lucene-dev mailing list archives

From Bram Van Dam <>
Subject Solr TLS/SSL key alias configuration (with patch to come)
Date Wed, 31 Oct 2018 14:40:59 GMT
Hey folks,

There's a jetty-ssl.xml config file which configures Jetty's
SslContextFactory using properties set in, but it's
incomplete for some purposes.

I've noticed that no "certAlias" property is present. This means that
when Jetty starts, it will pick an arbitrary (based on some internal
order, I guess?) key from the keystore to use. This is fine when you're
only using your keystore for Solr and it only contains one key, but it
makes life a lot more complicated in environments where keystores are
managed and distributed to servers automagically.

When you add a key to the keystore, you can assign an alias. Jetty can
then use the key with that alias by means of its certAlias config property.

The Solr documentation [1] confusingly assigns the alias "solr-ssl" to
the key, but as far as I can tell this alias isn't actually used or
referenced anywhere else.

I'm currently dealing with a slightly more complicated TLS setup, so I
propose I patch jetty-ssl.xml,|cmd and enabling-ssl.adoc to
(optionally) use the alias? Unless someone can think of a reason why I
shouldn't do this?

I'm a bit worried that adding certAlias to jetty-ssl.xml might break
existing setups which don't use an alias, but I'm guessing that only
keystores with more than one key will be affected?

 - Bram
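A jetty-ssl.xml fragment that pins the key by alias, added here as an illustration and not Bram's forthcoming patch; the `solr.jetty.certAlias` property name and the keystore defaults are assumptions, while `certAlias` itself is the Jetty SslContextFactory setter the message refers to:

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- Illustrative jetty-ssl.xml fragment, not Solr's shipped file. -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <!-- Keystore location and password, overridable with -D system properties
         (defaults here are placeholders, not Solr's real ones). -->
    <Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.jks"/></Set>
    <Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password" default="secret"/></Set>
    <!-- Pin the server key by alias so Jetty does not pick an arbitrary entry
         from a keystore that holds several keys. "solr.jetty.certAlias" is an
         assumed property name; "solr-ssl" is the alias the Solr docs assign. -->
    <Set name="certAlias"><Property name="solr.jetty.certAlias" default="solr-ssl"/></Set>
  </New>
</Configure>
```

Before deploying, run `keytool -list -keystore <path>` to confirm the alias is actually present in each distributed keystore, since an alias that is configured but absent is the compatibility concern the message raises.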
