Posted to commits@solr.apache.org by ho...@apache.org on 2023/09/22 15:51:26 UTC

[solr] branch branch_9x updated: Small TLS integration test improvements

This is an automated email from the ASF dual-hosted git repository.

houston pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git


The following commit(s) were added to refs/heads/branch_9x by this push:
     new fcf3b7992cf Small TLS integration test improvements
fcf3b7992cf is described below

commit fcf3b7992cf4ace565005568425c98f3797cb701
Author: Houston Putman <ho...@apache.org>
AuthorDate: Tue Sep 19 11:21:35 2023 -0400

    Small TLS integration test improvements
    
    (cherry picked from commits ec8f236, 26777cb)
---
 solr/packaging/test/test_ssl.bats | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/solr/packaging/test/test_ssl.bats b/solr/packaging/test/test_ssl.bats
index 2e9b01e263d..10266768b7e 100644
--- a/solr/packaging/test/test_ssl.bats
+++ b/solr/packaging/test/test_ssl.bats
@@ -58,6 +58,11 @@ teardown() {
 
   run solr api -get "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
   assert_output --partial '"numFound":0'
+
+  run curl --cacert "$ssl_dir/solr-ssl.pem" "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
+  assert_output --partial '"numFound":0'
+
+  run ! curl "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
 }
 
 @test "use different hostname when not checking peer-name" {
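Review bot: The negative case `run ! curl "https://localhost:${SOLR_PORT}/..."` passes on any non-zero exit, so a refused connection or a missing curl binary satisfies it just as well as a rejected certificate. Pinning the failure to certificate verification would make the test prove that an untrusted CA is refused: `run -60 curl "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"` (60 is curl's exit code for a peer certificate that cannot be verified). Alternatively, keep `run !` and add an `assert_output --partial` on the certificate error text. The test body starts above the hunk.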
@@ -81,7 +86,7 @@ teardown() {
   export SOLR_SSL_NEED_CLIENT_AUTH=false
   export SOLR_SSL_WANT_CLIENT_AUTH=false
   export SOLR_SSL_CHECK_PEER_NAME=false
-  export SOLR_HOST=localhost
+  export SOLR_HOST=127.0.0.1
 
   solr start -c
   solr assert --started https://localhost:${SOLR_PORT}/solr --timeout 5000
@@ -89,11 +94,18 @@ teardown() {
   run solr create -c test -s 2
   assert_output --partial "Created collection 'test'"
 
+  run solr api -get "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
+  assert_output --partial '"numFound":0'
+
+  # Just test that curl can connect via insecure or via a custom host header
+  run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
+  assert_output --partial 'no alternative certificate subject name matches target host name'
+
   # Just test that curl can connect via insecure or via a custom host header
   run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" -k "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
   assert_output --partial '"numFound":0'
 
-  run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" -H "Host: test.solr.apache.org" "https://127.0.0.1:${SOLR_PORT}/solr/test/select?q=*:*"
+  run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" --resolve "test.solr.apache.org:${SOLR_PORT}:127.0.0.1" "https://test.solr.apache.org:${SOLR_PORT}/solr/test/select?q=*:*"
   assert_output --partial '"numFound":0'
 
   # This is a client setting, so we don't need to restart Solr to make sure that it fails
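Review bot: The first added curl call (the one without `-k`) is expected to fail hostname verification, yet it uses plain `run` and sits under a copied comment saying curl can connect. Plain `run` does not check the exit status, so only the error text guards this case, and that wording may vary with the curl version and TLS backend. `run ! curl --http2 --cacert ...` (or `run -60 curl ...`) would assert the rejection itself. A fitting comment would be `# Without -k, curl must reject the certificate because its subject names do not match localhost`. The remaining "custom host header" comment is also stale now that the call uses `--resolve` instead of `-H "Host: ..."`.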
@@ -102,6 +114,18 @@ teardown() {
   # This should fail the peername check
   run ! solr api -get "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*"
   assert_output --partial 'Server refused connection'
+
+  # Restart the server enabling the SNI hostcheck
+  export SOLR_SSL_CHECK_PEER_NAME=false
+  export SOLR_OPTS="${SOLR_OPTS} -Dsolr.jetty.ssl.sniHostCheck=true"
+  solr restart -c
+  # This should fail the SNI Hostname check
+  run ! solr api -verbose -get "https://localhost:${SOLR_PORT}/solr/admin/collections?action=CLUSTERSTATUS"
+  assert_output --partial 'Invalid SNI'
+
+  # Using the right hostname should not fail the SNI Hostname check
+  run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" --resolve "test.solr.apache.org:${SOLR_PORT}:127.0.0.1" "https://test.solr.apache.org:${SOLR_PORT}/solr/admin/collections?action=CLUSTERSTATUS"
+  assert_output --partial '"urlScheme":"https"'
 }
 
 @test "start solr with ssl and auth" {
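Review bot: `export SOLR_SSL_CHECK_PEER_NAME=false` at the top of the added block has no comment, and the reason for it is not visible in the hunk. Presumably it undoes the client-side peer-name check enabled just above, so that the following failure can only come from the server's SNI check. A comment would make that explicit: `# Disable the client peer-name check again so the failure below is attributable to the server's SNI host check`. It may also be worth waiting for the restarted node before the first request, as the `solr assert --started` after `solr start -c` does earlier in this test, unless `solr restart` already blocks until Solr is listening.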