lucene-dev mailing list archives

From "Erick Erickson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-9609) Change hard-coded keysize from 512 to 1024
Date Mon, 31 Oct 2016 17:17:58 GMT

    [ https://issues.apache.org/jira/browse/SOLR-9609?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15622770#comment-15622770 ]

Erick Erickson commented on SOLR-9609:
--------------------------------------

[~janhoy] As a sysprop every solr.in.sh file (or whatever) would have to be modified, leaving
the chance of one of your N nodes not getting the update. Putting it up on Zookeeper in security.json
makes that much less likely.

Hmmm, but what about sequencing here? In order to pull it from security.json, we need to be
able to connect to Zookeeper. I'm assuming that this is irrelevant for fetching the security.json
file from Zookeeper? You see where this is going, if we have to have this value correctly
set in order to get data from Zookeeper, then it must go in solr.in.sh......

That said, I don't have a strong opinion here although I slightly lean towards putting this
in the security.json file unless that'd be a problem.

NOTE: SOLR-9481 appears to have been committed to 6x, so if we choose to put this in security.json
we can go forward with this ticket.

I've assigned it to myself to not lose track of it, but anyone else who wants to pick it up
please feel free.

Erick

> Change hard-coded keysize from 512 to 1024
> ------------------------------------------
>
>                 Key: SOLR-9609
>                 URL: https://issues.apache.org/jira/browse/SOLR-9609
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Jeremy Martini
>            Assignee: Erick Erickson
>         Attachments: SOLR-9609.patch, SOLR-9609.patch, solr.log
>
>
> In order to configure our dataSource without requiring a plaintext password in the configuration
> file, we extended JdbcDataSource to create our own custom implementation. Our dataSource config
> now looks something like this:
> {code:xml}
> <dataSource type="com.foo.FooDataSource" driver="oracle.jdbc.OracleDriver" url="jdbc:oracle:thin:@db-host-machine:1521:tst1"
>             user="testuser" password="{ENC}{1.1}1ePOfWcbOIU056gKiLTrLw=="/>
> {code}
> We are using the RSA JSAFE Crypto-J libraries for encrypting/decrypting the password.
> However, this seems to cause an issue when we try to use Solr in a Cloud Configuration (using
> Zookeeper). The error is "Strong key gen and multiprime gen require at least 1024-bit keysize."
> Full log attached.
> This seems to be due to the hard-coded value of 512 in the org.apache.solr.util.CryptoKeys$RSAKeyPair
> class:
> {code:java}
> public RSAKeyPair() {
>   KeyPairGenerator keyGen = null;
>   try {
>     keyGen = KeyPairGenerator.getInstance("RSA");
>   } catch (NoSuchAlgorithmException e) {
>     throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
>   }
>   keyGen.initialize(512);
> {code}
> I pulled down the Solr code, changed the hard-coded value to 1024, rebuilt it, and now
> everything seems to work great.
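
Added example, not part of the original message or of Solr's code: one way the RSA key size could be read from a system property instead of being hard-coded, with a floor so that a node carrying a bad value fails at startup rather than silently generating a weaker key. The property name example.rsa.keysize and the class name are hypothetical; using 1024 as both default and minimum is an assumption taken from the ticket title.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;

public class ConfigurableRsaKeyPair {
  // Hypothetical property name, chosen for this example only.
  static final String KEY_SIZE_PROP = "example.rsa.keysize";
  // Assumption: 1024 (the value proposed in the ticket title) as default and floor.
  static final int DEFAULT_KEY_SIZE = 1024;
  static final int MIN_KEY_SIZE = 1024;

  /** Resolve the key size from the system property, rejecting bad values. */
  static int resolveKeySize() {
    String raw = System.getProperty(KEY_SIZE_PROP);
    if (raw == null || raw.trim().isEmpty()) {
      return DEFAULT_KEY_SIZE; // property not set on this node
    }
    final int size;
    try {
      size = Integer.parseInt(raw.trim());
    } catch (NumberFormatException e) {
      throw new IllegalArgumentException(KEY_SIZE_PROP + " is not an integer: " + raw, e);
    }
    if (size < MIN_KEY_SIZE) {
      // Refuse to start with a key smaller than the floor.
      throw new IllegalArgumentException(
          KEY_SIZE_PROP + "=" + size + " is below the minimum of " + MIN_KEY_SIZE);
    }
    return size;
  }

  /** Generate an RSA key pair using the resolved (not hard-coded) size. */
  static KeyPair generate() throws NoSuchAlgorithmException {
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(resolveKeySize());
    return keyGen.generateKeyPair();
  }

  public static void main(String[] args) throws Exception {
    // Print the effective modulus size so a node that missed a config
    // update shows up in its own startup output.
    RSAPublicKey pub = (RSAPublicKey) generate().getPublic();
    System.out.println("RSA modulus bits: " + pub.getModulus().bitLength());
  }
}
```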


