-
Notifications
You must be signed in to change notification settings - Fork 25k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace custom reloadable Key/TrustManager #30509
Conversation
In JVMs running in FIPS approved mode, only SunJSSE TrustManagers and KeyManagers can be used. This commit replaces all the custom KeyManagers and TrustManagers (ReloadableKeyManager, ReloadableTrustManager, EmptyKeyManager, EmptyTrustManager) with instances of X509ExtendedKeyManager and X509ExtendedTrustManager. Reloadability is now ensured by a volatile instance of SSLContext in SSLContectHolder. SSLConfigurationReloaderTests use the reloadable SSLContext to initialize HTTP Clients and Servers and use these for testing the key material and trust relations.
Pinging @elastic/es-security |
CI fails because of #30507, will rerun tests once it is resolved. |
run gradle build tests |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left some minor comments. Otherwise LGTM
new ReloadableTrustManager(sslConfiguration.trustConfig().createTrustManager(env), sslConfiguration.trustConfig()); | ||
ReloadableX509KeyManager keyManager = | ||
new ReloadableX509KeyManager(sslConfiguration.keyConfig().createKeyManager(env), sslConfiguration.keyConfig()); | ||
X509ExtendedTrustManager trustManager = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you move this statement to a single line now?
new ReloadableX509KeyManager(sslConfiguration.keyConfig().createKeyManager(env), sslConfiguration.keyConfig()); | ||
X509ExtendedTrustManager trustManager = | ||
sslConfiguration.trustConfig().createTrustManager(env); | ||
X509ExtendedKeyManager keyManager = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you move this statement to a single line now?
SSLContext loadedSslContext = SSLContext.getInstance(sslContextAlgorithm(sslConfiguration.supportedProtocols())); | ||
loadedSslContext.init(new X509ExtendedKeyManager[]{loadedKeyManager}, | ||
new X509ExtendedTrustManager[]{loadedTrustManager}, null); | ||
supportedCiphers(loadedSslContext.getSupportedSSLParameters().getCipherSuites(), sslConfiguration.cipherSuites(), true); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not think we should log here. This is on the reload of a file and not an update to the ciphers settings
final KeyPair keyPair = CertUtils.generateKeyPair(512); | ||
X509Certificate cert = CertUtils.generateSignedCertificate(new X500Principal("CN=testReloadingKeyStore"), null, keyPair, | ||
//Load HTTPClient only once. Client uses the same store as a truststore | ||
try(CloseableHttpClient client = getSSLClient(keystorePath, "testnode")) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
space between try
and (
run gradle build tests |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Make SSLContext reloadable This commit replaces all customKeyManagers and TrustManagers (ReloadableKeyManager,ReloadableTrustManager, EmptyKeyManager, EmptyTrustManager) with instances of X509ExtendedKeyManager and X509ExtendedTrustManager. This change was triggered by the effort to allow Elasticsearch to run in a FIPS-140 environment. In JVMs running in FIPS approved mode, only SunJSSE TrustManagers and KeyManagers can be used. Reloadability is now ensured by a volatile instance of SSLContext in SSLContectHolder. SSLConfigurationReloaderTests use the reloadable SSLContext to initialize HTTP Clients and Servers and use these for testing the key material and trust relations.
…ngs-to-true * elastic/master: (34 commits) Test: increase search logging for LicensingTests Adjust serialization version in IndicesOptions [TEST] Fix compilation Remove version argument in RangeFieldType (elastic#30411) Remove unused DirectoryUtils class. (elastic#30582) Mitigate date histogram slowdowns with non-fixed timezones. (elastic#30534) Add a MovingFunction pipeline aggregation, deprecate MovingAvg agg (elastic#29594) Removes AwaitsFix on IndicesOptionsTests Template upgrades should happen in a system context (elastic#30621) Fix bug in BucketMetrics path traversal (elastic#30632) Fixes IndiceOptionsTests to serialise correctly (elastic#30644) S3 repo plugin populate SettingsFilter (elastic#30652) mute IndicesOptionsTests.testSerialization Rest High Level client: Add List Tasks (elastic#29546) Refactors ClientHelper to combine header logic (elastic#30620) [ML] Wait for ML indices in rolling upgrade tests (elastic#30615) Watcher: Ensure secrets integration tests also run triggered watch (elastic#30478) Move allocation awareness attributes to list setting (elastic#30626) [Docs] Update code snippet in has-child-query.asciidoc (elastic#30510) Replace custom reloadable Key/TrustManager (elastic#30509) ...
…e-dependency and resove conflicts that where introduced by the merge of elastic#30509
Based on the changes to key and trust material reloading that were introduced in elastic#30509. DSA and EC keys are regenerated and the associated certificates are constructed with the correct SAN.
In elastic#30509 we changed the way SSL configuration is reloaded when the content of a file changes. As a consequence of that implementation change the LDAP realm ceased to pick up changes to CA files (or other certificate material) if they changed. This commit repairs the reloading behaviour for LDAP realms, and adds a test for this functionality. Resolves: elastic#36923
In #30509 we changed the way SSL configuration is reloaded when the content of a file changes. As a consequence of that implementation change the LDAP realm ceased to pick up changes to CA files (or other certificate material) if they changed. This commit repairs the reloading behaviour for LDAP realms, and adds a test for this functionality. Resolves: #36923
In #30509 we changed the way SSL configuration is reloaded when the content of a file changes. As a consequence of that implementation change the LDAP realm ceased to pick up changes to CA files (or other certificate material) if they changed. This commit repairs the reloading behaviour for LDAP realms, and adds a test for this functionality. Resolves: #36923
In #30509 we changed the way SSL configuration is reloaded when the content of a file changes. As a consequence of that implementation change the LDAP realm ceased to pick up changes to CA files (or other certificate material) if they changed. This commit repairs the reloading behaviour for LDAP realms, and adds a test for this functionality. Resolves: #36923
This change fixes the tests that expect the reload of a SSLConfiguration to fail after changes made in elastic#30509. The tests relied on the behavior that an SSLConfiguration only had reload called on it after the key and trust managers had been created, but that is no longer the case. This change removes the fail call with a wrapped call to the original method and captures the exception and counts down a latch to make these tests consistently tested rather than relying on concurrency to catch a failure. Closes elastic#39260
In JVMs running in FIPS approved mode, only SunJSSE TrustManagers
and KeyManagers can be used. This commit replaces all the custom
KeyManagers and TrustManagers (ReloadableKeyManager,
ReloadableTrustManager, EmptyKeyManager, EmptyTrustManager) with
instances of X509ExtendedKeyManager and X509ExtendedTrustManager.
Reloadability is now ensured by a volatile instance of SSLContext
in SSLContectHolder.
SSLConfigurationReloaderTests use the reloadable SSLContext to
initialize HTTP Clients and Servers and use these for testing the
key material and trust relations.