opensearch-project · willyborankin · Oct 28, 2024 · Oct 23, 2024 · Oct 28, 2024
@@ -122,7 +122,9 @@ private void printJCEWarnings() {
     public final SslProvider sslTransportServerProvider;
     public final SslProvider sslTransportClientProvider;
     private final boolean httpSSLEnabled;
+    private final boolean httpSSLEnforceCertReloadDnVerification;
     private final boolean transportSSLEnabled;
+    private final boolean transportSSLEnforceCertReloadDnVerification;
 
     private List<String> enabledHttpCiphersJDKProvider;
     private List<String> enabledHttpCiphersOpenSSLProvider;
@@ -155,10 +157,18 @@ public DefaultSecurityKeyStore(final Settings settings, final Path configPath) {
             SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED,
             SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT
         );
+        httpSSLEnforceCertReloadDnVerification = settings.getAsBoolean(
+            SSLConfigConstants.SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+            true
+        );
         transportSSLEnabled = settings.getAsBoolean(
             SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED,
             SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT
         );
+        transportSSLEnforceCertReloadDnVerification = settings.getAsBoolean(
+            SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+            true
+        );
         final boolean useOpenSSLForHttpIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED
             && settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true);
         final boolean useOpenSSLForTransportIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED
@@ -411,7 +421,7 @@ public void initTransportSSLConfig() {
                     certFromTruststore = new CertFromTruststore(truststoreProps, truststoreAlias);
                 }
 
-                validateNewCerts(transportCerts, certFromKeystore.getCerts());
+                validateNewCerts(transportCerts, certFromKeystore.getCerts(), transportSSLEnforceCertReloadDnVerification);
                 transportServerSslContext = buildSSLServerContext(
                     certFromKeystore.getServerKey(),
                     certFromKeystore.getServerCert(),
@@ -462,7 +472,7 @@ public void initTransportSSLConfig() {
                     certFromFile = new CertFromFile(certProps);
                 }
 
-                validateNewCerts(transportCerts, certFromFile.getCerts());
+                validateNewCerts(transportCerts, certFromFile.getCerts(), transportSSLEnforceCertReloadDnVerification);
                 transportServerSslContext = buildSSLServerContext(
                     certFromFile.getServerPemKey(),
                     certFromFile.getServerPemCert(),
@@ -560,7 +570,7 @@ public void initHttpSSLConfig() {
                     certFromTruststore = new CertFromTruststore(truststoreProps, truststoreAlias);
                 }
 
-                validateNewCerts(httpCerts, certFromKeystore.getCerts());
+                validateNewCerts(httpCerts, certFromKeystore.getCerts(), httpSSLEnforceCertReloadDnVerification);
                 httpSslContext = buildSSLServerContext(
                     certFromKeystore.getServerKey(),
                     certFromKeystore.getServerCert(),
@@ -591,7 +601,7 @@ public void initHttpSSLConfig() {
                 );
                 CertFromFile certFromFile = new CertFromFile(certFileProps);
 
-                validateNewCerts(httpCerts, certFromFile.getCerts());
+                validateNewCerts(httpCerts, certFromFile.getCerts(), httpSSLEnforceCertReloadDnVerification);
                 httpSslContext = buildSSLServerContext(
                     certFromFile.getServerPemKey(),
                     certFromFile.getServerPemCert(),
@@ -622,11 +632,16 @@ public void initHttpSSLConfig() {
      * If the current and new certificates are same, skip remaining checks.
      * For new X509 cert to be valid Issuer, Subject DN must be the same and
      * new certificates should expire after current ones.
-     * @param currentX509Certs  Array of current x509 certificates
-     * @param newX509Certs      Array of x509 certificates which will replace our current cert
+     * @param currentX509Certs Array of current x509 certificates
+     * @param newX509Certs     Array of x509 certificates which will replace our current cert
+     * @param verifyValidDNs   Whether to verify that new certs have valid IssuerDN, SubjectDN and SAN
      * @throws Exception if certificate is invalid
      */
-    private void validateNewCerts(final X509Certificate[] currentX509Certs, final X509Certificate[] newX509Certs) throws Exception {
+    private void validateNewCerts(
+        final X509Certificate[] currentX509Certs,
+        final X509Certificate[] newX509Certs,
+        final boolean verifyValidDNs
+    ) throws Exception {
 
         // First time we init certs ignore validity check
         if (currentX509Certs == null) {
@@ -643,7 +658,7 @@ private void validateNewCerts(final X509Certificate[] currentX509Certs, final X5
         }
 
         // Check if new X509 certs have valid IssuerDN, SubjectDN or SAN
-        if (!hasValidDNs(currentX509Certs, newX509Certs)) {
+        if (verifyValidDNs && !hasValidDNs(currentX509Certs, newX509Certs)) {
             throw new Exception("New Certs do not have valid Issuer DN, Subject DN or SAN.");
         }
     }

@@ -634,6 +634,23 @@ public List<Setting<?>> getSettings() {
             Setting.longSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Property.NodeScope, Property.Filtered)
         );
 
+        settings.add(
+            Setting.boolSetting(
+                SSLConfigConstants.SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+                true,
+                Property.NodeScope,
+                Property.Filtered
+            )
+        );
+        settings.add(
+            Setting.boolSetting(
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+                true,
+                Property.NodeScope,
+                Property.Filtered
+            )
+        );
+
         return settings;
     }
 

