Replace custom reloadable Key/TrustManager#30509
Merged
jkakavas merged 5 commits intoelastic:masterfrom May 16, 2018
Merged
Conversation
In JVMs running in FIPS approved mode, only SunJSSE TrustManagers and KeyManagers can be used. This commit replaces all the custom KeyManagers and TrustManagers (ReloadableKeyManager, ReloadableTrustManager, EmptyKeyManager, EmptyTrustManager) with instances of X509ExtendedKeyManager and X509ExtendedTrustManager. Reloadability is now ensured by a volatile instance of SSLContext in SSLContectHolder. SSLConfigurationReloaderTests use the reloadable SSLContext to initialize HTTP Clients and Servers and use these for testing the key material and trust relations.
Collaborator
|
Pinging @elastic/es-security |
12 tasks
Contributor
Author
|
CI fails because of #30507, will rerun tests once it is resolved. |
Contributor
Contributor
Author
|
run gradle build tests |
jaymode
approved these changes
May 14, 2018
Member
jaymode
left a comment
There was a problem hiding this comment.
I left some minor comments. Otherwise LGTM
| new ReloadableTrustManager(sslConfiguration.trustConfig().createTrustManager(env), sslConfiguration.trustConfig()); | ||
| ReloadableX509KeyManager keyManager = | ||
| new ReloadableX509KeyManager(sslConfiguration.keyConfig().createKeyManager(env), sslConfiguration.keyConfig()); | ||
| X509ExtendedTrustManager trustManager = |
Member
There was a problem hiding this comment.
can you move this statement to a single line now?
| new ReloadableX509KeyManager(sslConfiguration.keyConfig().createKeyManager(env), sslConfiguration.keyConfig()); | ||
| X509ExtendedTrustManager trustManager = | ||
| sslConfiguration.trustConfig().createTrustManager(env); | ||
| X509ExtendedKeyManager keyManager = |
Member
There was a problem hiding this comment.
can you move this statement to a single line now?
| SSLContext loadedSslContext = SSLContext.getInstance(sslContextAlgorithm(sslConfiguration.supportedProtocols())); | ||
| loadedSslContext.init(new X509ExtendedKeyManager[]{loadedKeyManager}, | ||
| new X509ExtendedTrustManager[]{loadedTrustManager}, null); | ||
| supportedCiphers(loadedSslContext.getSupportedSSLParameters().getCipherSuites(), sslConfiguration.cipherSuites(), true); |
Member
There was a problem hiding this comment.
I do not think we should log here. This is on the reload of a file and not an update to the ciphers settings
| final KeyPair keyPair = CertUtils.generateKeyPair(512); | ||
| X509Certificate cert = CertUtils.generateSignedCertificate(new X500Principal("CN=testReloadingKeyStore"), null, keyPair, | ||
| //Load HTTPClient only once. Client uses the same store as a truststore | ||
| try(CloseableHttpClient client = getSSLClient(keystorePath, "testnode")) { |
Contributor
Author
|
run gradle build tests |
jkakavas
added a commit
that referenced
this pull request
May 16, 2018
Make SSLContext reloadable This commit replaces all customKeyManagers and TrustManagers (ReloadableKeyManager,ReloadableTrustManager, EmptyKeyManager, EmptyTrustManager) with instances of X509ExtendedKeyManager and X509ExtendedTrustManager. This change was triggered by the effort to allow Elasticsearch to run in a FIPS-140 environment. In JVMs running in FIPS approved mode, only SunJSSE TrustManagers and KeyManagers can be used. Reloadability is now ensured by a volatile instance of SSLContext in SSLContectHolder. SSLConfigurationReloaderTests use the reloadable SSLContext to initialize HTTP Clients and Servers and use these for testing the key material and trust relations.
