lucene-dev mailing list archives

From "Bram Van Dam (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SOLR-12953) Support for TLS/SSL key alias configuration
Date Fri, 02 Nov 2018 07:53:00 GMT

     [ https://issues.apache.org/jira/browse/SOLR-12953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bram Van Dam updated SOLR-12953:
--------------------------------
    Attachment: SOLR-12953.patch

> Support for TLS/SSL key alias configuration
> -------------------------------------------
>
>                 Key: SOLR-12953
>                 URL: https://issues.apache.org/jira/browse/SOLR-12953
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 7.5
>            Reporter: Bram Van Dam
>            Priority: Major
>              Labels: patch
>             Fix For: 7.5.1
>
>         Attachments: SOLR-12953.patch, SOLR-12953.patch
>
>
> As discussed on the mailing list:
> *Context:*
> There's a jetty-ssl.xml config file which configures Jetty's SslContextFactory using properties set in solr.in.sh, but it's incomplete for some purposes.
> *Problem:*
> I've noticed that no "certAlias" property is present. This means that when Jetty starts, it will pick an arbitrary (based on some internal order, apparently the newest?) key from the keystore to use. This is fine when you're only using your keystore for Solr and it only contains one key, but it makes life a lot more complicated in environments where keystores are managed and distributed to servers automagically.
> When you add a key to the keystore, you can assign an alias. Jetty can then use the key with that alias by means of its certAlias config property.
> The Solr documentation [1] confusingly assigns the alias "solr-ssl" to the key, but as far as I can tell this alias isn't actually used or referenced anywhere else.
> *Solution:*
> I'm currently dealing with a slightly more complicated TLS setup, so I'm attaching a patch which adds an extra config property in order to (optionally) specify the key alias. When the option is omitted, the old behaviour remains unchanged. Patch modifies the configuration and includes updates to the enabling-ssl documentation.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
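
The kind of setting the issue asks for, sketched as an added example; it is not the attached patch and not Solr's shipped jetty-ssl.xml. Jetty's `SslContextFactory` has a `certAlias` property; the property names `example.keystore.path`, `example.keystore.password` and `example.ssl.key.alias`, the keystore path and the default alias value are placeholders assumed for illustration.

```xml
<!-- Added example: fragment of a Jetty XML file configuring SslContextFactory.
     All property names, the path and the alias are placeholders. -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

  <!-- Keystore location and password, supplied as properties at startup. -->
  <Set name="KeyStorePath">
    <Property name="example.keystore.path" default="./etc/keystore.jks"/>
  </Set>
  <Set name="KeyStorePassword">
    <Property name="example.keystore.password"/>
  </Set>

  <!-- Before: with no certAlias element, Jetty selects a key from the
       keystore on its own. With a single key that is harmless; with a
       shared, centrally managed keystore the server may present a
       certificate that was issued for a different service. -->

  <!-- After: pin the key by alias, so adding or rotating other entries
       in the keystore cannot change which certificate is served. -->
  <Set name="certAlias">
    <Property name="example.ssl.key.alias" default="solr-ssl"/>
  </Set>

</Configure>
```

This fragment always pins an alias, whereas the issue describes the option as optional. The alias has to name a key entry that exists in the keystore; `keytool -list -keystore <path>` prints the aliases it contains.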
