apache · epugh · Nov 11, 2025 · Nov 6, 2025 · Nov 6, 2025 · Nov 7, 2025
diff --git a/solr/bin/solr b/solr/bin/solr
@@ -213,7 +213,7 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
   SOLR_JETTY_CONFIG+=("--module=https" "--lib=$DEFAULT_SERVER_DIR/solr-webapp/webapp/WEB-INF/lib/*")
   if [ "${SOLR_SSL_RELOAD_ENABLED:-true}" == "true" ]; then
     SOLR_JETTY_CONFIG+=("--module=ssl-reload")
-    SOLR_SSL_OPTS+=" -Dsolr.keyStoreReload.enabled=true"
+    SOLR_SSL_OPTS+=" -Dsolr.keystore.reload.enabled=true"
   fi
   SOLR_URL_SCHEME=https
   if [ -n "$SOLR_SSL_KEY_STORE" ]; then
@@ -245,10 +245,10 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
   fi
 
   if [ -n "$SOLR_SSL_NEED_CLIENT_AUTH" ]; then
-    SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.needClientAuth=$SOLR_SSL_NEED_CLIENT_AUTH"
+    SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.need.client.auth.enabled=$SOLR_SSL_NEED_CLIENT_AUTH"
   fi
   if [ -n "$SOLR_SSL_WANT_CLIENT_AUTH" ]; then
-    SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.wantClientAuth=$SOLR_SSL_WANT_CLIENT_AUTH"
+    SOLR_SSL_OPTS+=" -Dsolr.jetty.ssl.want.client.auth.enabled=$SOLR_SSL_WANT_CLIENT_AUTH"
   fi
 
   if [ -n "$SOLR_SSL_CLIENT_KEY_STORE" ]; then
@@ -274,7 +274,7 @@ if [ "$SOLR_SSL_ENABLED" == "true" ]; then
   fi
 
   if [ -n "$SOLR_SSL_CHECK_PEER_NAME" ]; then
-    SOLR_SSL_OPTS+=" -Dsolr.ssl.checkPeerName=$SOLR_SSL_CHECK_PEER_NAME -Dsolr.jetty.ssl.sniHostCheck=$SOLR_SSL_CHECK_PEER_NAME"
+    SOLR_SSL_OPTS+=" -Dsolr.ssl.check.peer.name.enabled=$SOLR_SSL_CHECK_PEER_NAME -Dsolr.jetty.ssl.sni.host.check.enabled=$SOLR_SSL_CHECK_PEER_NAME"
   fi
 
   if [ -n "$SOLR_SSL_CLIENT_TRUST_STORE" ]; then

diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
@@ -103,7 +103,7 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
   set SOLR_URL_SCHEME=https
   IF "%SOLR_SSL_RELOAD_ENABLED%"=="true" (
     set "SOLR_JETTY_CONFIG=!SOLR_JETTY_CONFIG! --module=ssl-reload"
-    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.keyStoreReload.enabled=true"
+    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.keystore.reload.enabled=true"
   )
   IF DEFINED SOLR_SSL_KEY_STORE (
     set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.keystore=%SOLR_SSL_KEY_STORE%"
@@ -133,10 +133,10 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
   )
 
   IF DEFINED SOLR_SSL_NEED_CLIENT_AUTH (
-    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.needClientAuth=%SOLR_SSL_NEED_CLIENT_AUTH%"
+    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.need.client.auth.enabled=%SOLR_SSL_NEED_CLIENT_AUTH%"
   )
   IF DEFINED SOLR_SSL_WANT_CLIENT_AUTH (
-    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.wantClientAuth=%SOLR_SSL_WANT_CLIENT_AUTH%"
+    set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.jetty.ssl.want.client.auth.enabled=%SOLR_SSL_WANT_CLIENT_AUTH%"
   )
 
