lucene-dev mailing list archives

From "Cao Manh Dat (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-12988) TestMiniSolrCloudClusterSSL.testSslWithCheckPeerName fails reliably on java11: "SSLPeerUnverifiedException: peer not authenticated"
Date Tue, 18 Jun 2019 09:42:00 GMT

[ https://issues.apache.org/jira/browse/SOLR-12988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16866425#comment-16866425 ]

Cao Manh Dat commented on SOLR-12988:
-------------------------------------

Hi guys, this is a problem that belongs to HttpClient + Java 11 (TLSv1.3) (HTTPCLIENT-1967).

To summarize the problem: this only happens on HttpClient + TLSv1.3, which is supported since Java 11.
The use case:
* an SSL connection gets resumed
* the server will assume that the client already has the server's certificate -> the server won't try to send the certificate to the client
* org.apache.http.conn.ssl.DefaultHostnameVerifier in all cases (resumed or new connection) always checks the host of the server to ensure that it matches the certificate
* since the certificate does not get resent to the client, at the point in time org.apache.http.conn.ssl.DefaultHostnameVerifier tried to get the server's certificate it received this error: {{throw new SSLPeerUnverifiedException("peer not authenticated")}}

I took a look at how the Jetty client deals with this problem; it seems that the proper way to handle the problem here is to let the Java SSLEngine handle endpoint verification by using {{SSLParameters}} rather than verifying the hostname manually like org.apache.http.conn.ssl.DefaultHostnameVerifier does.
-> If we completely remove usage of HttpClient in Solr, this problem will be solved.

The patch fixes the problem by forcing HttpClient to use TLSv1.2 or lower versions.

It seems that the problem affects anyone who uses Solr on Java 11 + SSL. Should we backport the fix to branch_8_1, so it can be released with the 8.1.2 bug fixes?

[~hossman] [~ctargett] What do you think?

> TestMiniSolrCloudClusterSSL.testSslWithCheckPeerName fails reliably on java11: "SSLPeerUnverifiedException: peer not authenticated"
> -----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-12988
>                 URL: https://issues.apache.org/jira/browse/SOLR-12988
>             Project: Solr
>          Issue Type: Test
>            Reporter: Hoss Man
>            Assignee: Cao Manh Dat
>            Priority: Major
>              Labels: Java11, Java12
>         Attachments: SOLR-13413.patch
>
>
> TestMiniSolrCloudClusterSSL.testSslWithCheckPeerName seems to fail 100% of the time when run with java11 (or java12), regardless of seed, on both master & 7x.
> The nature of the problem and the way our http stack works suggests it *may* ultimately be a jetty bug (perhaps related to [jetty issue#2711|https://github.com/eclipse/jetty.project/issues/2711]?)
> *HOWEVER* ... as far as I can tell, whatever the root cause is, it seems to have been fixed on the {{jira/http2}} branch (as of 52bc163dc1804c31af09c1fba99647005da415ad) which should hopefully be getting merged to master soon.
> Filing this issue largely for tracking purposes, although we may also want to use it for discussions/considerations of other backports/fixes to 7x
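The two remedies discussed in the comment above (pinning the protocol to TLSv1.2, or handing hostname verification to the JSSE engine via {{SSLParameters}} as the Jetty client does) side by side with the fragile post-handshake certificate lookup that produces "peer not authenticated" on a resumed TLS 1.3 session. This is an added, stand-alone illustration in plain JSSE; it is not code from Solr, HttpClient or the attached patch. The host {{solr.example.internal}} and port 8983 are placeholders, so pass a real TLS endpoint on the command line to run it.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added illustration (not Solr or HttpClient code) of how to avoid depending on a
 * post-handshake peer-certificate lookup, which has no certificate to return when a
 * TLS 1.3 session is resumed and the server does not resend its chain.
 */
public class EndpointIdentificationDemo {

    /** Workaround taken by the patch described in the comment: stay on TLSv1.2 (or lower). */
    static SSLParameters tls12Only(SSLParameters params) {
        params.setProtocols(new String[] {"TLSv1.2"});
        return params;
    }

    /**
     * What the Jetty client does: ask the JSSE engine to match the certificate against the
     * target host as part of the handshake, on both new and resumed sessions.
     */
    static SSLParameters engineVerifiesHostname(SSLParameters params) {
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return params;
    }

    /**
     * The fragile pattern: verify after the handshake by reading the peer chain from the session.
     * Returns the chain length, or -1 when the session carries no peer certificates, which is the
     * SSLPeerUnverifiedException("peer not authenticated") path from the report.
     */
    static int manualPeerChainLookup(SSLSocket socket) {
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            return chain.length;
        } catch (SSLPeerUnverifiedException e) {
            return -1;
        }
    }

    static SSLSocket connect(SSLSocketFactory factory, String host, int port, SSLParameters params)
            throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.setSSLParameters(params);
        // With engineVerifiesHostname a name mismatch fails here, before any application data flows.
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        // Placeholder endpoint; supply a real TLS host and port on the command line.
        String host = args.length > 0 ? args[0] : "solr.example.internal";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8983;

        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory factory = ctx.getSocketFactory();

        // Two connections from one SSLContext share its client session cache, so the
        // second handshake may be a resumption; compare the manual lookup result between them.
        for (int attempt = 1; attempt <= 2; attempt++) {
            SSLParameters params = engineVerifiesHostname(ctx.getDefaultSSLParameters());
            try (SSLSocket s = connect(factory, host, port, params)) {
                System.out.printf("attempt %d: protocol=%s, hostname checked by engine, manual chain lookup=%d%n",
                        attempt, s.getSession().getProtocol(), manualPeerChainLookup(s));
            }
        }
    }
}
```

Swapping {{engineVerifiesHostname}} for {{tls12Only}} in {{main}} reproduces the patch's workaround: the protocol stays at TLSv1.2, where the resumed session still carries the chain and the manual lookup keeps working. The engine-side check is the more durable option because it does not depend on the certificate being present in the session after the handshake at all.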



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