jasontedor
added a commit
to jasontedor/elasticsearch
that referenced
this pull request
May 16, 2018
…ngs-to-true * elastic/master: (34 commits) Test: increase search logging for LicensingTests Adjust serialization version in IndicesOptions [TEST] Fix compilation Remove version argument in RangeFieldType (elastic#30411) Remove unused DirectoryUtils class. (elastic#30582) Mitigate date histogram slowdowns with non-fixed timezones. (elastic#30534) Add a MovingFunction pipeline aggregation, deprecate MovingAvg agg (elastic#29594) Removes AwaitsFix on IndicesOptionsTests Template upgrades should happen in a system context (elastic#30621) Fix bug in BucketMetrics path traversal (elastic#30632) Fixes IndiceOptionsTests to serialise correctly (elastic#30644) S3 repo plugin populate SettingsFilter (elastic#30652) mute IndicesOptionsTests.testSerialization Rest High Level client: Add List Tasks (elastic#29546) Refactors ClientHelper to combine header logic (elastic#30620) [ML] Wait for ML indices in rolling upgrade tests (elastic#30615) Watcher: Ensure secrets integration tests also run triggered watch (elastic#30478) Move allocation awareness attributes to list setting (elastic#30626) [Docs] Update code snippet in has-child-query.asciidoc (elastic#30510) Replace custom reloadable Key/TrustManager (elastic#30509) ...
jkakavas
added a commit
to jkakavas/elasticsearch
that referenced
this pull request
May 17, 2018
…e-dependency and resove conflicts that where introduced by the merge of elastic#30509
jkakavas
added a commit
to jkakavas/elasticsearch
that referenced
this pull request
May 17, 2018
Based on the changes to key and trust material reloading that were introduced in elastic#30509. DSA and EC keys are regenerated and the associated certificates are constructed with the correct SAN.
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Dec 21, 2018
In elastic#30509 we changed the way SSL configuration is reloaded when the content of a file changes. As a consequence of that implementation change the LDAP realm ceased to pick up changes to CA files (or other certificate material) if they changed. This commit repairs the reloading behaviour for LDAP realms, and adds a test for this functionality. Resolves: elastic#36923
tvernum
added a commit
that referenced
this pull request
Dec 28, 2018
In #30509 we changed the way SSL configuration is reloaded when the content of a file changes. As a consequence of that implementation change the LDAP realm ceased to pick up changes to CA files (or other certificate material) if they changed. This commit repairs the reloading behaviour for LDAP realms, and adds a test for this functionality. Resolves: #36923
tvernum
added a commit
that referenced
this pull request
Jan 4, 2019
In #30509 we changed the way SSL configuration is reloaded when the content of a file changes. As a consequence of that implementation change the LDAP realm ceased to pick up changes to CA files (or other certificate material) if they changed. This commit repairs the reloading behaviour for LDAP realms, and adds a test for this functionality. Resolves: #36923
tvernum
added a commit
that referenced
this pull request
Jan 4, 2019
In #30509 we changed the way SSL configuration is reloaded when the content of a file changes. As a consequence of that implementation change the LDAP realm ceased to pick up changes to CA files (or other certificate material) if they changed. This commit repairs the reloading behaviour for LDAP realms, and adds a test for this functionality. Resolves: #36923
jaymode
added a commit
to jaymode/elasticsearch
that referenced
this pull request
Feb 26, 2019
This change fixes the tests that expect the reload of a SSLConfiguration to fail after changes made in elastic#30509. The tests relied on the behavior that an SSLConfiguration only had reload called on it after the key and trust managers had been created, but that is no longer the case. This change removes the fail call with a wrapped call to the original method and captures the exception and counts down a latch to make these tests consistently tested rather than relying on concurrency to catch a failure. Closes elastic#39260
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In JVMs running in FIPS approved mode, only SunJSSE TrustManagers
and KeyManagers can be used. This commit replaces all the custom
KeyManagers and TrustManagers (ReloadableKeyManager,
ReloadableTrustManager, EmptyKeyManager, EmptyTrustManager) with
instances of X509ExtendedKeyManager and X509ExtendedTrustManager.
Reloadability is now ensured by a volatile instance of SSLContext
in SSLContectHolder.
SSLConfigurationReloaderTests use the reloadable SSLContext to
initialize HTTP Clients and Servers and use these for testing the
key material and trust relations.