lucene-dev mailing list archives

From Bram Van Dam <bram.van...@intix.eu>
Subject Solr TLS/SSL key alias configuration (with patch to come)
Date Wed, 31 Oct 2018 14:40:59 GMT
Hey folks,

Context:
There's a jetty-ssl.xml config file which configures Jetty's
SslContextFactory using properties set in solr.in.sh, but it's
incomplete for some purposes.

Problem:
I've noticed that no "certAlias" property is present. This means that
when Jetty starts, it will pick an arbitrary (based on some internal
order, I guess?) key from the keystore to use. This is fine when you're
only using your keystore for Solr and it only contains one key, but it
makes life a lot more complicated in environments where keystores are
managed and distributed to servers automagically.

When you add a key to the keystore, you can assign an alias. Jetty can
then use the key with that alias by means of its certAlias config property.

The Solr documentation [1] confusingly assigns the alias "solr-ssl" to
the key, but as far as I can tell this alias isn't actually used or
referenced anywhere else.

Solution:
I'm currently dealing with a slightly more complicated TLS setup, so I
propose I patch jetty-ssl.xml, solr.in.sh|cmd and enabling-ssl.adoc to
(optionally) use the alias? Unless someone can think of a reason why I
shouldn't do this?

I'm a bit worried that adding certAlias to jetty-ssl.xml might break
existing setups which don't use an alias, but I'm guessing that only
keystores with more than one key will be affected?

 - Bram

[1] https://lucene.apache.org/solr/guide/7_5/enabling-ssl.html
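As an added illustration (not code from the post or from the Solr project), this is how the optional alias described above could be wired into jetty-ssl.xml using Jetty's `<Set>`/`<Property>` elements; the property name `solr.jetty.keystore.alias` and the surrounding path/password lines are assumptions standing in for the existing file's contents.

```xml
<!-- Added example, not Solr's actual jetty-ssl.xml.
     Property names other than certAlias itself are assumed for illustration. -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <!-- Settings already driven from solr.in.sh / solr.in.cmd via -D system properties -->
  <Set name="KeyStorePath"><Property name="solr.jetty.keystore"/></Set>
  <Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password"/></Set>

  <!-- Without certAlias, Jetty picks whichever key entry it encounters first, so a
       keystore holding several keys may present an unintended certificate to clients.
       With certAlias set, the selection is deterministic and auditable. -->
  <!-- No default is given on purpose: when the property is unset it resolves to null,
       SslContextFactory keeps its default selection, and single-key keystores that never
       configured an alias behave exactly as before. -->
  <Set name="CertAlias"><Property name="solr.jetty.keystore.alias"/></Set>
</Configure>
```

A quick way to confirm which entry will be chosen is to list the keystore's aliases and check that exactly one matches the configured value before restarting Solr.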