@@ -74,7 +74,7 @@ void reloadSslContext() throws CertificateException {
         if (sameCertificates(newCertificates)) {
             return;
         }
-        validateNewCertificates(newCertificates);
+        validateNewCertificates(newCertificates, sslConfiguration.sslParameters().shouldValidateNewCertDNs());
         invalidateSessions();
         if (sslContext.isClient()) {
             sslContext = sslConfiguration.buildClientSslContext(false);
@@ -141,13 +141,16 @@ private void validateSans(final List<Certificate> newCertificates) throws Certif
         }
     }
 
-    private void validateNewCertificates(final List<Certificate> newCertificates) throws CertificateException {
+    private void validateNewCertificates(final List<Certificate> newCertificates, boolean shouldValidateNewCertDNs)
+        throws CertificateException {
         for (final var certificate : newCertificates) {
             certificate.x509Certificate().checkValidity();
         }
-        validateSubjectDns(newCertificates);
-        validateIssuerDns(newCertificates);
-        validateSans(newCertificates);
+        if (shouldValidateNewCertDNs) {
+            validateSubjectDns(newCertificates);
+            validateIssuerDns(newCertificates);
+            validateSans(newCertificates);
+        }
     }
 
     private void invalidateSessions() {

@@ -40,6 +40,7 @@
 import static org.opensearch.security.ssl.util.SSLConfigConstants.ENABLED_CIPHERS;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.ENABLED_PROTOCOLS;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.ENABLE_OPENSSL_IF_AVAILABLE;
+import static org.opensearch.security.ssl.util.SSLConfigConstants.ENFORCE_CERT_RELOAD_DN_VERIFICATION;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.OPENSSL_1_1_1_BETA_9;
 import static org.opensearch.security.ssl.util.SSLConfigConstants.OPENSSL_AVAILABLE;
 
@@ -53,11 +54,20 @@ public class SslParameters {
 
     private final List<String> ciphers;
 
-    private SslParameters(SslProvider provider, final ClientAuth clientAuth, List<String> protocols, List<String> ciphers) {
+    private final boolean validateCertDNsOnReload;
+
+    private SslParameters(
+        SslProvider provider,
+        final ClientAuth clientAuth,
+        List<String> protocols,
+        List<String> ciphers,
+        boolean validateCertDNsOnReload
+    ) {
         this.provider = provider;
         this.ciphers = ciphers;
         this.protocols = protocols;
         this.clientAuth = clientAuth;
+        this.validateCertDNsOnReload = validateCertDNsOnReload;
     }
 
     public ClientAuth clientAuth() {
@@ -76,6 +86,10 @@ public List<String> allowedProtocols() {
         return protocols;
     }
 
+    public boolean shouldValidateNewCertDNs() {
+        return validateCertDNsOnReload;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
@@ -112,6 +126,10 @@ private SslProvider provider(final Settings settings) {
             }
         }
 
+        private boolean validateCertDNsOnReload(final Settings settings) {
+            return settings.getAsBoolean(ENFORCE_CERT_RELOAD_DN_VERIFICATION, true);
+        }
+
         private List<String> protocols(final SslProvider provider, final Settings settings, boolean http) {
             final var allowedProtocols = settings.getAsList(ENABLED_PROTOCOLS, List.of(ALLOWED_SSL_PROTOCOLS));
             if (provider == SslProvider.OPENSSL) {
@@ -181,7 +199,8 @@ public SslParameters load(final boolean http) {
                 provider,
                 clientAuth,
                 protocols(provider, sslConfigSettings, http),
-                ciphers(provider, sslConfigSettings)
+                ciphers(provider, sslConfigSettings),
+                validateCertDNsOnReload(sslConfigSettings)
             );
             if (sslParameters.allowedProtocols().isEmpty()) {
                 throw new OpenSearchSecurityException("No ssl protocols for " + (http ? "HTTP" : "Transport") + " layer");

@@ -48,6 +48,8 @@ public final class SSLConfigConstants {
 
     public static final String CLIENT_AUTH_MODE = "clientauth_mode";
 
+    public static final String ENFORCE_CERT_RELOAD_DN_VERIFICATION = "enforce_cert_reload_dn_verification";
+
     public static final String KEYSTORE_TYPE = "keystore_type";
     public static final String KEYSTORE_ALIAS = "keystore_alias";
     public static final String KEYSTORE_FILEPATH = "keystore_filepath";
@@ -82,6 +84,8 @@ public final class SSLConfigConstants {
     public static final String SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = "plugins.security.ssl.http.truststore_alias";
     public static final String SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = "plugins.security.ssl.http.truststore_filepath";
     public static final String SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = "plugins.security.ssl.http.truststore_type";
+    public static final String SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION = "plugins.security.ssl.http."
+        + ENFORCE_CERT_RELOAD_DN_VERIFICATION;
     public static final String SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE =
         "plugins.security.ssl.transport.enable_openssl_if_available";
     public static final String SECURITY_SSL_TRANSPORT_ENABLED = "plugins.security.ssl.transport.enabled";
@@ -91,6 +95,8 @@ public final class SSLConfigConstants {
     public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME =
         "plugins.security.ssl.transport.resolve_hostname";
 
+    public static final String SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION = "plugins.security.ssl.transport."
+        + ENFORCE_CERT_RELOAD_DN_VERIFICATION;
     public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = "plugins.security.ssl.transport.keystore_alias";
     public static final String SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = "plugins.security.ssl.transport.server.keystore_alias";
     public static final String SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = "plugins.security.ssl.transport.client.keystore_alias";