target host name'
+
# Just test that curl can connect via insecure or via a custom host header
run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" -k "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
assert_output --partial '"numFound":0'
- run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" -H "Host: test.solr.apache.org" "https://127.0.0.1:${SOLR_PORT}/solr/test/select?q=*:*"
+ run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" --resolve "test.solr.apache.org:${SOLR_PORT}:127.0.0.1" "https://test.solr.apache.org:${SOLR_PORT}/solr/test/select?q=*:*"
assert_output --partial '"numFound":0'
# This is a client setting, so we don't need to restart Solr to make sure that it fails
@@ -102,6 +114,18 @@ teardown() {
# This should fail the peername check
run ! solr api -get "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
assert_output --partial 'Server refused connection'
+
+ # Restart the server enabling the SNI hostcheck
+ export SOLR_SSL_CHECK_PEER_NAME=false
+ export SOLR_OPTS="${SOLR_OPTS} -Dsolr.jetty.ssl.sniHostCheck=true"
+ solr restart -c
+ # This should fail the SNI Hostname check
+ run ! solr api -verbose -get "https://localhost:${SOLR_PORT}/solr/admin/collections?action=CLUSTERSTATUS"
+ assert_output --partial 'Invalid SNI'
+
+ # Using the right hostname should not fail the SNI Hostname check
+ run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" --resolve "test.solr.apache.org:${SOLR_PORT}:127.0.0.1" "https://test.solr.apache.org:${SOLR_PORT}/solr/admin/collections?action=CLUSTERSTATUS"
+ assert_output --partial '"urlScheme":"https"'
}
@test "start solr with ssl and auth" {