   IF DEFINED SOLR_SSL_CLIENT_KEY_STORE (
@@ -174,7 +174,7 @@ IF "%SOLR_SSL_ENABLED%"=="true" (
     )
   )
   IF DEFINED SOLR_SSL_CHECK_PEER_NAME (
-   set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.checkPeerName=%SOLR_SSL_CHECK_PEER_NAME% -Dsolr.jetty.ssl.sniHostCheck=%SOLR_SSL_CHECK_PEER_NAME%"
+   set "SOLR_SSL_OPTS=!SOLR_SSL_OPTS! -Dsolr.ssl.check.peer.name.enabled=%SOLR_SSL_CHECK_PEER_NAME% -Dsolr.jetty.ssl.sni.host.check.enabled=%SOLR_SSL_CHECK_PEER_NAME%"
   )
 ) ELSE (
   set SOLR_SSL_OPTS=

diff --git a/solr/packaging/test/test_ssl.bats b/solr/packaging/test/test_ssl.bats
@@ -118,7 +118,7 @@ teardown() {
 
   # Restart the server enabling the SNI hostcheck
   export SOLR_SSL_CHECK_PEER_NAME=false
-  export SOLR_OPTS="${SOLR_OPTS} -Dsolr.jetty.ssl.sniHostCheck=true"
+  export SOLR_OPTS="${SOLR_OPTS} -Dsolr.jetty.ssl.sni.host.check.enabled=true"
   solr restart
   # This should fail the SNI Hostname check
   run ! solr api --verbose --solr-url "https://localhost:${SOLR_PORT}/solr/admin/collections?action=CLUSTERSTATUS"
@@ -526,14 +526,14 @@ teardown() {
   # server1 will run on $SOLR_PORT and will use server1.keystore
   export SOLR_SSL_KEY_STORE=$ssl_dir/server1.keystore.p12
   export SOLR_SSL_TRUST_STORE=$ssl_dir/server1.keystore.p12
-  solr start --jvm-opts "-Dsolr.jetty.sslContext.reload.scanInterval=1 -DsocketTimeout=5000"
+  solr start --jvm-opts "-Dsolr.jetty.ssl.context.reload.scan.interval.secs=1 -DsocketTimeout=5000"
   solr assert --started https://localhost:${SOLR_PORT} --timeout 5000
 
   # server2 will run on $SOLR2_PORT and will use server2.keystore. Initially, this is the same as server1.keystore
   export SOLR_SSL_KEY_STORE=$ssl_dir/server2.keystore.p12
   export SOLR_SSL_TRUST_STORE=$ssl_dir/server2.keystore.p12
 
-  solr start -z localhost:${ZK_PORT} -p ${SOLR2_PORT} --jvm-opts "-Dsolr.jetty.sslContext.reload.scanInterval=1 -DsocketTimeout=5000"
+  solr start -z localhost:${ZK_PORT} -p ${SOLR2_PORT} --jvm-opts "-Dsolr.jetty.ssl.context.reload.scan.interval.secs=1 -DsocketTimeout=5000"
   solr assert --started https://localhost:${SOLR2_PORT} --timeout 5000
 
   # "test" collection is two shards, meaning there must be communication between shards for queries (handled by http shard handler factory)

diff --git a/solr/server/etc/jetty-ssl-context-reload.xml b/solr/server/etc/jetty-ssl-context-reload.xml
@@ -6,7 +6,7 @@
         <Arg>
             <New id="keyStoreScanner" class="org.eclipse.jetty.util.ssl.KeyStoreScanner">
                 <Arg><Ref refid="sslContextFactory"/></Arg>
-                <Set name="scanInterval"><Property name="solr.jetty.sslContext.reload.scanInterval" default="30"/></Set>
+                <Set name="scanInterval"><Property name="solr.jetty.ssl.context.reload.scan.interval.secs" default="30"/></Set>
             </New>
         </Arg>
     </Call>

