From d374543a1e0c6fb4f2d000bb74b71b6ebd51316b Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Wed, 23 Nov 2022 13:36:31 -0500
Subject: [PATCH 1/3] Remove OpenSSL provider

Signed-off-by: Craig Perkins
---
 .../security/ssl/DefaultSecurityKeyStore.java | 116 +--------
 .../ssl/OpenSearchSecuritySSLPlugin.java | 5 -
 .../security/ssl/util/SSLConfigConstants.java | 2 -
 .../opensearch/security/IntegrationTests.java | 6 -
 .../opensearch/security/ssl/OpenSSLTest.java | 234 ------------------
 .../org/opensearch/security/ssl/SSLTest.java | 98 ++------
 .../test/AbstractSecurityUnitTest.java | 4 +-
 7 files changed, 21 insertions(+), 444 deletions(-)
 delete mode 100644 src/test/java/org/opensearch/security/ssl/OpenSSLTest.java

diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
index d186b26869..abc6fb5409 100644
--- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
+++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
@@ -37,7 +37,6 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
 import java.util.Set;
@@ -59,12 +58,10 @@
 import io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior;
 import io.netty.handler.ssl.ApplicationProtocolNames;
 import io.netty.handler.ssl.ClientAuth;
-import io.netty.handler.ssl.OpenSsl;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
 import io.netty.handler.ssl.SupportedCipherSuiteFilter;
-import io.netty.util.internal.PlatformDependent;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.bouncycastle.asn1.ASN1InputStream;
@@ -114,14 +111,10 @@ private void printJCEWarnings() { private final boolean transportSSLEnabled; private List enabledHttpCiphersJDKProvider; - private List enabledHttpCiphersOpenSSLProvider; private List enabledTransportCiphersJDKProvider; - private List enabledTransportCiphersOpenSSLProvider; private List enabledHttpProtocolsJDKProvider; - private List enabledHttpProtocolsOpenSSLProvider; private List enabledTransportProtocolsJDKProvider; - private List enabledTransportProtocolsOpenSSLProvider; private SslContext httpSslContext; private SslContext transportServerSslContext; 
@@ -144,38 +137,14 @@ public DefaultSecurityKeyStore(final Settings settings, final Path configPath) { SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT); transportSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT); - final boolean useOpenSSLForHttpIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && settings - .getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true); - final boolean useOpenSSLForTransportIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && settings - .getAsBoolean(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true); - - if(!OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable() && (settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true) || settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true) )) { - if (PlatformDependent.javaVersion() < 12) { - log.warn("Support for OpenSSL with Java 11 or prior versions require using Netty allocator. Set 'opensearch.unsafe.use_netty_default_allocator' system property to true"); - } else { - log.warn("Support for OpenSSL with Java 12+ has been removed from Open Distro Security since Elasticsearch 7.4.0. 
Using JDK SSL instead."); - } - } - - boolean openSSLInfoLogged = false; - if (httpSSLEnabled && useOpenSSLForHttpIfAvailable) { - sslHTTPProvider = SslContext.defaultServerProvider(); - logOpenSSLInfos(); - openSSLInfoLogged = true; - } else if (httpSSLEnabled) { + if (httpSSLEnabled) { sslHTTPProvider = SslProvider.JDK; } else { sslHTTPProvider = null; } - if (transportSSLEnabled && useOpenSSLForTransportIfAvailable) { - sslTransportClientProvider = SslContext.defaultClientProvider(); - sslTransportServerProvider = SslContext.defaultServerProvider(); - if (!openSSLInfoLogged) { - logOpenSSLInfos(); - } - } else if (transportSSLEnabled) { + if (transportSSLEnabled) { sslTransportClientProvider = sslTransportServerProvider = SslProvider.JDK; } else { sslTransportClientProvider = sslTransportServerProvider = null; 
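Review bot: The two surviving if/else blocks now only map a boolean onto `SslProvider.JDK` or null, which reads more directly as `sslHTTPProvider = httpSSLEnabled ? SslProvider.JDK : null;` and `sslTransportClientProvider = sslTransportServerProvider = transportSSLEnabled ? SslProvider.JDK : null;`. The deleted branch was also the only place that told an operator who had set `enable_openssl_if_available` that JDK SSL would be used instead; with that gone there is no startup message naming the TLS provider at all, so a single `log.info` stating that the JDK provider is in use for HTTP and/or transport would keep that operational visibility. The constructor continues beyond the end of this hunk.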
@@ -729,37 +698,15 @@ private void setHttpSSLCerts(X509Certificate[] certs) { this.httpCerts = certs; } - private void logOpenSSLInfos() { - if (OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()) { - log.info("OpenSSL {} ({}) available", OpenSsl.versionString(), OpenSsl.version()); - - if (OpenSsl.version() < 0x10002000L) { - log.warn( - "Outdated OpenSSL version detected. You should update to 1.0.2k or later. Currently installed: {}", - OpenSsl.versionString()); - } - - if (!OpenSsl.supportsHostnameValidation()) { - log.warn("Your OpenSSL version {} does not support hostname verification. You should update to 1.0.2k or later.", OpenSsl.versionString()); - } - - log.debug("OpenSSL available ciphers {}", OpenSsl.availableOpenSslCipherSuites()); - } else { - log.info("OpenSSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of " - + OpenSsl.unavailabilityCause()); - } - } - private List getEnabledSSLCiphers(final SslProvider provider, boolean http) { if (provider == null) { return Collections.emptyList(); } if (http) { - return provider == SslProvider.JDK ? enabledHttpCiphersJDKProvider : enabledHttpCiphersOpenSSLProvider; + return enabledHttpCiphersJDKProvider; } else { - return provider == SslProvider.JDK ? enabledTransportCiphersJDKProvider - : enabledTransportCiphersOpenSSLProvider; + return enabledTransportCiphersJDKProvider; } } @@ -770,10 +717,9 @@ private String[] getEnabledSSLProtocols(final SslProvider provider, boolean http } if (http) { - return (provider == SslProvider.JDK ? enabledHttpProtocolsJDKProvider : enabledHttpProtocolsOpenSSLProvider).toArray(new String[0]); + return enabledHttpProtocolsJDKProvider.toArray(new String[0]); } else { - return (provider == SslProvider.JDK ? enabledTransportProtocolsJDKProvider - : enabledTransportProtocolsOpenSSLProvider).toArray(new String[0]); + return enabledTransportProtocolsJDKProvider.toArray(new String[0]); } } 
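Review bot: After this change the `provider` argument of `getEnabledSSLCiphers` (and of `getEnabledSSLProtocols` in the second hunk on this line) only serves the null check; any non-null provider now silently yields the JDK lists. Since the constructor now assigns nothing but `SslProvider.JDK` or null, either drop the parameter or make the assumption explicit after the null check, e.g. `if (provider != SslProvider.JDK) { throw new IllegalArgumentException("Unsupported SSL provider: " + provider); }`, so a future provider cannot be handed the wrong cipher and protocol lists. A one-line Javadoc on both methods saying that only the JDK provider is supported would help too. `getEnabledSSLCiphers` fits inside its hunk, but the hunk opens inside `setHttpSSLCerts` and the `getEnabledSSLProtocols` hunk starts mid-method.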
@@ -786,56 +732,6 @@ private void initEnabledSSLCiphers() { final List secureHttpSSLProtocols = Arrays.asList(SSLConfigConstants.getSecureSSLProtocols(settings, true)); final List secureTransportSSLProtocols = Arrays.asList(SSLConfigConstants.getSecureSSLProtocols(settings, false)); - if (OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()) { - final Set openSSLSecureHttpCiphers = new HashSet<>(); - for (final String secure : secureHttpSSLCiphers) { - if (OpenSsl.isCipherSuiteAvailable(secure)) { - openSSLSecureHttpCiphers.add(secure); - } - } - - - log.debug("OPENSSL {} supports the following ciphers (java-style) {}", OpenSsl.versionString(), OpenSsl.availableJavaCipherSuites()); - log.debug("OPENSSL {} supports the following ciphers (openssl-style) {}", OpenSsl.versionString(), OpenSsl.availableOpenSslCipherSuites()); - - enabledHttpCiphersOpenSSLProvider = Collections - .unmodifiableList(new ArrayList(openSSLSecureHttpCiphers)); - } else { - enabledHttpCiphersOpenSSLProvider = Collections.emptyList(); - } - - if (OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()) { - final Set openSSLSecureTransportCiphers = new HashSet<>(); - for (final String secure : secureTransportSSLCiphers) { - if (OpenSsl.isCipherSuiteAvailable(secure)) { - openSSLSecureTransportCiphers.add(secure); - } - } - - enabledTransportCiphersOpenSSLProvider = Collections - .unmodifiableList(new ArrayList(openSSLSecureTransportCiphers)); - } else { - enabledTransportCiphersOpenSSLProvider = Collections.emptyList(); - } - - if(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable() && OpenSsl.version() > 0x10101009L) { - enabledHttpProtocolsOpenSSLProvider = new ArrayList(Arrays.asList("TLSv1.3","TLSv1.2","TLSv1.1","TLSv1")); - enabledHttpProtocolsOpenSSLProvider.retainAll(secureHttpSSLProtocols); - enabledTransportProtocolsOpenSSLProvider = new ArrayList(Arrays.asList("TLSv1.3","TLSv1.2","TLSv1.1")); - 
enabledTransportProtocolsOpenSSLProvider.retainAll(secureTransportSSLProtocols); - - log.info("OpenSSL supports TLSv1.3"); - - } else if(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()){ - enabledHttpProtocolsOpenSSLProvider = new ArrayList(Arrays.asList("TLSv1.2","TLSv1.1","TLSv1")); - enabledHttpProtocolsOpenSSLProvider.retainAll(secureHttpSSLProtocols); - enabledTransportProtocolsOpenSSLProvider = new ArrayList(Arrays.asList("TLSv1.2","TLSv1.1")); - enabledTransportProtocolsOpenSSLProvider.retainAll(secureTransportSSLProtocols); - } else { - enabledHttpProtocolsOpenSSLProvider = Collections.emptyList(); - enabledTransportProtocolsOpenSSLProvider = Collections.emptyList(); - } - SSLEngine engine = null; List jdkSupportedCiphers = null; List jdkSupportedProtocols = null; diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java index 52983e7814..a59018f3fa 100644 --- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java +++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java @@ -43,7 +43,6 @@ import org.opensearch.cluster.metadata.IndexNameExpressionResolver; import org.opensearch.cluster.node.DiscoveryNodes; import org.opensearch.cluster.service.ClusterService; -import org.opensearch.common.Booleans; import org.opensearch.common.io.stream.NamedWriteableRegistry; import org.opensearch.common.network.NetworkModule; import org.opensearch.common.network.NetworkService; 
@@ -89,8 +88,6 @@ //For ES5 this class has only effect when SSL only plugin is installed public class OpenSearchSecuritySSLPlugin extends Plugin implements SystemIndexPlugin, NetworkPlugin { - private static boolean USE_NETTY_DEFAULT_ALLOCATOR = Booleans.parseBoolean(System.getProperty("opensearch.unsafe.use_netty_default_allocator"), false); - public static final boolean OPENSSL_SUPPORTED = (PlatformDependent.javaVersion() < 12) && USE_NETTY_DEFAULT_ALLOCATOR; protected final Logger log = LogManager.getLogger(this.getClass()); protected static final String CLIENT_TYPE = "client.type"; protected final boolean client; 
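Review bot: Removing the public constant `OPENSSL_SUPPORTED` is an API change for any code outside this class that referenced it, and it also removes the only visible use of `PlatformDependent.javaVersion()` here; unless the class uses it elsewhere, `import io.netty.util.internal.PlatformDependent;` should go with it, since this commit only drops the `Booleans` import from this file. The commit message should state that the constant and the `enable_openssl_if_available` settings are removed outright rather than deprecated, so downstream users know what to expect. The class body continues beyond this hunk.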
@@ -328,9 +325,7 @@ public List> getSettings() { settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH, Property.NodeScope, Property.Filtered)); settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD, Property.NodeScope, Property.Filtered)); settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED, Property.NodeScope, Property.Filtered)); settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED, SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered)); - settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, OPENSSL_SUPPORTED,Property.NodeScope, Property.Filtered)); settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED, SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered)); settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Property.NodeScope, Property.Filtered)); settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true, Property.NodeScope, Property.Filtered)); diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java index 287152d9dc..2b89128354 100644 --- a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java +++ b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java 
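Review bot: Dropping the `Setting` registrations for `SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE` and `SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE` means that an existing `opensearch.yml` still carrying `plugins.security.ssl.http.enable_openssl_if_available` or the transport variant will, as far as I recall OpenSearch's settings validation, be rejected at node startup as an unknown setting rather than ignored. If a hard failure on upgrade is not intended, keep both registered for one release as deprecated no-ops, e.g. `settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false, Property.NodeScope, Property.Filtered, Property.Deprecated));`, which in turn means retaining the two constants the SSLConfigConstants hunk deletes. Either way the removal belongs in the release notes. `getSettings()` begins and ends outside this hunk.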
@@ -25,7 +25,6 @@ public final class SSLConfigConstants { - public static final String SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE = "plugins.security.ssl.http.enable_openssl_if_available"; public static final String SECURITY_SSL_HTTP_ENABLED = "plugins.security.ssl.http.enabled"; public static final boolean SECURITY_SSL_HTTP_ENABLED_DEFAULT = false; public static final String SECURITY_SSL_HTTP_CLIENTAUTH_MODE = "plugins.security.ssl.http.clientauth_mode"; @@ -42,7 +41,6 @@ public final class SSLConfigConstants { public static final String SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = "plugins.security.ssl.http.truststore_filepath"; public static final String SECURITY_SSL_HTTP_TRUSTSTORE_PASSWORD = "plugins.security.ssl.http.truststore_password"; public static final String SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = "plugins.security.ssl.http.truststore_type"; - public static final String SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE = "plugins.security.ssl.transport.enable_openssl_if_available"; public static final String SECURITY_SSL_TRANSPORT_ENABLED = "plugins.security.ssl.transport.enabled"; public static final boolean SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT = true; public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION = "plugins.security.ssl.transport.enforce_hostname_verification"; diff --git a/src/test/java/org/opensearch/security/IntegrationTests.java b/src/test/java/org/opensearch/security/IntegrationTests.java index 226551a5ae..891da56379 100644 --- a/src/test/java/org/opensearch/security/IntegrationTests.java +++ b/src/test/java/org/opensearch/security/IntegrationTests.java 
@@ -173,12 +173,6 @@ public void testDNSpecials1() throws Exception { Assert.assertEquals(HttpStatus.SC_OK, rh.executeGetRequest("", encodeBasicHeader("worf", "worf")).getStatusCode()); } - @Test - public void testEnsureOpenSSLAvailability() { - Assume.assumeTrue(allowOpenSSL); - Assert.assertTrue(String.valueOf(OpenSsl.unavailabilityCause()), OpenSsl.isAvailable()); - } - @Test public void testMultiget() throws Exception { diff --git a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java b/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java deleted file mode 100644 index 6990df9ea7..0000000000 --- a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java +++ /dev/null 
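Review bot: Only the test method is deleted here, so `import io.netty.handler.ssl.OpenSsl;` (and `org.junit.Assume`, unless another test in the file still uses it) is left behind as an unused import in IntegrationTests; please remove it in the same commit so this test class no longer references the netty OpenSSL binding at all. The hunk opens inside `testDNSpecials1`, whose start lies outside it.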
@@ -1,234 +0,0 @@ -/* - * Copyright 2015-2017 floragunn GmbH - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package org.opensearch.security.ssl; - -import java.util.HashSet; -import java.util.Random; -import java.util.Set; - -import io.netty.handler.ssl.OpenSsl; -import io.netty.util.internal.PlatformDependent; -import org.junit.AfterClass; -import org.junit.Assert; -import org.junit.Assume; -import org.junit.Before; -import org.junit.BeforeClass; -import org.junit.Test; - -import org.opensearch.action.admin.cluster.health.ClusterHealthRequest; -import org.opensearch.action.admin.cluster.health.ClusterHealthResponse; -import org.opensearch.action.admin.cluster.node.info.NodesInfoRequest; -import org.opensearch.common.settings.Settings; -import org.opensearch.common.unit.TimeValue; -import org.opensearch.node.Node; -import org.opensearch.node.PluginAwareNode; -import org.opensearch.security.OpenSearchSecurityPlugin; -import org.opensearch.security.ssl.util.SSLConfigConstants; -import org.opensearch.security.support.ConfigConstants; -import org.opensearch.security.test.AbstractSecurityUnitTest; -import org.opensearch.security.test.helper.file.FileHelper; -import org.opensearch.security.test.helper.rest.RestHelper; -import org.opensearch.transport.Netty4ModulePlugin; - -public class OpenSSLTest extends SSLTest { - private static final String USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY = "opensearch.unsafe.use_netty_default_allocator"; - private static 
String USE_NETTY_DEFAULT_ALLOCATOR; - - @BeforeClass - public static void enableNettyDefaultAllocator() { - USE_NETTY_DEFAULT_ALLOCATOR = System.getProperty(USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY); - System.setProperty(USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY, "true"); - } - - @AfterClass - public static void restoreNettyDefaultAllocator() { - if (USE_NETTY_DEFAULT_ALLOCATOR != null) { - System.setProperty(USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY, USE_NETTY_DEFAULT_ALLOCATOR); - } else { - System.clearProperty(USE_NETTY_DEFAULT_ALLOCATOR_PROPERTY); - } - } - - @Before - public void setup() { - Assume.assumeFalse(PlatformDependent.isWindows()); - allowOpenSSL = true; - } - - @Override - @Test - public void testHttps() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testHttps(); - } - - @Override - @Test - public void testHttpsAndNodeSSL() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testHttpsAndNodeSSL(); - } - - @Override - @Test - public void testHttpPlainFail() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testHttpPlainFail(); - } - - @Override - @Test - public void testHttpsNoEnforce() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testHttpsNoEnforce(); - } - - @Override - @Test - public void testHttpsV3Fail() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testHttpsV3Fail(); - } - - - @Override - @Test(timeout=40000) - public void testNodeClientSSL() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testNodeClientSSL(); - } - - @Override - @Test - public void testHttpsOptionalAuth() throws Exception { - 
Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testHttpsOptionalAuth(); - } - - @Test - public void testAvailCiphersOpenSSL() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - - // Set openSSLAvailCiphers = new - // HashSet<>(OpenSsl.availableCipherSuites()); - // System.out.println("OpenSSL available ciphers: "+openSSLAvailCiphers); - // ECDHE-RSA-AES256-SHA, ECDH-ECDSA-AES256-SHA, DH-DSS-DES-CBC-SHA, - // ADH-AES256-SHA256, ADH-CAMELLIA128-SHA - - final Set openSSLSecureCiphers = new HashSet<>(); - for (final String secure : SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false)) { - if (OpenSsl.isCipherSuiteAvailable(secure)) { - openSSLSecureCiphers.add(secure); - } - } - - System.out.println("OpenSSL secure ciphers: " + openSSLSecureCiphers); - Assert.assertTrue(openSSLSecureCiphers.size() > 0); - } - - @Test - public void testHttpsEnforceFail() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testHttpsEnforceFail(); - } - - @Override - public void testCipherAndProtocols() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testCipherAndProtocols(); - } - - @Override - public void testHttpsAndNodeSSLFailedCipher() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testHttpsAndNodeSSLFailedCipher(); - } - - @Test - public void testHttpsAndNodeSSLPem() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testHttpsAndNodeSSLPKCS8Pem(); - } - - @Test - public void testHttpsAndNodeSSLPemEnc() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testHttpsAndNodeSSLPemEnc(); - } - - @Test - public void 
testNodeClientSSLwithOpenSslTLSv13() throws Exception { - - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable() && OpenSsl.version() > 0x10101009L); - - final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) - .put(ConfigConstants.SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") - .put("plugins.security.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) - .put("plugins.security.ssl.transport.enforce_hostname_verification", false) - .put("plugins.security.ssl.transport.resolve_hostname", false) - .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3") - .putList(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_CHACHA20_POLY1305_SHA256") - .put("node.max_local_storage_nodes",4) - .build(); - - setupSslOnlyMode(settings); - - RestHelper rh = nonSslRestHelper(); - - final Settings tcSettings = AbstractSecurityUnitTest.nodeRolesSettings(Settings.builder(), false, false) - .put("cluster.name", clusterInfo.clustername).put("path.home", "/tmp") - .put("node.name", "client_node_" + new Random().nextInt()) - .put("path.data", "./target/data/" + clusterInfo.clustername + "/ssl/data") - .put("path.logs", "./target/data/" + clusterInfo.clustername + "/ssl/logs") - .put("path.home", "./target") - .put("discovery.initial_state_timeout","8s") - .putList("discovery.zen.ping.unicast.hosts", clusterInfo.nodeHost+":"+clusterInfo.nodePort) - .put(settings)// ----- - .build(); - - try (Node node = new PluginAwareNode(false, tcSettings, 
Netty4ModulePlugin.class, OpenSearchSecurityPlugin.class).start()) { - ClusterHealthResponse res = node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5))).actionGet(); - Assert.assertFalse(res.isTimedOut()); - Assert.assertEquals(4, res.getNumberOfNodes()); - Assert.assertEquals(4, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size()); - } - - Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_size_in_bytes\" : 0")); - Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_count\" : 0")); - Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_size_in_bytes\" : 0")); - Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_count\" : 0")); - } - - @Test - public void testTLSv12() throws Exception { - Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testTLSv12(); - } - - @Test - public void testJava12WithOpenSslEnabled() throws Exception { - // If the user has Java 12 running and OpenSSL enabled, we give - // a warning, ignore OpenSSL and use JDK SSl instead. - Assume.assumeTrue(PlatformDependent.javaVersion() >= 12); - super.testHttps(); - } -} diff --git a/src/test/java/org/opensearch/security/ssl/SSLTest.java b/src/test/java/org/opensearch/security/ssl/SSLTest.java index 08bbbb15d3..671d26177e 100644 --- a/src/test/java/org/opensearch/security/ssl/SSLTest.java +++ b/src/test/java/org/opensearch/security/ssl/SSLTest.java @@ -67,8 +67,6 @@ public class SSLTest extends SingleClusterTest { @Rule public final ExpectedException thrown = ExpectedException.none(); - - protected boolean allowOpenSSL = false; @Test public void testHttps() throws Exception { 
@@ -76,8 +74,6 @@ public void testHttps() throws Exception { final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false) .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put("plugins.security.ssl.http.enabled", true) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, "TLSv1.1","TLSv1.2") .putList(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256") @@ -112,13 +108,10 @@ public void testCipherAndProtocols() throws Exception { Security.setProperty("jdk.tls.disabledAlgorithms",""); System.out.println("Disabled algos: "+Security.getProperty("jdk.tls.disabledAlgorithms")); - System.out.println("allowOpenSSL: "+allowOpenSSL); Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false) .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) 
@@ -134,22 +127,13 @@ public void testCipherAndProtocols() throws Exception { String[] enabledCiphers = new DefaultSecurityKeyStore(settings, Paths.get(".")).createHTTPSSLEngine().getEnabledCipherSuites(); String[] enabledProtocols = new DefaultSecurityKeyStore(settings, Paths.get(".")).createHTTPSSLEngine().getEnabledProtocols(); - if(allowOpenSSL) { - Assert.assertEquals(2, enabledProtocols.length); //SSLv2Hello is always enabled when using openssl - Assert.assertTrue("Check SSLv3", "SSLv3".equals(enabledProtocols[0]) || "SSLv3".equals(enabledProtocols[1])); - Assert.assertEquals(1, enabledCiphers.length); - Assert.assertEquals("TLS_RSA_EXPORT_WITH_RC4_40_MD5",enabledCiphers[0]); - } else { - Assert.assertEquals(1, enabledProtocols.length); - Assert.assertEquals("SSLv3", enabledProtocols[0]); - Assert.assertEquals(1, enabledCiphers.length); - Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5",enabledCiphers[0]); - } + Assert.assertEquals(1, enabledProtocols.length); + Assert.assertEquals("SSLv3", enabledProtocols[0]); + Assert.assertEquals(1, enabledCiphers.length); + Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5",enabledCiphers[0]); settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) .put(ConfigConstants.SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")) //WEAK and insecure cipher, do NOT use this, its here for unittesting only!!! 
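Review bot: The same four assertions on `enabledProtocols` and `enabledCiphers` now appear three times in `testCipherAndProtocols`, once here and twice in the following hunk at `@@ -163`. Extracting a private helper would reduce each call site to `assertOnlySslv3AndExportCipher(enabledProtocols, enabledCiphers);` and make the deliberately weak test configuration obvious from the name. `testCipherAndProtocols` starts and ends outside this hunk.
```java
// … unchanged: testCipherAndProtocols body, each four-line assert block replaced by
// assertOnlySslv3AndExportCipher(enabledProtocols, enabledCiphers); …

/** Asserts that only SSLv3 and the deliberately weak export cipher used by this test are enabled. */
private static void assertOnlySslv3AndExportCipher(String[] enabledProtocols, String[] enabledCiphers) {
    Assert.assertEquals(1, enabledProtocols.length);
    Assert.assertEquals("SSLv3", enabledProtocols[0]);
    Assert.assertEquals(1, enabledCiphers.length);
    Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5", enabledCiphers[0]);
}
```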
@@ -163,31 +147,17 @@ public void testCipherAndProtocols() throws Exception { enabledCiphers = new DefaultSecurityKeyStore(settings, Paths.get(".")).createServerTransportSSLEngine().getEnabledCipherSuites(); enabledProtocols = new DefaultSecurityKeyStore(settings, Paths.get(".")).createServerTransportSSLEngine().getEnabledProtocols(); - if(allowOpenSSL) { - Assert.assertEquals(2, enabledProtocols.length); //SSLv2Hello is always enabled when using openssl - Assert.assertTrue("Check SSLv3", "SSLv3".equals(enabledProtocols[0]) || "SSLv3".equals(enabledProtocols[1])); - Assert.assertEquals(1, enabledCiphers.length); - Assert.assertEquals("TLS_RSA_EXPORT_WITH_RC4_40_MD5",enabledCiphers[0]); - } else { - Assert.assertEquals(1, enabledProtocols.length); - Assert.assertEquals("SSLv3", enabledProtocols[0]); - Assert.assertEquals(1, enabledCiphers.length); - Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5",enabledCiphers[0]); - } + Assert.assertEquals(1, enabledProtocols.length); + Assert.assertEquals("SSLv3", enabledProtocols[0]); + Assert.assertEquals(1, enabledCiphers.length); + Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5",enabledCiphers[0]); enabledCiphers = new DefaultSecurityKeyStore(settings, Paths.get(".")).createClientTransportSSLEngine(null, -1).getEnabledCipherSuites(); enabledProtocols = new DefaultSecurityKeyStore(settings, Paths.get(".")).createClientTransportSSLEngine(null, -1).getEnabledProtocols(); - if(allowOpenSSL) { - Assert.assertEquals(2, enabledProtocols.length); //SSLv2Hello is always enabled when using openssl - Assert.assertTrue("Check SSLv3","SSLv3".equals(enabledProtocols[0]) || "SSLv3".equals(enabledProtocols[1])); - Assert.assertEquals(1, enabledCiphers.length); - Assert.assertEquals("TLS_RSA_EXPORT_WITH_RC4_40_MD5",enabledCiphers[0]); - } else { - Assert.assertEquals(1, enabledProtocols.length); - Assert.assertEquals("SSLv3", enabledProtocols[0]); - Assert.assertEquals(1, enabledCiphers.length); - 
Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5",enabledCiphers[0]); - } + Assert.assertEquals(1, enabledProtocols.length); + Assert.assertEquals("SSLv3", enabledProtocols[0]); + Assert.assertEquals(1, enabledCiphers.length); + Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5",enabledCiphers[0]); } catch (OpenSearchSecurityException e) { System.out.println("EXPECTED "+e.getClass().getSimpleName()+" for "+System.getProperty("java.specification.version")+": "+e.toString()); e.printStackTrace(); @@ -196,7 +166,7 @@ public void testCipherAndProtocols() throws Exception { || e.toString().contains("Unable to configure permitted SSL ciphers") || e.toString().contains("OPENSSL_internal:NO_CIPHER_MATCH") ); - Assert.assertTrue("Check if >= Java 8 and no openssl",allowOpenSSL?true:Constants.JRE_IS_MINIMUM_JAVA8 ); + Assert.assertTrue("Check if >= Java 8 and no openssl", Constants.JRE_IS_MINIMUM_JAVA8 ); } } @@ -206,8 +176,6 @@ public void testHttpsOptionalAuth() throws Exception { final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false) .put(ConfigConstants.SECURITY_SSL_ONLY, true) .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks")).build(); 
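Review bot: The assertion message on the changed line in the `@@ -196` hunk still says "and no openssl" although the condition no longer involves OpenSSL, and `Constants.JRE_IS_MINIMUM_JAVA8` is presumably a constant true on every JDK this project builds with, so the line now checks nothing; either drop it or at least reword it to `Assert.assertTrue("Check if >= Java 8", Constants.JRE_IS_MINIMUM_JAVA8);`. In the same catch block the accepted-message list still contains `e.toString().contains("OPENSSL_internal:NO_CIPHER_MATCH")`, which cannot be produced without the OpenSSL provider; removing that alternative keeps the test from silently accepting an unexpected failure mode. `testCipherAndProtocols` extends beyond these hunks.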
@@ -230,8 +198,6 @@ public void testHttpsAndNodeSSL() throws Exception { final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) .put(ConfigConstants.SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0") .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0") .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks")) @@ -269,8 +235,6 @@ public void testHttpsAndNodeSSLPKCS8Pem() throws Exception { final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) .put(ConfigConstants.SECURITY_SSL_ONLY, true) - .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) - .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem")) //.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit") 
@@ -306,8 +270,6 @@ public void testHttpsAndNodeSSLPKCS1Pem() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-pkcs1.key.pem"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
@@ -339,8 +301,6 @@ public void testHttpsAndNodeSSLPemEnc() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/pem/node-4.crt.pem"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/pem/node-4.key"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit")
@@ -377,8 +337,6 @@ public void testHttpsAndNodeSSLFailedCipher() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
@@ -411,8 +369,6 @@ public void testHttpPlainFail() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true)
 .put("plugins.security.ssl.http.clientauth_mode", "OPTIONAL")
 .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
@@ -436,8 +392,6 @@ public void testHttpsNoEnforce() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true)
 .put("plugins.security.ssl.http.clientauth_mode", "NONE")
 .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
@@ -460,8 +414,6 @@ public void testHttpsEnforceFail() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true)
 .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
 .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
@@ -492,8 +444,6 @@ public void testHttpsV3Fail() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true)
 .put("plugins.security.ssl.http.clientauth_mode", "NONE")
 .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
@@ -516,8 +466,6 @@ public void testNodeClientSSL() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
@@ -588,8 +536,6 @@ public void testCustomPrincipalExtractor() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
@@ -641,8 +587,6 @@ public void testCRLPem() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
 //.put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD, "changeit")
@@ -676,8 +620,6 @@ public void testCRL() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", false)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0").put("plugins.security.ssl.http.enabled", true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
 .put("plugins.security.ssl.http.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put("plugins.security.ssl.http.truststore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
@@ -701,12 +643,10 @@ public void testCRL() throws Exception {
 public void testNodeClientSSLwithJavaTLSv13() throws Exception {
 //Java TLS 1.3 is available since Java 11
- Assume.assumeTrue(!allowOpenSSL && PlatformDependent.javaVersion() >= 11);
+ Assume.assumeTrue(PlatformDependent.javaVersion() >= 11);
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
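Review bot: The simplified assumption `Assume.assumeTrue(PlatformDependent.javaVersion() >= 11);` in testNodeClientSSLwithJavaTLSv13 still depends on `PlatformDependent`, a class from Netty's `io.netty.util.internal` package that carries no compatibility guarantee, while the rest of this series is removing Netty-specific provider plumbing. The JDK's own `Runtime.version().feature() >= 11` expresses the same guard with no internal dependency and lets the test drop that import. If the build already requires JDK 11 or later, the assumption is always satisfied and both the `Assume` line and the `//Java TLS 1.3 is available since Java 11` comment could be removed instead. The method body continues beyond this hunk.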
@@ -749,8 +689,6 @@ public void testTLSv12() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
@@ -777,8 +715,6 @@ public void testHttpsAndNodeSSLKeyPass() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
@@ -819,8 +755,6 @@ public void testHttpsAndNodeSSLKeyStoreExtendedUsageEnabled() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, true)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS, "node-0-client")
@@ -868,8 +802,6 @@ public void testHttpsAndNodeSSLKeyPassFail() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put("plugins.security.ssl.transport.keystore_filepath", FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
@@ -902,8 +834,6 @@ public void testHttpsAndNodeSSLPemExtendedUsageEnabled() throws Exception {
 final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true)
 .put(ConfigConstants.SECURITY_SSL_ONLY, true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED, true)
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-client.pem"))
 .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/extended_key_usage/node-key-client.pem"))
diff --git a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java
index 592433d5e9..859f03a9ae 100644
--- a/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java
+++ b/src/test/java/org/opensearch/security/test/AbstractSecurityUnitTest.java
@@ -272,9 +272,7 @@ protected Settings.Builder minimumSecuritySettingsBuilder(int node, boolean sslO
 final String prefix = getResourceFolder()==null?"":getResourceFolder()+"/";
- Settings.Builder builder = Settings.builder()
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
- .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL);
+ Settings.Builder builder = Settings.builder();
 // If custom transport settings are not defined use defaults
 if (!hasCustomTransportSettings(other)) {
From 5598df563b859a99280ffafcd5586f6d95530abc Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Wed, 23 Nov 2022 13:44:56 -0500
Subject: [PATCH 2/3] Remove additional references to OpenSSL
Signed-off-by: Craig Perkins
---
 .github/workflows/integration-tests.yml | 2 +-
 .../java/org/opensearch/security/httpclient/HttpClientTest.java | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index b609ad7293..2ae4b75968 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -22,7 +22,7 @@ jobs:
 - uses: actions/checkout@v2
- - run: OPENDISTRO_SECURITY_TEST_OPENSSL_OPT=true ./gradlew test
+ - run: ./gradlew test
 - uses: actions/upload-artifact@v3
 if: always()
diff --git a/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java b/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
index 96d41b6735..3970019bca 100644
--- a/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
+++ b/src/test/java/org/opensearch/security/httpclient/HttpClientTest.java
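Review bot: The rewritten declaration `Settings.Builder builder = Settings.builder();` in minimumSecuritySettingsBuilder is no longer a multi-line chain, so it could be declared `final Settings.Builder builder = Settings.builder();` to match the `final String prefix` declaration on the line above; the builder is mutated through `put` calls, not reassigned, unless a reassignment exists later in the method, which is outside this hunk. The method continues beyond the hunk.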
@@ -74,7 +74,6 @@ public void testSslConnection() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks"))
 .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
@@ -107,7 +106,6 @@ public void testSslConnectionPKIAuth() throws Exception {
 final Settings settings = Settings.builder()
 .put("plugins.security.ssl.http.enabled", true)
 .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE")
- .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, false)
 .put(SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS, "node-0")
 .put("plugins.security.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/node-0-keystore.jks"))
 .put("plugins.security.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("auditlog/truststore.jks"))
From b8f2f8c02ccec50f818284b6df2a8f96afeb7565 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Wed, 23 Nov 2022 13:54:01 -0500
Subject: [PATCH 3/3] Remove unused imports
Signed-off-by: Craig Perkins
---
 src/test/java/org/opensearch/security/IntegrationTests.java | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/test/java/org/opensearch/security/IntegrationTests.java b/src/test/java/org/opensearch/security/IntegrationTests.java
index 891da56379..89655e84f7 100644
--- a/src/test/java/org/opensearch/security/IntegrationTests.java
+++ b/src/test/java/org/opensearch/security/IntegrationTests.java
@@ -29,11 +29,9 @@ import java.util.TreeSet;
 import com.fasterxml.jackson.databind.JsonNode;
-import io.netty.handler.ssl.OpenSsl;
 import org.apache.hc.core5.http.HttpStatus;
 import org.apache.hc.core5.http.message.BasicHeader;
 import org.junit.Assert;
-import org.junit.Assume;
 import org.junit.Test;
 import org.opensearch.action.admin.indices.alias.IndicesAliasesRequest;