[jetty-users] Different passwords for key store and trust store -- is it possible?

I'm a committer on the Apache Lucene/Solr project.  One of our users
opened an issue on Solr 6.6.2, which uses Jetty 9.3.14.  Here's the URL
for that issue:

https://issues.apache.org/jira/browse/SOLR-11678

They want to use different passwords for their key store and their trust
store.  If they set their stores up so they both use the same password,
then everything works, but when they use different passwords, the Jetty
startup throws an exception.

At this time I don't have precise information on how the user has
installed and configured Solr, but I'm taking a leap of faith and
assuming that they're not completely clueless and have done the job
correctly from the point of view of the Solr project.

I'm just barely familiar with how Java deals with stores for SSL ...
enough to know that it's typically more difficult to inform Java-based
software about certificates and keys compared to software that can
directly use PEM-encoded files.

The Solr startup script sets system properties for the store filenames
and environment variables for the passwords, and makes sure the
environment variables are exported so forked processes can access them.
Then in the jetty-ssl.xml that Solr provides we have this:

  <Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="./etc/solr-ssl.keystore.jks"/></Set>
  <Set name="KeyStorePassword"><Env name="SOLR_SSL_KEY_STORE_PASSWORD" default="secret"/></Set>
  <Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="./etc/solr-ssl.keystore.jks"/></Set>
  <Set name="TrustStorePassword"><Env name="SOLR_SSL_TRUST_STORE_PASSWORD" default="secret"/></Set>

Does Jetty support different passwords for the key store and the trust
store?  If so, then based on the info I've provided, is Solr configuring
Jetty correctly?  Would we need to upgrade Jetty beyond 9.3.14 for it to
work?

Thanks,
Shawn
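
The following is an added example, not code from the post above nor from the Solr or Jetty projects. It shows the programmatic equivalent of the jetty-ssl.xml fragment quoted in the message, with a key store and a trust store that deliberately use different passwords, and it first opens both stores with plain JSSE so that a wrong store password can be told apart from a Jetty configuration problem. It does not settle the question asked about Jetty 9.3.14. File names, the port, the environment variable defaults and the `keyPassword` variable are assumptions; the Jetty classes used (`SslContextFactory`, `SslConnectionFactory`, `ServerConnector`) are the Jetty 9 server API.

```java
// Added example, not from the original post or from Solr/Jetty: the
// programmatic equivalent of the jetty-ssl.xml <Set> lines, with a key
// store and a trust store that use different passwords. Paths, port and
// password defaults below are placeholders (assumptions) for illustration.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class SeparateStorePasswords {

    /**
     * Pure JSSE check, independent of Jetty: open each store with its own
     * password and build an SSLContext from them. If this throws, the stores
     * or the passwords are wrong before Jetty is involved at all.
     */
    static SSLContext loadWithJsse(String keyStorePath, char[] keyStorePassword,
                                   char[] keyPassword,
                                   String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePassword);
        }
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }

        // A JKS private-key entry has its own password (keytool -keypass),
        // which may differ from the store password (keytool -storepass).
        // The key manager needs the key password, not the store password.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Jetty equivalent of the jetty-ssl.xml <Set> lines, with distinct passwords. */
    static SslContextFactory jettySslContextFactory(String keyStorePath, String keyStorePassword,
                                                    String keyPassword,
                                                    String trustStorePath, String trustStorePassword) {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(keyStorePath);                 // <Set name="KeyStorePath">
        ssl.setKeyStorePassword(keyStorePassword);         // <Set name="KeyStorePassword">
        ssl.setKeyManagerPassword(keyPassword);            // password of the private key entry itself
        ssl.setTrustStorePath(trustStorePath);             // <Set name="TrustStorePath">
        ssl.setTrustStorePassword(trustStorePassword);     // <Set name="TrustStorePassword">
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        // Mirrors what the Solr start script provides: system properties for the
        // store paths, environment variables for the passwords. Defaults are placeholders.
        String keyStorePath = System.getProperty("solr.jetty.keystore", "./etc/solr-ssl.keystore.jks");
        String trustStorePath = System.getProperty("solr.jetty.truststore", "./etc/solr-ssl.truststore.jks");
        String keyStorePassword = System.getenv().getOrDefault("SOLR_SSL_KEY_STORE_PASSWORD", "keystore-secret");
        String trustStorePassword = System.getenv().getOrDefault("SOLR_SSL_TRUST_STORE_PASSWORD", "truststore-secret");
        // Assumption for this example: the private key was created with the same
        // password as its store (keytool's default when -keypass is omitted).
        String keyPassword = keyStorePassword;

        // 1. Prove both stores open with their own passwords, outside Jetty.
        loadWithJsse(keyStorePath, keyStorePassword.toCharArray(), keyPassword.toCharArray(),
                     trustStorePath, trustStorePassword.toCharArray());
        System.out.println("Both stores loaded with their own passwords via JSSE");

        // 2. Start a Jetty HTTPS connector with the same settings; store or
        //    password errors on the Jetty side surface when the connector starts.
        Server server = new Server();
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        SslContextFactory ssl = jettySslContextFactory(keyStorePath, keyStorePassword, keyPassword,
                                                       trustStorePath, trustStorePassword);
        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(8983);
        server.addConnector(https);
        server.start();
        System.out.println("Jetty started on https://localhost:8983/");
        server.stop();
    }
}
```

Running step 1 alone is the quickest way to check a reported "different passwords" failure: if `loadWithJsse` succeeds with the two passwords and Jetty still throws, the problem is in how the passwords reach Jetty (or in the key password versus the store password), not in the stores themselves.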

