From 3c5200348c181596e62b3427160eff1fc86afe9b Mon Sep 17 00:00:00 2001 From: Eric Pugh Date: Thu, 6 Nov 2025 06:49:47 -0500 Subject: [PATCH 1/5] Solr keystore property renames solr.keyStoreReload.enabled -> solr.keystore.reload.enabled solr.jetty.sslContext.reload.scanInterval --> solr.jetty.ssl.context.reload.scan.interval.secs --- solr/bin/solr | 2 +- solr/bin/solr.cmd | 2 +- solr/packaging/test/test_ssl.bats | 4 ++-- solr/server/etc/jetty-ssl-context-reload.xml | 2 +- .../modules/deployment-guide/pages/enabling-ssl.adoc | 2 +- .../org/apache/solr/client/solrj/impl/Http2SolrClient.java | 7 +++++-- 6 files changed, 11 insertions(+), 8 deletions(-) diff --git a/solr/bin/solr b/solr/bin/solr index bc2d475e6d2..ea7e3a53386 100755 --- a/solr/bin/solr +++ b/solr/bin/solr @@ -213,7 +213,7 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then SOLR_JETTY_CONFIG+=("--module=https" "--lib=$DEFAULT_SERVER_DIR/solr-webapp/webapp/WEB-INF/lib/*") if [ "${SOLR_SSL_RELOAD_ENABLED:-true}" == "true" ]; then SOLR_JETTY_CONFIG+=("--module=ssl-reload") - SOLR_SSL_OPTS+=" -Dsolr.keyStoreReload.enabled=true" + SOLR_SSL_OPTS+=" -Dsolr.keystore.reload.enabled=true" fi SOLR_URL_SCHEME=https if [ -n "$SOLR_SSL_KEY_STORE" ]; then diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd index 76bcab0ba83..caf24409a58 100755 --- a/solr/bin/solr.cmd +++ b/solr/bin/solr.cmd @@ -103,7 +103,7 @@ IF "%SOLR_SSL_ENABLED%"=="true" ( set SOLR_URL_SCHEME=https IF "%SOLR_SSL_RELOAD_ENABLED%"=="true" ( set "SOLR_JETTY_CONFIG=!SOLR_JETTY_CONFIG! --module=ssl-reload" - set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.keyStoreReload.enabled=true" + set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.keystore.reload.enabled=true" ) IF DEFINED SOLR_SSL_KEY_STORE ( set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.keystore=%SOLR_SSL_KEY_STORE%" diff --git a/solr/packaging/test/test_ssl.bats b/solr/packaging/test/test_ssl.bats index 25615a6fd03..fda80f9a912 100644 --- a/solr/packaging/test/test_ssl.bats +++ b/solr/packaging/test/test_ssl.bats 
@@ -526,14 +526,14 @@ teardown() { # server1 will run on $SOLR_PORT and will use server1.keystore export SOLR_SSL_KEY_STORE=$ssl_dir/server1.keystore.p12 export SOLR_SSL_TRUST_STORE=$ssl_dir/server1.keystore.p12 - solr start --jvm-opts "-Dsolr.jetty.sslContext.reload.scanInterval=1 -DsocketTimeout=5000" + solr start --jvm-opts "-Dsolr.jetty.ssl.context.reload.scan.interval.secs=1 -DsocketTimeout=5000" solr assert --started https://localhost:${SOLR_PORT} --timeout 5000 # server2 will run on $SOLR2_PORT and will use server2.keystore. Initially, this is the same as server1.keystore export SOLR_SSL_KEY_STORE=$ssl_dir/server2.keystore.p12 export SOLR_SSL_TRUST_STORE=$ssl_dir/server2.keystore.p12 - solr start -z localhost:${ZK_PORT} -p ${SOLR2_PORT} --jvm-opts "-Dsolr.jetty.sslContext.reload.scanInterval=1 -DsocketTimeout=5000" + solr start -z localhost:${ZK_PORT} -p ${SOLR2_PORT} --jvm-opts "-Dsolr.jetty.ssl.context.reload.scan.interval.secs=1 -DsocketTimeout=5000" solr assert --started https://localhost:${SOLR2_PORT} --timeout 5000 # "test" collection is two shards, meaning there must be communication between shards for queries (handled by http shard handler factory) diff --git a/solr/server/etc/jetty-ssl-context-reload.xml b/solr/server/etc/jetty-ssl-context-reload.xml index 827d80c3529..d3084fbac54 100644 --- a/solr/server/etc/jetty-ssl-context-reload.xml +++ b/solr/server/etc/jetty-ssl-context-reload.xml @@ -6,7 +6,7 @@ - + diff --git a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc index 5d49dd99fde..29c4ffe3d34 100644 --- a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc +++ b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc 
@@ -249,7 +249,7 @@ C:\> bin\solr.cmd -p 8984 Solr can automatically reload KeyStore/TrustStore when certificates are updated without restarting. This is enabled by default when using SSL, but can be disabled by setting the environment variable `SOLR_SSL_RELOAD_ENABLED` to `false`. By default, Solr will check for updates in the KeyStore every 30 seconds, but this interval can be updated by passing the -system property `solr.jetty.sslContext.reload.scanInterval` with the new interval in seconds on startup. +system property `solr.jetty.ssl.context.reload.scan.interval.secs` with the new interval in seconds on startup. Note that the truststore file is not actively monitored, so if you need to apply changes to the truststore, you need to update it and after that touch the keystore to trigger a reload. diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java index 6f7d14c702e..dab3e979517 100644 --- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java +++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java @@ -55,6 +55,7 @@ import org.apache.solr.common.params.SolrParams; import org.apache.solr.common.params.UpdateParams; import org.apache.solr.common.util.ContentStream; +import org.apache.solr.common.util.EnvUtils; import org.apache.solr.common.util.ExecutorUtil; import org.apache.solr.common.util.NamedList; import org.apache.solr.common.util.ObjectReleaseTracker; 
@@ -238,8 +239,10 @@ private HttpClient createHttpClient(Builder builder) { : sslConfig.createClientContextFactory(); Long keyStoreReloadIntervalSecs = builder.keyStoreReloadIntervalSecs; - if (keyStoreReloadIntervalSecs == null && Boolean.getBoolean("solr.keyStoreReload.enabled")) { - keyStoreReloadIntervalSecs = Long.getLong("solr.jetty.sslContext.reload.scanInterval", 30); + if (keyStoreReloadIntervalSecs == null + && EnvUtils.getPropertyAsBool("solr.keystore.reload.enabled", false)) { + keyStoreReloadIntervalSecs = + EnvUtils.getPropertyAsLong("solr.jetty.ssl.context.reload.scan.interval.secs", 30l); } if (sslContextFactory != null && sslContextFactory.getKeyStoreResource() != null From c2ccc9d75315a99491b6098671f2c73ff6445d4b Mon Sep 17 00:00:00 2001 From: Eric Pugh Date: Thu, 6 Nov 2025 07:17:30 -0500 Subject: [PATCH 2/5] use standard property name for boolean system properties --- solr/bin/solr | 6 +++--- solr/bin/solr.cmd | 6 +++--- solr/packaging/test/test_ssl.bats | 2 +- solr/server/etc/jetty-ssl.xml | 12 ++++++------ .../modules/deployment-guide/pages/enabling-ssl.adoc | 2 +- .../solr/client/solrj/impl/SolrHttpConstants.java | 2 +- .../solr/client/solrj/impl/Http2SolrClientTest.java | 8 ++++---- 7 files changed, 19 insertions(+), 19 deletions(-) diff --git a/solr/bin/solr b/solr/bin/solr index ea7e3a53386..cef72d6dda6 100755 --- a/solr/bin/solr +++ b/solr/bin/solr @@ -245,10 +245,10 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then fi if [ -n "$SOLR_SSL_NEED_CLIENT_AUTH" ]; then - SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.needClientAuth=$SOLR_SSL_NEED_CLIENT_AUTH" + SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.need.client.auth.enabled=$SOLR_SSL_NEED_CLIENT_AUTH" fi if [ -n "$SOLR_SSL_WANT_CLIENT_AUTH" ]; then - SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.wantClientAuth=$SOLR_SSL_WANT_CLIENT_AUTH" + SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.want.client.auth.enabled=$SOLR_SSL_WANT_CLIENT_AUTH" fi if [ -n "$SOLR_SSL_CLIENT_KEY_STORE" ]; then 
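Review bot: The lookup in createHttpClient now reads only `solr.keystore.reload.enabled` and `solr.jetty.ssl.context.reload.scan.interval.secs`, so a SolrJ client still started with `-Dsolr.keyStoreReload.enabled=true` silently stops reloading its keystore and would presumably keep presenting the old certificate after a rotation until it is restarted. Unless EnvUtils already maps the old names (not visible in this hunk), either keep a fallback read of the old keys with a deprecation warning or call the rename out in the upgrade notes. Separately, write the default as `30L`; the lowercase suffix in `30l` is easily misread as `301`. createHttpClient starts and ends outside the hunk.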
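Review bot: The renames of `solr.jetty.ssl.needClientAuth` and `solr.jetty.ssl.wantClientAuth` are not backward compatible for operators who pass the old `-D` names directly (for example through SOLR_OPTS) instead of the `SOLR_SSL_NEED_CLIENT_AUTH` / `SOLR_SSL_WANT_CLIENT_AUTH` variables handled here. Those flags gate client-certificate authentication, so if jetty-ssl.xml falls back to a permissive default when the new property is unset (its contents are not readable on this page), an upgraded node would accept connections without a client certificate and nothing would be logged. I would add a comment above the two assignments such as `# replaces solr.jetty.ssl.needClientAuth / wantClientAuth; the old names are no longer read`, and list the old-to-new mapping in the upgrade notes. The enclosing `if [ "$SOLR_SSL_ENABLED" == "true" ]` block starts and ends outside the hunk.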
@@ -274,7 +274,7 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then fi if [ -n "$SOLR_SSL_CHECK_PEER_NAME" ]; then - SOLR_SSL_OPTS+=" -Dsolr.ssl.checkPeerName=$SOLR_SSL_CHECK_PEER_NAME -Dsolr.jetty.ssl.sniHostCheck=$SOLR_SSL_CHECK_PEER_NAME" + SOLR_SSL_OPTS+=" -Dsolr.ssl.check.peer.name=$SOLR_SSL_CHECK_PEER_NAME -Dsolr.jetty.ssl.sni.host.check.enabled=$SOLR_SSL_CHECK_PEER_NAME" fi if [ -n "$SOLR_SSL_CLIENT_TRUST_STORE" ]; then diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd index caf24409a58..47296a8dbd0 100755 --- a/solr/bin/solr.cmd +++ b/solr/bin/solr.cmd @@ -133,10 +133,10 @@ IF "%SOLR_SSL_ENABLED%"=="true" ( ) IF DEFINED SOLR_SSL_NEED_CLIENT_AUTH ( - set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.needClientAuth=%SOLR_SSL_NEED_CLIENT_AUTH%" + set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.need.client.auth.enabled=%SOLR_SSL_NEED_CLIENT_AUTH%" ) IF DEFINED SOLR_SSL_WANT_CLIENT_AUTH ( - set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.wantClientAuth=%SOLR_SSL_WANT_CLIENT_AUTH%" + set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.want.client.auth.enabled=%SOLR_SSL_WANT_CLIENT_AUTH%" ) IF DEFINED SOLR_SSL_CLIENT_KEY_STORE ( @@ -174,7 +174,7 @@ IF "%SOLR_SSL_ENABLED%"=="true" ( ) ) IF DEFINED SOLR_SSL_CHECK_PEER_NAME ( - set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.checkPeerName=%SOLR_SSL_CHECK_PEER_NAME% -Dsolr.jetty.ssl.sniHostCheck=%SOLR_SSL_CHECK_PEER_NAME%" + set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.check.peer.name.enabled=%SOLR_SSL_CHECK_PEER_NAME% -Dsolr.jetty.ssl.sni.host.check.enabled=%SOLR_SSL_CHECK_PEER_NAME%" ) ) ELSE ( set SOLR_SSL_OPTS= diff --git a/solr/packaging/test/test_ssl.bats b/solr/packaging/test/test_ssl.bats index fda80f9a912..3115b7b619a 100644 --- a/solr/packaging/test/test_ssl.bats +++ b/solr/packaging/test/test_ssl.bats 
@@ -118,7 +118,7 @@ teardown() { # Restart the server enabling the SNI hostcheck export SOLR_SSL_CHECK_PEER_NAME=false - export SOLR_OPTS="${SOLR_OPTS} -Dsolr.jetty.ssl.sniHostCheck=true" + export SOLR_OPTS="${SOLR_OPTS} -Dsolr.jetty.ssl.sni.host.check.enabled=true" solr restart # This should fail the SNI Hostname check run ! solr api --verbose --solr-url "https://localhost:${SOLR_PORT}/solr/admin/collections?action=CLUSTERSTATUS" diff --git a/solr/server/etc/jetty-ssl.xml b/solr/server/etc/jetty-ssl.xml index 90cbc13c257..b759d8b5524 100644 --- a/solr/server/etc/jetty-ssl.xml +++ b/solr/server/etc/jetty-ssl.xml @@ -18,8 +18,8 @@ - - + + @@ -35,10 +35,10 @@ - - - - + + + + diff --git a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc index 29c4ffe3d34..dc7c2341ab2 100644 --- a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc +++ b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc @@ -194,7 +194,7 @@ NOTE: If you have defined `ZK_HOST` in `solr.in.sh`/`solr.in.cmd` (see xref:zook Start each Solr node with the Solr control script as shown in the examples below. Customize the values for the parameters shown as necessary and add any used in your system. -If you created the SSL key without all DNS names or IP addresses on which Solr nodes run, you can tell Solr to skip hostname verification for inter-node communications by setting the `-Dsolr.ssl.checkPeerName=false` system property. +If you created the SSL key without all DNS names or IP addresses on which Solr nodes run, you can tell Solr to skip hostname verification for inter-node communications by setting the `-Dsolr.ssl.check.peer.name.enabled=false` system property. [tabs#cloud] ====== 
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java index 8c207364594..9b2e776cf95 100644 --- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java +++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java @@ -52,7 +52,7 @@ public interface SolrHttpConstants { * System property consulted to determine if HTTP based SolrClients will require hostname * validation of SSL Certificates. The default behavior is to enforce peer name validation. */ - String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.checkPeerName"; + String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.peer.name.enabled"; /** Basic auth username */ String PROP_BASIC_AUTH_USER = "httpBasicAuthUser"; diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java index c66bd436985..1f3324ce6c3 100644 --- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java +++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java 
@@ -440,25 +440,25 @@ public void testGetDefaultSslContextFactory() { System.clearProperty("javax.net.ssl.keyStoreType"); System.clearProperty("javax.net.ssl.trustStoreType"); - System.setProperty("solr.ssl.checkPeerName", "true"); + System.setProperty("solr.ssl.check.peer.name.enabled", "true"); System.setProperty("javax.net.ssl.keyStoreType", "foo"); System.setProperty("javax.net.ssl.trustStoreType", "bar"); SslContextFactory.Client sslContextFactory2 = Http2SolrClient.getDefaultSslContextFactory(); assertEquals("HTTPS", sslContextFactory2.getEndpointIdentificationAlgorithm()); assertEquals("foo", sslContextFactory2.getKeyStoreType()); assertEquals("bar", sslContextFactory2.getTrustStoreType()); - System.clearProperty("solr.ssl.checkPeerName"); + System.clearProperty("solr.ssl.peer.name.enabled"); System.clearProperty("javax.net.ssl.keyStoreType"); System.clearProperty("javax.net.ssl.trustStoreType"); - System.setProperty("solr.ssl.checkPeerName", "false"); + System.setProperty("solr.ssl.peer.name.enabled", "false"); System.setProperty("javax.net.ssl.keyStoreType", "foo"); System.setProperty("javax.net.ssl.trustStoreType", "bar"); SslContextFactory.Client sslContextFactory3 = Http2SolrClient.getDefaultSslContextFactory(); assertNull(sslContextFactory3.getEndpointIdentificationAlgorithm()); assertEquals("foo", sslContextFactory3.getKeyStoreType()); assertEquals("bar", sslContextFactory3.getTrustStoreType()); - System.clearProperty("solr.ssl.checkPeerName"); + System.clearProperty("solr.ssl.peer.name.enabled"); System.clearProperty("javax.net.ssl.keyStoreType"); System.clearProperty("javax.net.ssl.trustStoreType"); } From db43fe45c5be34bea69c6bcf1887af39cf2d9da3 Mon Sep 17 00:00:00 2001 From: Eric Pugh Date: Fri, 7 Nov 2025 08:56:49 -0500 Subject: [PATCH 3/5] Fix one bad rename to be correct. --- solr/bin/solr | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solr/bin/solr b/solr/bin/solr index cef72d6dda6..4d4b4d70bf2 100755 --- a/solr/bin/solr 
+++ b/solr/bin/solr @@ -274,7 +274,7 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then fi if [ -n "$SOLR_SSL_CHECK_PEER_NAME" ]; then - SOLR_SSL_OPTS+=" -Dsolr.ssl.check.peer.name=$SOLR_SSL_CHECK_PEER_NAME -Dsolr.jetty.ssl.sni.host.check.enabled=$SOLR_SSL_CHECK_PEER_NAME" + SOLR_SSL_OPTS+=" -Dsolr.ssl.check.peer.name.enabled=$SOLR_SSL_CHECK_PEER_NAME -Dsolr.jetty.ssl.sni.host.check.enabled=$SOLR_SSL_CHECK_PEER_NAME" fi if [ -n "$SOLR_SSL_CLIENT_TRUST_STORE" ]; then From b00b05d96e928f9dfbd5afbb8697b7a2d24dd4f0 Mon Sep 17 00:00:00 2001 From: Eric Pugh Date: Fri, 7 Nov 2025 12:08:39 -0500 Subject: [PATCH 4/5] Fix property name --- .../org/apache/solr/client/solrj/impl/SolrHttpConstants.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java index 9b2e776cf95..bc2bbaf9712 100644 --- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java +++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java @@ -52,7 +52,7 @@ public interface SolrHttpConstants { * System property consulted to determine if HTTP based SolrClients will require hostname * validation of SSL Certificates. The default behavior is to enforce peer name validation. */ - String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.peer.name.enabled"; + String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.check.peer.name.enabled"; /** Basic auth username */ String PROP_BASIC_AUTH_USER = "httpBasicAuthUser"; From 811153ae11957670309ed429c8a5a542de825c63 Mon Sep 17 00:00:00 2001 From: Eric Pugh Date: Fri, 7 Nov 2025 16:00:38 -0500 Subject: [PATCH 5/5] Fix a bad property rename --- .../apache/solr/client/solrj/impl/Http2SolrClientTest.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java index 1f3324ce6c3..92d089f5ad2 100644 --- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java +++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java @@ -447,18 +447,18 @@ public void testGetDefaultSslContextFactory() { assertEquals("HTTPS", sslContextFactory2.getEndpointIdentificationAlgorithm()); assertEquals("foo", sslContextFactory2.getKeyStoreType()); assertEquals("bar", sslContextFactory2.getTrustStoreType()); - System.clearProperty("solr.ssl.peer.name.enabled"); + System.clearProperty("solr.ssl.check.peer.name.enabled"); System.clearProperty("javax.net.ssl.keyStoreType"); System.clearProperty("javax.net.ssl.trustStoreType"); - System.setProperty("solr.ssl.peer.name.enabled", "false"); + System.setProperty("solr.ssl.check.peer.name.enabled", "false"); System.setProperty("javax.net.ssl.keyStoreType", "foo"); System.setProperty("javax.net.ssl.trustStoreType", "bar"); SslContextFactory.Client sslContextFactory3 = Http2SolrClient.getDefaultSslContextFactory(); assertNull(sslContextFactory3.getEndpointIdentificationAlgorithm()); assertEquals("foo", sslContextFactory3.getKeyStoreType()); assertEquals("bar", sslContextFactory3.getTrustStoreType()); - System.clearProperty("solr.ssl.peer.name.enabled"); + System.clearProperty("solr.ssl.check.peer.name.enabled"); System.clearProperty("javax.net.ssl.keyStoreType"); System.clearProperty("javax.net.ssl.trustStoreType"); }
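Review bot: testGetDefaultSslContextFactory spells the property name as a string literal in every setProperty/clearProperty call, which is how the set and clear calls drifted apart earlier in this series (`solr.ssl.check.peer.name.enabled` was set while `solr.ssl.peer.name.enabled` was cleared). Referencing the constant instead, `System.setProperty(SolrHttpConstants.SYS_PROP_CHECK_PEER_NAME, "false");` and `System.clearProperty(SolrHttpConstants.SYS_PROP_CHECK_PEER_NAME);`, keeps the test tied to the name that, per the constant's Javadoc, the HTTP clients consult. The clears also run only when the assertions pass; moving them into a `finally` block would stop a failed assertion from leaving the "false" setting (hostname verification off) in place for later tests in the same JVM. The method starts outside the hunk.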