Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport 2.x] Allow skipping hot reload dn validation #4839

Merged
merged 2 commits into from
Oct 28, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -122,7 +122,9 @@ private void printJCEWarnings() {
public final SslProvider sslTransportServerProvider;
public final SslProvider sslTransportClientProvider;
private final boolean httpSSLEnabled;
private final boolean httpSSLEnforceCertReloadDnVerification;
private final boolean transportSSLEnabled;
private final boolean transportSSLEnforceCertReloadDnVerification;

private List<String> enabledHttpCiphersJDKProvider;
private List<String> enabledHttpCiphersOpenSSLProvider;
Expand Down Expand Up @@ -155,10 +157,18 @@ public DefaultSecurityKeyStore(final Settings settings, final Path configPath) {
SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED,
SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT
);
httpSSLEnforceCertReloadDnVerification = settings.getAsBoolean(
SSLConfigConstants.SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
true
);
transportSSLEnabled = settings.getAsBoolean(
SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED,
SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT
);
transportSSLEnforceCertReloadDnVerification = settings.getAsBoolean(
SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
true
);
final boolean useOpenSSLForHttpIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED
&& settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true);
final boolean useOpenSSLForTransportIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED
Expand Down Expand Up @@ -411,7 +421,7 @@ public void initTransportSSLConfig() {
certFromTruststore = new CertFromTruststore(truststoreProps, truststoreAlias);
}

validateNewCerts(transportCerts, certFromKeystore.getCerts());
validateNewCerts(transportCerts, certFromKeystore.getCerts(), transportSSLEnforceCertReloadDnVerification);
transportServerSslContext = buildSSLServerContext(
certFromKeystore.getServerKey(),
certFromKeystore.getServerCert(),
Expand Down Expand Up @@ -462,7 +472,7 @@ public void initTransportSSLConfig() {
certFromFile = new CertFromFile(certProps);
}

validateNewCerts(transportCerts, certFromFile.getCerts());
validateNewCerts(transportCerts, certFromFile.getCerts(), transportSSLEnforceCertReloadDnVerification);
transportServerSslContext = buildSSLServerContext(
certFromFile.getServerPemKey(),
certFromFile.getServerPemCert(),
Expand Down Expand Up @@ -560,7 +570,7 @@ public void initHttpSSLConfig() {
certFromTruststore = new CertFromTruststore(truststoreProps, truststoreAlias);
}

validateNewCerts(httpCerts, certFromKeystore.getCerts());
validateNewCerts(httpCerts, certFromKeystore.getCerts(), httpSSLEnforceCertReloadDnVerification);
httpSslContext = buildSSLServerContext(
certFromKeystore.getServerKey(),
certFromKeystore.getServerCert(),
Expand Down Expand Up @@ -591,7 +601,7 @@ public void initHttpSSLConfig() {
);
CertFromFile certFromFile = new CertFromFile(certFileProps);

validateNewCerts(httpCerts, certFromFile.getCerts());
validateNewCerts(httpCerts, certFromFile.getCerts(), httpSSLEnforceCertReloadDnVerification);
httpSslContext = buildSSLServerContext(
certFromFile.getServerPemKey(),
certFromFile.getServerPemCert(),
Expand Down Expand Up @@ -622,11 +632,16 @@ public void initHttpSSLConfig() {
* If the current and new certificates are same, skip remaining checks.
* For new X509 cert to be valid Issuer, Subject DN must be the same and
* new certificates should expire after current ones.
* @param currentX509Certs Array of current x509 certificates
* @param newX509Certs Array of x509 certificates which will replace our current cert
* @param currentX509Certs Array of current x509 certificates
* @param newX509Certs Array of x509 certificates which will replace our current cert
* @param verifyValidDNs Whether to verify that new certs have valid IssuerDN, SubjectDN and SAN
* @throws Exception if certificate is invalid
*/
private void validateNewCerts(final X509Certificate[] currentX509Certs, final X509Certificate[] newX509Certs) throws Exception {
private void validateNewCerts(
final X509Certificate[] currentX509Certs,
final X509Certificate[] newX509Certs,
final boolean verifyValidDNs
) throws Exception {

// First time we init certs ignore validity check
if (currentX509Certs == null) {
Expand All @@ -643,7 +658,7 @@ private void validateNewCerts(final X509Certificate[] currentX509Certs, final X5
}

// Check if new X509 certs have valid IssuerDN, SubjectDN or SAN
if (!hasValidDNs(currentX509Certs, newX509Certs)) {
if (verifyValidDNs && !hasValidDNs(currentX509Certs, newX509Certs)) {
throw new Exception("New Certs do not have valid Issuer DN, Subject DN or SAN.");
}
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -634,6 +634,23 @@ public List<Setting<?>> getSettings() {
Setting.longSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Property.NodeScope, Property.Filtered)
);

settings.add(
Setting.boolSetting(
SSLConfigConstants.SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
true,
Property.NodeScope,
Property.Filtered
)
);
settings.add(
Setting.boolSetting(
SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
true,
Property.NodeScope,
Property.Filtered
)
);

return settings;
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,8 @@ public final class SSLConfigConstants {
public static final String SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = "plugins.security.ssl.http.truststore_alias";
public static final String SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = "plugins.security.ssl.http.truststore_filepath";
public static final String SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = "plugins.security.ssl.http.truststore_type";
public static final String SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION =
"plugins.security.ssl.http.enforce_cert_reload_dn_verification";
public static final String SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE =
"plugins.security.ssl.transport.enable_openssl_if_available";
public static final String SECURITY_SSL_TRANSPORT_ENABLED = "plugins.security.ssl.transport.enabled";
Expand All @@ -91,6 +93,8 @@ public final class SSLConfigConstants {
public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME =
"plugins.security.ssl.transport.resolve_hostname";

public static final String SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION =
"plugins.security.ssl.transport.enforce_cert_reload_dn_verification";
public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = "plugins.security.ssl.transport.keystore_alias";
public static final String SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = "plugins.security.ssl.transport.server.keystore_alias";
public static final String SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = "plugins.security.ssl.transport.client.keystore_alias";
Expand Down
Loading
Loading