-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reject misconfigured/ambiguous SSL server config #45892
Conversation
This commit makes it an error to start a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration.
Pinging @elastic/es-security |
This is 8.0 only, as it is a breaking change. I will raise a separate PR to backport to 7.x as a deprecation. |
@elasticmachine update branch |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, left some suggestions
`xpack.security.http.ssl` without also configuring | ||
`xpack.security.http.ssl.enabled`. | ||
|
||
For example, the following configuration is invalid: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe do this example with PEM files to further visually indicate that this doesn't apply only to keystores/truststores?
final SSLConfigurationSettings configurationSettings = SSLConfigurationSettings.withPrefix(prefix + "."); | ||
if (isConfigurationValidForServerUsage(configuration) == false) { | ||
throw new ElasticsearchSecurityException("invalid configuration for " + prefix + | ||
" - a server context requires a key and certificate, but these have not been configured; either [" + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unsure how clear "server context" is. We could try "server SSL context" or "server SSL configuration" ?
throw new ElasticsearchSecurityException("invalid configuration for " + prefix + | ||
" - a server context requires a key and certificate, but these have not been configured; either [" + | ||
configurationSettings.x509KeyPair.keystorePath.getKey() + "] or [" + | ||
configurationSettings.x509KeyPair.certificatePath.getKey() + "] should be set"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
configurationSettings.x509KeyPair.certificatePath.getKey() + "] should be set"); | |
configurationSettings.x509KeyPair.keyPath.getKey() + " and " + configurationSettings.x509KeyPair.certificatePath.getKey() + "] should be set"); |
configurationSettings.x509KeyPair.certificatePath.getKey() + "] should be set"); | ||
} | ||
} else if (settings.hasValue(enabledSetting) == false) { | ||
final List<String> sslKeys = settings.keySet().stream() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
final List<String> sslKeys = settings.keySet().stream() | |
final List<String> sslConfigKeys = settings.keySet().stream() |
to make it immediately obvious when looking at the code these are not SSL Keys but configuration keys
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, Thank you.
We added a few tests with invalid config while this PR was stagnant
@elasticmachine update branch |
This commit adds a deprecation warning when starting a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration. Backport of: elastic#45892
This commit adds a deprecation warning when starting a node where either of the server contexts (xpack.security.transport.ssl and xpack.security.http.ssl) meet either of these conditions: 1. The server lacks a certificate/key pair (i.e. neither ssl.keystore.path not ssl.certificate are configured) 2. The server has some ssl configuration, but ssl.enabled is not specified. This new validation does not care whether ssl.enabled is true or false (though other validation might), it simply makes it an error to configure server SSL without being explicit about whether to enable that configuration. Backport of: #45892
…settings (#77092) In 8.0 we prevent the server from starting up if certain SSL properties are misconfigured or ambiguous. Specifically: 1) The server lacks a certificate/key pair (i.e. neither ssl.keystore.path nor ssl.key/ssl.certificate are configured) 2) The server has some ssl configuration, but ssl.enabled is not specified. This commit adds a check to the deprecation info API for these changes. Relates #42404 #45892
This commit makes it an error to start a node where either of the
server contexts (xpack.security.transport.ssl and
xpack.security.http.ssl) meet either of these conditions:
ssl.keystore.path nor ssl.certificate are configured)
specified. This new validation does not care whether ssl.enabled is
true or false (though other validation might), it simply makes it
an error to configure server SSL without being explicit about
whether to enable that configuration.
Relates to #49280