Modifying SSL settings to be consistent with the stack

[kobelb]

Per #7777 we want to move towards consistent SSL settings across the stack.

This introduces the following new settings:

• server.ssl.enabled
• server.ssl.keyPassphrase
• server.ssl.certificateAuthorities
• server.ssl.clientAuthentication
• server.ssl.supportedProtocols
• server.ssl.cipherSuites
• elasticsearch.ssl.keyPassphrase

and deprecates the following:

• server.ssl.cert -> server.ssl.certificate
• elasticsearch.ssl.ca -> elasticsearch.ssl.certificateAuthorities
• elasticsearch.ssl.cert -> elasticsearch.ssl.certificate
• elasticsearch.ssl.verify -> elasticsearch.ssl.verificationMode
• console.proxyConfig

[jbudz]

I tested all of the new configurations and they're functioning as expected. Deprecation warnings look good, including the more complicated ones like console.proxyConfig.

Lots of tests too, great work on this. A few comments below but otherwise this lgtm.

[jbudz]

thoughts on adding these to kibana.yml?

[kobelb]

Good question! It's my understanding that we only try to put the common settings in the kibana.yml, I feel like keyPassphrase is a contender to add in there, but I dunno how I feel about clientAuthentication and certiricateAuthorities because I don't see a majority of our users using these. What are your thoughts?

[jbudz]

makes sense, on second thought it's probably fine. consistent with the configs for our other products too.

[jbudz]

can we remove this from the settings docs page and console page?

[kobelb]

Great call, I'll make it so.

[jbudz]

When using this I'm occasionally seeing

 log   [18:54:38.465] [error][client][connection] Error: TLS handshake timeout
    at TLSSocket._handleTimeout (_tls_wrap.js:539:22)
    at TLSSocket.g (events.js:291:16)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket.Socket._onTimeout (net.js:339:8)
    at ontimeout (timers.js:365:14)
    at tryOnTimeout (timers.js:237:5)
    at Timer.listOnTimeout (timers.js:207:5)

I'm not able to reproduce it consistently or often. Functionally it doesn't seem to have an impact, is this something we want in the error log?

[kobelb]

Lemme see if I can track down where this is coming from, and see if there's a way to at least downgrade it from error like we're doing elsewhere.

[kobelb]

I've been able to consistently get this log message to occur by setting server.ssl.clientAuthentication: required and then opening up Kibana and letting the browser sit on the prompt for me to select a certificate for a long-time. However, I'm sure that other situations could also cause this to occur as well.

This error is being emitted by the tls socket to the https Server to the hapi connection which we then intercept, and downgrade certain errors.

We've been downgrading errors based on their errno, but those only exist on System Errors, and these are just generic Errors.

We could potentially filter these out by matching the err.message of TLS handshake timeout, but that feels rather brittle. Additionally, there are various other generic client errors the underlying ssl library is throwing with uglier messages like the following:

4330128320:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/s3_pkt.c:1487:SSL alert number 48
4330128320:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:1210:

I'm beginning to wonder whether we should be downgrading all client errors to debug/info. What are your alls thoughts @spalger @tylersmalley @jbudz?

[kobelb]

@jbudz caught that this PR does not currently allow the user to configure the list of cipher-suites.

@epixa - in the chart in #7777 there's a note next to cipher-suites saying 'see list below' and 'language specific', do you happen to recall the original discussion surrounding this issue and whether it impacts how we implement this?

@spalger do you happen to recall why we're customizing the current default list of cipher-suites and whether there is any reason why we wouldn't use the NodeJS default and then allow the user to overwrite this?

[tylersmalley]

If we are seeking consistent configurations, why do we camel case our names when ES and others are all lowercase with underscore delimited words?

[tylersmalley]

Should use use the array for this to show multiple CA's can be provided?

elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

[jbudz]

we do have #7444. i was on the fence for this one, it is consistent with out current config

[kobelb]

Regarding camelCasing, I wanted to keep this consistent with the rest of our settings and then address converting all of them to snake_case in a separate PR. Should we consider trying to do both in the same minor version to reduce the impact on the user? I would prefer to at least do it in a separate PR, even if it's for the same minor version. What are your thoughts?

[tylersmalley]

I agree, let's keep it out of this PR and see if it's something we want to also get into 5.2 to reduce the number of times folks are re-doing their config.

[tylersmalley]

I am personally really excited about this as I had been previously needing to remove the passphrase from my generated certs.

[tylersmalley]

bindKey can actually be removed as it's not being used.

[tylersmalley]

isNull is not used

[tylersmalley]

isNull is not used

[tylersmalley]

When testing the deprecation for pid_file, it appears were now handling the deprecation calls later in the startup processing than before.

In this test, I have defined pid_file which has been renamed to pid.file. The file does not exist so I am getting ENOENT.

When testing for the same thing on master, I immediately get the deprecation warning without a file error.

[tylersmalley]

A couple feedback items. Only one of concern is when the deprecations are ran.

[kobelb]

@tylersmalley, after discussing with Spencer, we decided to move the deprecation logging to use the standard logger, which unfortunately delayed when these deprecations will be output because the logging is currently attached to the kibana server.

It's a trade-off that at the time seemed reasonable, but I'm definitely open to alternatives.

[tylersmalley]

@kobelb, I have come around to this as it's actually transforming the config and everything uses the servers logger so this is no different. If @spalger agrees, I am fine moving forward.

[spalger]

Yeah, there are only a couple settings that will trigger failures before the deprecation warning, and you found one of them, but I think it's better to use the standard logging format than fix the ordering for those edge cases. That said, if we can do the deprecation logging any earlier I think we should (it runs after http right now which seems unnecessary, but idk)

[kobelb]

@spalger good call on moving the deprecations to earlier in the kbn_server. The deprecations currently have to run after http and logging because the log function is exposed on the server, but I was able to put it before the warnings and status.

[tylersmalley]

LGTM! By moving the deprecations were now consistent with the behavior in master.

[kobelb]

@jbudz you mind giving the changes that I made a look over?

[kobelb]

If you need assistance generating certs with passphrases, this will help: https://gist.github.com/mtigas/952344

Certgen doesn't let you specify passphrases, but it's nice for the other test-cases

[rashmivkulkarni]

To Test:

• Make sure all the deprecation warnings appear on the Kibana console as you make changes in kibana.yml for every setting .

• X-Pack: regression testing on Monitoring( in general) and have a separate Monitoring Cluster.

• Test all the new settings mentioned in the ticket work as expected.

• using the certgen tool should be good for generating certs. ( be sure to use the pass-phrase : follow: https://gist.github.com/mtigas/952344 for certificates)

Tested on 5.3.0 -BC1 builds From dev ticket #725

[kobelb]

To test the server.ssl.cipherSuites and server.ssl.supportedProtocols the following openssl commands will come in handy; however, you'll want to ensure that you're using a newer version of SSL than the one that comes packaged with OS X 10.12 because it's outdated, and technically a version that Apple patched.

# connect using SSLv3
./openssl s_client -connect localhost:5601 -ssl3

# connect using TLSv1.0
./openssl s_client -connect localhost:5601  -tls1

# connect using TLSv1.1
./openssl s_client -connect localhost:5601  -tls1_1

# connect using TLSv1.2
./openssl s_client -connect localhost:5601  -tls1_2

# `openssl ciphers` will return all the ciphers the openssl library supports
./openssl s_client -connect localhost:5601 -cipher [INSERT YOUR CIPHER]

[ghost]

Is this a missed rename to elasticsearch.ssl.certificate?

[kobelb]

@Jarpy it is, I'll get a fix up there for this, thanks!