diff --git a/solr/bin/solr b/solr/bin/solr
index bc2d475e6d2..4d4b4d70bf2 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -213,7 +213,7 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
 SOLR_JETTY_CONFIG+=("--module=https" "--lib=$DEFAULT_SERVER_DIR/solr-webapp/webapp/WEB-INF/lib/*")
 if [ "${SOLR_SSL_RELOAD_ENABLED:-true}" == "true" ]; then
 SOLR_JETTY_CONFIG+=("--module=ssl-reload")
- SOLR_SSL_OPTS+=" -Dsolr.keyStoreReload.enabled=true"
+ SOLR_SSL_OPTS+=" -Dsolr.keystore.reload.enabled=true"
 fi
 SOLR_URL_SCHEME=https
 if [ -n "$SOLR_SSL_KEY_STORE" ]; then
@@ -245,10 +245,10 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
 fi
 if [ -n "$SOLR_SSL_NEED_CLIENT_AUTH" ]; then
- SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.needClientAuth=$SOLR_SSL_NEED_CLIENT_AUTH"
+ SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.need.client.auth.enabled=$SOLR_SSL_NEED_CLIENT_AUTH"
 fi
 if [ -n "$SOLR_SSL_WANT_CLIENT_AUTH" ]; then
- SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.wantClientAuth=$SOLR_SSL_WANT_CLIENT_AUTH"
+ SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.want.client.auth.enabled=$SOLR_SSL_WANT_CLIENT_AUTH"
 fi
 if [ -n "$SOLR_SSL_CLIENT_KEY_STORE" ]; then
@@ -274,7 +274,7 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
 fi
 if [ -n "$SOLR_SSL_CHECK_PEER_NAME" ]; then
- SOLR_SSL_OPTS+=" -Dsolr.ssl.checkPeerName=$SOLR_SSL_CHECK_PEER_NAME -Dsolr.jetty.ssl.sniHostCheck=$SOLR_SSL_CHECK_PEER_NAME"
+ SOLR_SSL_OPTS+=" -Dsolr.ssl.check.peer.name.enabled=$SOLR_SSL_CHECK_PEER_NAME -Dsolr.jetty.ssl.sni.host.check.enabled=$SOLR_SSL_CHECK_PEER_NAME"
 fi
 if [ -n "$SOLR_SSL_CLIENT_TRUST_STORE" ]; then
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index 76bcab0ba83..47296a8dbd0 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
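Review bot: Nothing in this hunk, or elsewhere in the diff visible here, keeps the old `-Dsolr.jetty.ssl.needClientAuth` / `wantClientAuth` spellings alive, so an installation that passes those properties directly through `SOLR_OPTS` rather than via `SOLR_SSL_NEED_CLIENT_AUTH` would come up after this change with client-certificate enforcement silently switched off — unless the Jetty side still resolves the old names, which the unreadable jetty-ssl.xml hunks in this view do not let me confirm. The same silent drop applies to `solr.keyStoreReload.enabled` in the first hunk, to `solr.ssl.checkPeerName` / `sniHostCheck` in the third, and to the three solr.cmd hunks. A transitional guard in the script, one per renamed property, such as `if [[ "$SOLR_OPTS" == *"-Dsolr.jetty.ssl.needClientAuth="* ]]; then echo "WARNING: solr.jetty.ssl.needClientAuth was renamed to solr.jetty.ssl.need.client.auth.enabled" >&2; fi`, together with an upgrade-notes entry, would make the rename fail loudly instead of quietly. The enclosing `if [ "$SOLR_SSL_ENABLED" == "true" ]` block starts and ends outside these hunks.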
@@ -103,7 +103,7 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
 set SOLR_URL_SCHEME=https
 IF "%SOLR_SSL_RELOAD_ENABLED%"=="true" (
 set "SOLR_JETTY_CONFIG=!SOLR_JETTY_CONFIG! --module=ssl-reload"
- set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.keyStoreReload.enabled=true"
+ set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.keystore.reload.enabled=true"
 )
 IF DEFINED SOLR_SSL_KEY_STORE (
 set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.keystore=%SOLR_SSL_KEY_STORE%"
@@ -133,10 +133,10 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
 )
 IF DEFINED SOLR_SSL_NEED_CLIENT_AUTH (
- set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.needClientAuth=%SOLR_SSL_NEED_CLIENT_AUTH%"
+ set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.need.client.auth.enabled=%SOLR_SSL_NEED_CLIENT_AUTH%"
 )
 IF DEFINED SOLR_SSL_WANT_CLIENT_AUTH (
- set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.wantClientAuth=%SOLR_SSL_WANT_CLIENT_AUTH%"
+ set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.want.client.auth.enabled=%SOLR_SSL_WANT_CLIENT_AUTH%"
 )
 IF DEFINED SOLR_SSL_CLIENT_KEY_STORE (
@@ -174,7 +174,7 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
 )
 )
 IF DEFINED SOLR_SSL_CHECK_PEER_NAME (
- set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.checkPeerName=%SOLR_SSL_CHECK_PEER_NAME% -Dsolr.jetty.ssl.sniHostCheck=%SOLR_SSL_CHECK_PEER_NAME%"
+ set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.check.peer.name.enabled=%SOLR_SSL_CHECK_PEER_NAME% -Dsolr.jetty.ssl.sni.host.check.enabled=%SOLR_SSL_CHECK_PEER_NAME%"
 )
 ) ELSE (
 set SOLR_SSL_OPTS=
diff --git a/solr/packaging/test/test_ssl.bats b/solr/packaging/test/test_ssl.bats
index 25615a6fd03..3115b7b619a 100644
--- a/solr/packaging/test/test_ssl.bats
+++ b/solr/packaging/test/test_ssl.bats
@@ -118,7 +118,7 @@ teardown() {
 # Restart the server enabling the SNI hostcheck
 export SOLR_SSL_CHECK_PEER_NAME=false
- export SOLR_OPTS="${SOLR_OPTS} -Dsolr.jetty.ssl.sniHostCheck=true"
+ export SOLR_OPTS="${SOLR_OPTS} -Dsolr.jetty.ssl.sni.host.check.enabled=true"
 solr restart
 # This should fail the SNI Hostname check
 run ! solr api --verbose --solr-url "https://localhost:${SOLR_PORT}/solr/admin/collections?action=CLUSTERSTATUS"
@@ -526,14 +526,14 @@ teardown() {
 # server1 will run on $SOLR_PORT and will use server1.keystore
 export SOLR_SSL_KEY_STORE=$ssl_dir/server1.keystore.p12
 export SOLR_SSL_TRUST_STORE=$ssl_dir/server1.keystore.p12
- solr start --jvm-opts "-Dsolr.jetty.sslContext.reload.scanInterval=1 -DsocketTimeout=5000"
+ solr start --jvm-opts "-Dsolr.jetty.ssl.context.reload.scan.interval.secs=1 -DsocketTimeout=5000"
 solr assert --started https://localhost:${SOLR_PORT} --timeout 5000
 # server2 will run on $SOLR2_PORT and will use server2.keystore. Initially, this is the same as server1.keystore
 export SOLR_SSL_KEY_STORE=$ssl_dir/server2.keystore.p12
 export SOLR_SSL_TRUST_STORE=$ssl_dir/server2.keystore.p12
- solr start -z localhost:${ZK_PORT} -p ${SOLR2_PORT} --jvm-opts "-Dsolr.jetty.sslContext.reload.scanInterval=1 -DsocketTimeout=5000"
+ solr start -z localhost:${ZK_PORT} -p ${SOLR2_PORT} --jvm-opts "-Dsolr.jetty.ssl.context.reload.scan.interval.secs=1 -DsocketTimeout=5000"
 solr assert --started https://localhost:${SOLR2_PORT} --timeout 5000
 # "test" collection is two shards, meaning there must be communication between shards for queries (handled by http shard handler factory)
diff --git a/solr/server/etc/jetty-ssl-context-reload.xml b/solr/server/etc/jetty-ssl-context-reload.xml
index 827d80c3529..d3084fbac54 100644
--- a/solr/server/etc/jetty-ssl-context-reload.xml
+++ b/solr/server/etc/jetty-ssl-context-reload.xml
@@ -6,7 +6,7 @@
-
+
diff --git a/solr/server/etc/jetty-ssl.xml b/solr/server/etc/jetty-ssl.xml
index 90cbc13c257..b759d8b5524 100644
--- a/solr/server/etc/jetty-ssl.xml
+++ b/solr/server/etc/jetty-ssl.xml
@@ -18,8 +18,8 @@
-
-
+
+
@@ -35,10 +35,10 @@
-
-
-
-
+
+
+
+
diff --git a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
index 5d49dd99fde..dc7c2341ab2 100644
--- a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
+++ b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
@@ -194,7 +194,7 @@ NOTE: If you have defined `ZK_HOST` in `solr.in.sh`/`solr.in.cmd` (see xref:zook
 Start each Solr node with the Solr control script as shown in the examples below.
 Customize the values for the parameters shown as necessary and add any used in your system.
-If you created the SSL key without all DNS names or IP addresses on which Solr nodes run, you can tell Solr to skip hostname verification for inter-node communications by setting the `-Dsolr.ssl.checkPeerName=false` system property.
+If you created the SSL key without all DNS names or IP addresses on which Solr nodes run, you can tell Solr to skip hostname verification for inter-node communications by setting the `-Dsolr.ssl.check.peer.name.enabled=false` system property.
 [tabs#cloud]
 ======
@@ -249,7 +249,7 @@ C:\> bin\solr.cmd -p 8984
 Solr can automatically reload KeyStore/TrustStore when certificates are updated without restarting.
 This is enabled by default when using SSL, but can be disabled by setting the environment variable `SOLR_SSL_RELOAD_ENABLED` to `false`.
 By default, Solr will check for updates in the KeyStore every 30 seconds, but this interval can be updated by passing the
-system property `solr.jetty.sslContext.reload.scanInterval` with the new interval in seconds on startup.
+system property `solr.jetty.ssl.context.reload.scan.interval.secs` with the new interval in seconds on startup.
 Note that the truststore file is not actively monitored, so if you need to apply changes to the truststore, you need to update it and after that touch the keystore to trigger a reload.
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
index 6f7d14c702e..dab3e979517 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
@@ -55,6 +55,7 @@ import org.apache.solr.common.params.SolrParams;
 import org.apache.solr.common.params.UpdateParams;
 import org.apache.solr.common.util.ContentStream;
+import org.apache.solr.common.util.EnvUtils;
 import org.apache.solr.common.util.ExecutorUtil;
 import org.apache.solr.common.util.NamedList;
 import org.apache.solr.common.util.ObjectReleaseTracker;
@@ -238,8 +239,10 @@ private HttpClient createHttpClient(Builder builder) {
 : sslConfig.createClientContextFactory();
 Long keyStoreReloadIntervalSecs = builder.keyStoreReloadIntervalSecs;
- if (keyStoreReloadIntervalSecs == null && Boolean.getBoolean("solr.keyStoreReload.enabled")) {
- keyStoreReloadIntervalSecs = Long.getLong("solr.jetty.sslContext.reload.scanInterval", 30);
+ if (keyStoreReloadIntervalSecs == null
+ && EnvUtils.getPropertyAsBool("solr.keystore.reload.enabled", false)) {
+ keyStoreReloadIntervalSecs =
+ EnvUtils.getPropertyAsLong("solr.jetty.ssl.context.reload.scan.interval.secs", 30l);
 }
 if (sslContextFactory != null
 && sslContextFactory.getKeyStoreResource() != null
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java
index 8c207364594..bc2bbaf9712 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java
@@ -52,7 +52,7 @@ public interface SolrHttpConstants {
 * System property consulted to determine if HTTP based SolrClients will require hostname
 * validation of SSL Certificates. The default behavior is to enforce peer name validation.
 */
- String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.checkPeerName";
+ String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.check.peer.name.enabled";
 /** Basic auth username */
 String PROP_BASIC_AUTH_USER = "httpBasicAuthUser";
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java
index c66bd436985..92d089f5ad2 100644
--- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java
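Review bot: The new condition reads only `solr.keystore.reload.enabled` and `solr.jetty.ssl.context.reload.scan.interval.secs`, so an application embedding SolrJ that still sets `-Dsolr.keyStoreReload.enabled=true` directly (not through bin/solr) will silently stop reloading its keystore after this change, unless `EnvUtils` resolves the old camelCase names as well, which is not visible here. A one-release fallback such as `|| Boolean.getBoolean("solr.keyStoreReload.enabled")` paired with a deprecation log line would make the rename safe to ship, and the Http2SolrClientTest hunk could then pin that both spellings are honoured. Separately, `30l` should be written `30L`, since the lowercase suffix reads as `301` in most fonts. The same concern applies to `SYS_PROP_CHECK_PEER_NAME` in the SolrHttpConstants hunk, where a stale `solr.ssl.checkPeerName=false` at least fails in the safe direction (hostname verification stays on). createHttpClient continues outside the hunk.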
@@ -440,25 +440,25 @@ public void testGetDefaultSslContextFactory() {
 System.clearProperty("javax.net.ssl.keyStoreType");
 System.clearProperty("javax.net.ssl.trustStoreType");
- System.setProperty("solr.ssl.checkPeerName", "true");
+ System.setProperty("solr.ssl.check.peer.name.enabled", "true");
 System.setProperty("javax.net.ssl.keyStoreType", "foo");
 System.setProperty("javax.net.ssl.trustStoreType", "bar");
 SslContextFactory.Client sslContextFactory2 = Http2SolrClient.getDefaultSslContextFactory();
 assertEquals("HTTPS", sslContextFactory2.getEndpointIdentificationAlgorithm());
 assertEquals("foo", sslContextFactory2.getKeyStoreType());
 assertEquals("bar", sslContextFactory2.getTrustStoreType());
- System.clearProperty("solr.ssl.checkPeerName");
+ System.clearProperty("solr.ssl.check.peer.name.enabled");
 System.clearProperty("javax.net.ssl.keyStoreType");
 System.clearProperty("javax.net.ssl.trustStoreType");
- System.setProperty("solr.ssl.checkPeerName", "false");
+ System.setProperty("solr.ssl.check.peer.name.enabled", "false");
 System.setProperty("javax.net.ssl.keyStoreType", "foo");
 System.setProperty("javax.net.ssl.trustStoreType", "bar");
 SslContextFactory.Client sslContextFactory3 = Http2SolrClient.getDefaultSslContextFactory();
 assertNull(sslContextFactory3.getEndpointIdentificationAlgorithm());
 assertEquals("foo", sslContextFactory3.getKeyStoreType());
 assertEquals("bar", sslContextFactory3.getTrustStoreType());
- System.clearProperty("solr.ssl.checkPeerName");
+ System.clearProperty("solr.ssl.check.peer.name.enabled");
 System.clearProperty("javax.net.ssl.keyStoreType");
 System.clearProperty("javax.net.ssl.trustStoreType");
 }