lucene-dev mailing list archives

From "Bram Van Dam (JIRA)" <>
Subject [jira] [Created] (SOLR-12953) Support for TLS/SSL key alias configuration
Date Thu, 01 Nov 2018 14:22:00 GMT
Bram Van Dam created SOLR-12953:

             Summary: Support for TLS/SSL key alias configuration
                 Key: SOLR-12953
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 7.5
            Reporter: Bram Van Dam
             Fix For: 7.5.1

As discussed on the mailing list:

There's a jetty-ssl.xml config file which configures Jetty's SslContextFactory using properties
set in, but it's incomplete for some purposes.

I've noticed that no "certAlias" property is present. This means that when Jetty starts, it
will pick an arbitrary (based on some internal order, apparently the newest?) key from the
keystore to use. This is fine when you're only using your keystore for Solr and it only contains
one key, but it makes life a lot more complicated in environments where keystores are managed
and distributed to servers automagically.

When you add a key to the keystore, you can assign an alias. Jetty can then use the key with
that alias by means of its certAlias config property.

The Solr documentation [1] confusingly assigns the alias "solr-ssl" to the key, but as far
as I can tell this alias isn't actually used or referenced anywhere else. 

I'm currently dealing with a slightly more complicated TLS setup, so I'm attaching a patch
which adds an extra config property in order to (optionally) specify the key alias. When the
option is omitted, the old behaviour remains unchanged.

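The ambiguity described in the message (several private keys in one keystore, no alias pinned) can be checked for from the output of `keytool -list`. This is an added example, not part of the original message or the attached patch; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SOLR-12953 patch): flag keystores where the
# server key is ambiguous because no alias is pinned.

# Constructed `keytool -list` output; aliases, dates, fingerprints are made up.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

solr-ssl, Nov 1, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
batch-client, Oct 30, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 44:55:66:77
corp-root-ca, Jan 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): 88:99:AA:BB'

# Print "alias<TAB>entry-type" for each entry line of a keytool listing.
list_entries() {
    printf '%s\n' "$1" | awk '
        /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),[ \t]*$/ {
            line = $0
            sub(/,[ \t]*$/, "", line)      # keytool ends the line with ", "
            n = split(line, f, ", ")
            print f[1] "\t" f[n]
        }'
}

# check_alias LISTING [ALIAS] prints one verdict:
#   ok         ALIAS names a private key, or no ALIAS and exactly one key
#   ambiguous  no ALIAS and several private keys: the choice is left to Jetty
#   missing    ALIAS (or any private key at all) is absent
#   not-a-key  ALIAS exists but is not a PrivateKeyEntry
# Assumption: the keystore type ignores alias case, as the JDK's JKS does.
check_alias() {
    list_entries "$1" | awk -F'\t' -v want="${2:-}" '
        $2 == "PrivateKeyEntry" { keys++ }
        want != "" && tolower($1) == tolower(want) { found = 1; type = $2 }
        END {
            if (want == "" && keys > 1)         print "ambiguous"
            else if (want == "" && keys == 1)   print "ok"
            else if (want == "" || !found)      print "missing"
            else if (type != "PrivateKeyEntry") print "not-a-key"
            else                                print "ok"
        }'
}

check_alias "$SAMPLE_LISTING"            # no alias pinned
check_alias "$SAMPLE_LISTING" solr-ssl   # alias pinned to a private key
```

Against a real keystore, pass the text printed by `keytool -list -keystore <path>` as the first argument and the alias you intend to configure as the second.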