Hi guys,

Thanks for the info!  I managed to reproduce this locally and created
a JIRA ticket to investigate and release a fix:
https://issues.apache.org/jira/browse/SOLR-17515

To me at least it looks like a pretty serious bug, and might end up
resulting in a 9.7.1 release if other folks agree (and we can find a
volunteer to do the release).  But I'll poke around a bit to see if we
can't figure out a workaround for everyone in the meantime, and let
you guys know if I find anything!

Best,

Jason

On Fri, Oct 25, 2024 at 5:01 AM Patrik Peng
<patrik.p...@hostpoint.ch.invalid> wrote:
>
> Hi Jason
>
> Thanks for looking into this.
>
> - what authc/authz plugins are enabled on your cluster?  If basicAuth
> is in use (as the stack suggests), is "forwardCredentials" set up?
>
> We have BasicAuth and RuleBasedAuthorization in use with blockUnknown enabled 
> and forwardCredentials disabled.
>
> - is SSL/TLS enabled on these clusters?  If so, can you share the
> controlling sysprops?
>
> TLS is enabled with the following properties:
>
>     -Dsolr.keyStoreReload.enabled=true
>     -Dsolr.jetty.keystore=/var/solr/keystore.p12
>     -Dsolr.jetty.truststore=/var/solr/truststore.p12
>     -Djavax.net.ssl.keyStore=/var/solr/keystore.p12
>     -Dsolr.ssl.checkPeerName=true
>     -Dsolr.jetty.ssl.sniHostCheck=true
>     -Djavax.net.ssl.trustStore=/var/solr/truststore.p12
>     -Dsolr.jetty.https.port=8983
>     -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory
>     -Dbasicauth=--REDACTED--
>     -Djava.security.auth.login.config=/var/solr/jaas_client.conf
>     -Dsolr.jetty.ssl.sniHostCheck=false
>     -DzkACLProvider=org.apache.solr.common.cloud.SaslZkACLProvider
>     -DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider
>     -DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector
>
> Checking these properties, I realized that "solr.jetty.ssl.sniHostCheck" was
> there twice with differing values.
> This has been fixed but the issue persists.
>
> - have you made any customizations to Jetty HttpClient creation? (Solr
> exposes sysprop-based hooks for influencing HttpClient settings)
>
> None that I'm aware of.
>
>
> Regards,
> Patrik
