lucene-dev mailing list archives

From Erick Erickson <erickerick...@gmail.com>
Subject Re: Solr TLS/SSL key alias configuration (with patch to come)
Date Wed, 31 Oct 2018 14:51:29 GMT
There's no reason I can imagine not to open a JIRA,
basically anyone willing to create a patch has my vote!

bq. I'm a bit worried that adding certAlias to jetty-ssl.xml might break
existing setups which don't use an alias.

Probably just add a note to the upgrade section of CHANGES.txt,
unless others disagree. I confess knowing very little about the
mechanics here.

BTW, don't know if you're familiar with asciidoc but in case not I
wanted to mention that there's an IntelliJ (and, I assume Eclipse)
plugin showing you the rendering, and you can also use Atom.

Best,
Erick

On Wed, Oct 31, 2018 at 7:41 AM Bram Van Dam <bram.vandam@intix.eu> wrote:
>
> Hey folks,
>
> Context:
> There's a jetty-ssl.xml config file which configures Jetty's
> SslContextFactory using properties set in solr.in.sh, but it's
> incomplete for some purposes.
>
> Problem:
> I've noticed that no "certAlias" property is present. This means that
> when Jetty starts, it will pick an arbitrary (based on some internal
> order, I guess?) key from the keystore to use. This is fine when you're
> only using your keystore for Solr and it only contains one key, but it
> makes life a lot more complicated in environments where keystores are
> managed and distributed to servers automagically.
>
> When you add a key to the keystore, you can assign an alias. Jetty can
> then use the key with that alias by means of its certAlias config property.
>
> The Solr documentation [1] confusingly assigns the alias "solr-ssl" to
> the key, but as far as I can tell this alias isn't actually used or
> referenced anywhere else.
>
> Solution:
> I'm currently dealing with a slightly more complicated TLS setup, so I
> propose I patch jetty-ssl.xml, solr.in.sh|cmd and enabling-ssl.adoc to
> (optionally) use the alias? Unless someone can think of a reason why I
> shouldn't do this?
>
> I'm a bit worried that adding certAlias to jetty-ssl.xml might break
> existing setups which don't use an alias, but I'm guessing that only
> keystores with more than one key will be affected?
>
>  - Bram
>
> [1] https://lucene.apache.org/solr/guide/7_5/enabling-ssl.html
>

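Since the thread is about keystores that hold more than one key, here is an added pre-flight check (my own illustration, not Solr or Jetty code) an operator could run before starting Solr: it loads the keystore, lists the private-key entries, and refuses when no alias is configured but several keys exist, or when the configured alias is not a key entry. The class name and command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Pre-flight check (illustration, not Solr code): list the private-key entries
// of a keystore and confirm the alias Jetty will be given actually exists.
public class CertAliasCheck {

    /** Aliases of all private-key entries; trusted-certificate-only entries are skipped. */
    static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> aliases = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    /** Returns null when the keystore is safe to use with certAlias, otherwise the reason.
     *  A null/empty certAlias models "no certAlias configured": Jetty picks a key itself. */
    static String check(KeyStore ks, String certAlias) throws Exception {
        List<String> keys = privateKeyAliases(ks);
        if (keys.isEmpty()) {
            return "keystore contains no private-key entry";
        }
        if (certAlias == null || certAlias.isEmpty()) {
            return keys.size() == 1 ? null
                : "no certAlias set and keystore has " + keys.size() + " key entries: " + keys;
        }
        return keys.contains(certAlias) ? null
            : "alias '" + certAlias + "' is not a key entry; found: " + keys;
    }

    // usage: java CertAliasCheck <keystore> <password> [certAlias]
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // PKCS12 on JDK 9+, also reads JKS
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        String problem = check(ks, args.length > 2 ? args[2] : null);
        System.out.println(problem == null ? "OK" : "REFUSING TO START: " + problem);
        System.exit(problem == null ? 0 : 1);
    }
}
```

Wiring the exit status into the start script makes a silently wrong certificate (the "arbitrary key" case Bram describes) a hard startup failure instead.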