diff --git a/solr/server/etc/jetty-ssl.xml b/solr/server/etc/jetty-ssl.xml
@@ -18,8 +18,8 @@
   <Set name="KeyStorePassword"><Ref refid="keyStorePassword"/></Set>
   <Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="./etc/solr-ssl.keystore.jks"/></Set>
   <Set name="TrustStorePassword"><Ref refid="trustStorePassword"/></Set>
-  <Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="false"/></Set>
-  <Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>
+  <Set name="NeedClientAuth"><Property name="solr.jetty.ssl.need.client.auth.enabled" default="false"/></Set>
+  <Set name="WantClientAuth"><Property name="solr.jetty.ssl.want.client.auth.enabled" default="false"/></Set>
   <Set name="KeyStoreType"><Property name="solr.jetty.keystore.type" default="PKCS12"/></Set>
   <Set name="TrustStoreType"><Property name="solr.jetty.truststore.type" default="PKCS12"/></Set>
   <Set name="EndpointIdentificationAlgorithm"><Property name="solr.jetty.ssl.verifyClientHostName"/></Set>
@@ -35,10 +35,10 @@
     <Call name="addCustomizer">
       <Arg>
         <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
-          <Arg name="sniRequired" type="boolean"><Property name="solr.jetty.ssl.sniRequired" default="false"/></Arg>
-          <Arg name="sniHostCheck" type="boolean"><Property name="solr.jetty.ssl.sniHostCheck" default="true"/></Arg>
-          <Arg name="stsMaxAgeSeconds" type="int"><Property name="solr.jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
-          <Arg name="stsIncludeSubdomains" type="boolean"><Property name="solr.jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
+          <Arg name="sniRequired" type="boolean"><Property name="solr.jetty.ssl.sni.required.enabled" default="false"/></Arg>
+          <Arg name="sniHostCheck" type="boolean"><Property name="solr.jetty.ssl.sni.host.check.enabled" default="true"/></Arg>
+          <Arg name="stsMaxAgeSeconds" type="int"><Property name="solr.jetty.ssl.sts.max.age.secs" default="-1"/></Arg>
+          <Arg name="stsIncludeSubdomains" type="boolean"><Property name="solr.jetty.ssl.sts.include.subdomains.enabled" default="false"/></Arg>
         </New>
       </Arg>
     </Call>

diff --git a/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc b/solr/solr-ref-guide/modules/deployment-guide/pages/enabling-ssl.adoc
@@ -194,7 +194,7 @@ NOTE: If you have defined `ZK_HOST` in `solr.in.sh`/`solr.in.cmd` (see xref:zook
 Start each Solr node with the Solr control script as shown in the examples below.
 Customize the values for the parameters shown as necessary and add any used in your system.
 
-If you created the SSL key without all DNS names or IP addresses on which Solr nodes run, you can tell Solr to skip hostname verification for inter-node communications by setting the `-Dsolr.ssl.checkPeerName=false` system property.
+If you created the SSL key without all DNS names or IP addresses on which Solr nodes run, you can tell Solr to skip hostname verification for inter-node communications by setting the `-Dsolr.ssl.check.peer.name.enabled=false` system property.
 
 [tabs#cloud]
 ======
@@ -249,7 +249,7 @@ C:\> bin\solr.cmd -p 8984
 Solr can automatically reload KeyStore/TrustStore when certificates are updated without restarting. This is enabled by default
 when using SSL, but can be disabled by setting the environment variable `SOLR_SSL_RELOAD_ENABLED` to `false`. By
 default, Solr will check for updates in the KeyStore every 30 seconds, but this interval can be updated by passing the
-system property `solr.jetty.sslContext.reload.scanInterval` with the new interval in seconds on startup.
+system property `solr.jetty.ssl.context.reload.scan.interval.secs` with the new interval in seconds on startup.
 Note that the truststore file is not actively monitored, so if you need to apply changes to the truststore, you need
 to update it and after that touch the keystore to trigger a reload.
 

diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
@@ -55,6 +55,7 @@
 import org.apache.solr.common.params.SolrParams;
 import org.apache.solr.common.params.UpdateParams;
 import org.apache.solr.common.util.ContentStream;
+import org.apache.solr.common.util.EnvUtils;
 import org.apache.solr.common.util.ExecutorUtil;
 import org.apache.solr.common.util.NamedList;
 import org.apache.solr.common.util.ObjectReleaseTracker;
@@ -238,8 +239,10 @@ private HttpClient createHttpClient(Builder builder) {
             : sslConfig.createClientContextFactory();
 
     Long keyStoreReloadIntervalSecs = builder.keyStoreReloadIntervalSecs;
-    if (keyStoreReloadIntervalSecs == null && Boolean.getBoolean("solr.keyStoreReload.enabled")) {
-      keyStoreReloadIntervalSecs = Long.getLong("solr.jetty.sslContext.reload.scanInterval", 30);
+    if (keyStoreReloadIntervalSecs == null
+        && EnvUtils.getPropertyAsBool("solr.keystore.reload.enabled", false)) {
+      keyStoreReloadIntervalSecs =
+          EnvUtils.getPropertyAsLong("solr.jetty.ssl.context.reload.scan.interval.secs", 30l);
     }
     if (sslContextFactory != null
         && sslContextFactory.getKeyStoreResource() != null

diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrHttpConstants.java
@@ -52,7 +52,7 @@ public interface SolrHttpConstants {
    * System property consulted to determine if HTTP based SolrClients will require hostname
    * validation of SSL Certificates. The default behavior is to enforce peer name validation.
    */
-  String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.checkPeerName";
+  String SYS_PROP_CHECK_PEER_NAME = "solr.ssl.check.peer.name.enabled";
 
   /** Basic auth username */
   String PROP_BASIC_AUTH_USER = "httpBasicAuthUser";

diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/Http2SolrClientTest.java
@@ -440,25 +440,25 @@ public void testGetDefaultSslContextFactory() {
     System.clearProperty("javax.net.ssl.keyStoreType");
     System.clearProperty("javax.net.ssl.trustStoreType");
 
-    System.setProperty("solr.ssl.checkPeerName", "true");
+    System.setProperty("solr.ssl.check.peer.name.enabled", "true");
     System.setProperty("javax.net.ssl.keyStoreType", "foo");
     System.setProperty("javax.net.ssl.trustStoreType", "bar");
     SslContextFactory.Client sslContextFactory2 = Http2SolrClient.getDefaultSslContextFactory();
     assertEquals("HTTPS", sslContextFactory2.getEndpointIdentificationAlgorithm());
     assertEquals("foo", sslContextFactory2.getKeyStoreType());
     assertEquals("bar", sslContextFactory2.getTrustStoreType());
-    System.clearProperty("solr.ssl.checkPeerName");
+    System.clearProperty("solr.ssl.check.peer.name.enabled");
     System.clearProperty("javax.net.ssl.keyStoreType");
     System.clearProperty("javax.net.ssl.trustStoreType");
 
-    System.setProperty("solr.ssl.checkPeerName", "false");
+    System.setProperty("solr.ssl.check.peer.name.enabled", "false");
     System.setProperty("javax.net.ssl.keyStoreType", "foo");
     System.setProperty("javax.net.ssl.trustStoreType", "bar");
     SslContextFactory.Client sslContextFactory3 = Http2SolrClient.getDefaultSslContextFactory();
     assertNull(sslContextFactory3.getEndpointIdentificationAlgorithm());
     assertEquals("foo", sslContextFactory3.getKeyStoreType());
     assertEquals("bar", sslContextFactory3.getTrustStoreType());
-    System.clearProperty("solr.ssl.checkPeerName");
+    System.clearProperty("solr.ssl.check.peer.name.enabled");
     System.clearProperty("javax.net.ssl.keyStoreType");
     System.clearProperty("javax.net.ssl.trustStoreType");
   }