[DOCS] Adds common definitions for security settings #51017
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,150 @@ | ||
| tag::ssl-certificate[] | ||
| Specifies the path for the PEM encoded certificate (or certificate chain) that is | ||
| associated with the key. | ||
| //TBD: This setting can be used only if `ssl.key` is set. | ||
| end::ssl-certificate[] | ||
|
|
||
| tag::ssl-certificate-authorities[] | ||
| List of paths to PEM encoded certificate files that should be trusted. | ||
| //TBD: You cannot use this setting and `ssl.truststore.path` at the same time. | ||
| end::ssl-certificate-authorities[] | ||
|
|
||
| tag::ssl-cipher-suites-values[] | ||
| Supported cipher suites vary depending on which version of Java you use. For | ||
| example, for version 12 the default value is `TLS_AES_256_GCM_SHA384`, | ||
| `TLS_AES_128_GCM_SHA256`, `TLS_CHACHA20_POLY1305_SHA256`, | ||
| `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, | ||
| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, | ||
| `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, | ||
| `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, | ||
| `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, | ||
| `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, | ||
| `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, | ||
| `TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_128_GCM_SHA256`, | ||
| `TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, | ||
| `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`. | ||
| For more information, see Oracle's | ||
| https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation]. | ||
| end::ssl-cipher-suites-values[] | ||
|
|
||
| tag::ssl-cipher-suites-values-java11[] | ||
| Supported cipher suites vary depending on which version of Java you use. For | ||
| example, for version 11 the default value is `TLS_AES_256_GCM_SHA384`, | ||
| `TLS_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, | ||
| `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, | ||
| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, | ||
| `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, | ||
| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, | ||
| `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, | ||
| `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_256_GCM_SHA384`, | ||
| `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA256`, | ||
| `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`, | ||
| `TLS_RSA_WITH_AES_128_CBC_SHA`. For more information, see Oracle's | ||
| https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation]. | ||
| end::ssl-cipher-suites-values-java11[] | ||
|
|
||
| tag::ssl-key-pem[] | ||
| Path to a PEM encoded file containing the private key. | ||
| //TBD: You cannot use this setting and `ssl.keystore.path` at the same time. | ||
| end::ssl-key-pem[] | ||
|
|
||
| tag::ssl-key-passphrase[] | ||
| The passphrase that is used to decrypt the private key. Since the key might not | ||
| be encrypted, this value is optional. | ||
| //TBD: You cannot use this setting and `ssl.secure_key_passphrase` at the same time. | ||
| end::ssl-key-passphrase[] | ||
|
|
||
| tag::ssl-keystore-key-password[] | ||
| The password for the key in the keystore. The default is the keystore password. | ||
| //TBD: You cannot use this setting and `ssl.keystore.secure_key_password` at the same time. | ||
| end::ssl-keystore-key-password[] | ||
|
|
||
| tag::ssl-keystore-password[] | ||
| The password for the keystore. | ||
| //TBD: You cannot use this setting and `ssl.keystore.secure_password` at the same time. | ||
| end::ssl-keystore-password[] | ||
|
|
||
| tag::ssl-keystore-path[] | ||
| The path for the keystore file that contains a private key and certificate. | ||
| //TBD: It must be either a Java keystore (jks) or a PKCS#12 file. | ||
| //TBD: You cannot use this setting and `ssl.key` at the same time. | ||
| end::ssl-keystore-path[] | ||
|
|
||
| tag::ssl-keystore-secure-key-password[] | ||
| The password for the key in the keystore. The default is the keystore password. | ||
| //TBD: You cannot use this setting and `ssl.keystore.key_password` at the same time. | ||
| end::ssl-keystore-secure-key-password[] | ||
|
|
||
| tag::ssl-keystore-secure-password[] | ||
| The password for the keystore. | ||
| //TBD: You cannot use this setting and `ssl.keystore.password` at the same time. | ||
| end::ssl-keystore-secure-password[] | ||
|
|
||
| tag::ssl-keystore-type-pkcs12[] | ||
| The format of the keystore file. It must be either `jks` or `PKCS12`. If the | ||
| keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults | ||
| to `PKCS12`. Otherwise, it defaults to `jks`. | ||
| end::ssl-keystore-type-pkcs12[] | ||
|
There was a problem hiding this comment. I think we probably want to merge the There was a problem hiding this comment. @tvernum Does that mean we should get rid of this section altogether?: http://elasticsearch_51017.docs-preview.app.elstc.co/guide/en/elasticsearch/reference/master/security-settings.html#security-http-pkcs11-tokens There was a problem hiding this comment. I'll admit my PKCS#11 knowledge is pretty thin - maybe @jkakavas can chime in here, but ... No, we still want that section, I think (but am not 100% sure) that our PKCS#11 support is consistent across all SSL contexts, so anything we say for However, there is a limit of having only 1 PKCS#11 provider per JVM, so setting this up & describing it is pretty complex. Maybe we leave this for now so we can merge it, and then come back to it. I think we'd need to setup a PKCS#11 environment for testing, and I don't have cycles for that right now. There was a problem hiding this comment. Tim's comment is right. PKCS#11 support is consistent across all SSL contexts, but there can only be 1 PKCS#11 provider/keystore and we don't offer a way to configure which alias in a keystore will be used. So that means that of PKCS#11 is used, then there is a single key/certificate pair that needs to be shared across all SSL contexts ( more details are shared in #33459 ) . I agree we can handle adding a few more details in PKCS11 in another PR |
||
|
|
||
| tag::ssl-secure-key-passphrase[] | ||
| The passphrase that is used to decrypt the private key. Since the key might not | ||
| be encrypted, this value is optional. | ||
| //TBD: You cannot use this setting and `ssl.key_passphrase` at the same time. | ||
| end::ssl-secure-key-passphrase[] | ||
|
|
||
| tag::ssl-supported-protocols[] | ||
| Supported protocols with versions. Valid protocols: `SSLv2Hello`, | ||
| `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. If the JVM's SSL provider supports TLSv1.3, | ||
| the default is `TLSv1.3,TLSv1.2,TLSv1.1`. Otherwise, the default is | ||
| `TLSv1.2,TLSv1.1`. | ||
| + | ||
| -- | ||
| NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello` | ||
| or `SSLv3`. See <<fips-140-compliance>>. | ||
|
|
||
| -- | ||
| end::ssl-supported-protocols[] | ||
|
|
||
| tag::ssl-truststore-password[] | ||
| The password for the truststore. | ||
| //TBD: You cannot use this setting and `ssl.truststore.secure_password` at the same time. | ||
| end::ssl-truststore-password[] | ||
|
|
||
| tag::ssl-truststore-path[] | ||
| The path for the keystore that contains the certificates to trust. It must be | ||
| either a Java keystore (jks) or a PKCS#12 file. | ||
| //TBD: You cannot use this setting and `ssl.certificate_authorities` at the same time. | ||
| end::ssl-truststore-path[] | ||
|
|
||
| tag::ssl-truststore-secure-password[] | ||
| Password for the truststore. | ||
| //TBD: You cannot use this setting and `ssl.truststore.password` at the same time. | ||
| end::ssl-truststore-secure-password[] | ||
|
|
||
| tag::ssl-truststore-type[] | ||
| The format of the truststore file. It must be either `jks` or `PKCS12`. If the | ||
| file name ends in ".p12", ".pfx" or "pkcs12", the default is `PKCS12`. | ||
| Otherwise, it defaults to `jks`. | ||
| end::ssl-truststore-type[] | ||
|
|
||
| tag::ssl-truststore-type-pkcs11[] | ||
| The format of the truststore file. For the Java keystore format, use `jks`. For | ||
| PKCS#12 files, use `PKCS12`. For a PKCS#11 token, use `PKCS11`. The default is | ||
| `jks`. | ||
| end::ssl-truststore-type-pkcs11[] | ||
|
|
||
| tag::ssl-verification-mode-values[] | ||
| Valid values are: | ||
| - `full`, which verifies that the provided certificate is signed by a trusted | ||
| authority (CA) and also verifies that the server's hostname (or IP address) | ||
| matches the names identified within the certificate. | ||
| - `certificate`, which verifies that the provided certificate is signed by a | ||
| trusted authority (CA), but does not perform any hostname verification. | ||
| - `none`, which performs _no verification_ of the server's certificate. This | ||
| mode disables many of the security benefits of SSL/TLS and should only be used | ||
| after very careful consideration. It is primarily intended as a temporary | ||
| diagnostic mechanism when attempting to resolve TLS errors; its use on | ||
| production clusters is strongly discouraged. | ||
| + | ||
| The default value is `full`. | ||
| end::ssl-verification-mode-values[] | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the situation with these
//TBDparts? Are you looking for a review as to whether that content is correct, or trying to decide how to represent them in the docs?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tvernum Sorry for the lack of clarity. These "TBD" pieces are bits of information that only existed in a subset of the places where these definitions were used. For now, I've left them as-is and the TBD is to move that info into the shared definition if indeed they're applicable to all contexts (likely in a subsequent PR).