diff --git a/plugin-descriptor.properties b/plugin-descriptor.properties
index 754d261..87d6991 100644
--- a/plugin-descriptor.properties
+++ b/plugin-descriptor.properties
@@ -3,7 +3,7 @@
description=Provides SSL for Elasticsearch 6
#
# 'version': plugin's version
-version=0.7.0.1
+version=0.8.0.0
#
# 'name': the plugin name
name=opendistro_security-ssl
@@ -22,4 +22,4 @@ java.version=1.8
# elasticsearch release. This version is checked when the plugin
# is loaded so Elasticsearch will refuse to start in the presence of
# plugins with the incorrect elasticsearch.version.
-elasticsearch.version=6.5.4
+elasticsearch.version=6.6.2
diff --git a/pom.xml b/pom.xml
index cd05d33..22e5460 100644
--- a/pom.xml
+++ b/pom.xml
@@ -35,11 +35,11 @@
com.amazon.opendistroforelasticsearch
opendistro_security_parent
- 0.7.0.1
+ 0.8.0.0
opendistro_security_ssl
- 0.7.0.1
+ 0.8.0.0
jar
Open Distro Security SSL
@@ -56,10 +56,10 @@
- 6.5.4
+ 6.6.2
- 2.0.15.Final
+ 2.0.20.Final
2.11.1
@@ -67,7 +67,7 @@
https://github.com/opendistro-for-elasticsearch/security-ssl
scm:git:git@github.com:opendistro-for-elasticsearch/security-ssl.git
scm:git:git@github.com:opendistro-for-elasticsearch/security-ssl.git
- v0.7.0.1
+ v0.8.0.0
@@ -172,7 +172,7 @@
com.floragunn
search-guard-static-tcnative-beta
- 1.1.0j-${netty-native.version}-non-fedora-linux-x86_64
+ 1.1.1a-${netty-native.version}-non-fedora-linux-x86_64
provided
@@ -183,7 +183,7 @@
com.floragunn
search-guard-static-tcnative-beta
- 1.1.0j-${netty-native.version}-fedora-linux-x86_64
+ 1.1.1a-${netty-native.version}-fedora-linux-x86_64
provided
diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLPlugin.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLPlugin.java
index d33026d..8c87641 100644
--- a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLPlugin.java
+++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLPlugin.java
@@ -50,6 +50,7 @@
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.SpecialPermission;
+import org.elasticsearch.Version;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.node.DiscoveryNodes;
@@ -255,14 +256,13 @@ public List getTransportInterceptors(NamedWriteableRegistr
@Override
- public Map> getTransports(Settings settings, ThreadPool threadPool, BigArrays bigArrays,
- PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService,
- NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) {
-
+ public Map> getTransports(Settings settings, ThreadPool threadPool, PageCacheRecycler pageCacheRecycler,
+ CircuitBreakerService circuitBreakerService, NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) {
Map> transports = new HashMap>();
if (transportSSLEnabled) {
transports.put("com.amazon.opendistroforelasticsearch.security.ssl.http.netty.OpenDistroSecuritySSLNettyTransport",
- () -> new OpenDistroSecuritySSLNettyTransport(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService, odsks, NOOP_SSL_EXCEPTION_HANDLER));
+ () -> new OpenDistroSecuritySSLNettyTransport(settings, Version.CURRENT, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService, odsks, NOOP_SSL_EXCEPTION_HANDLER));
+
}
return transports;
diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/http/netty/OpenDistroSecuritySSLNettyHttpServerTransport.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/http/netty/OpenDistroSecuritySSLNettyHttpServerTransport.java
index d885f58..fc78d68 100644
--- a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/http/netty/OpenDistroSecuritySSLNettyHttpServerTransport.java
+++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/http/netty/OpenDistroSecuritySSLNettyHttpServerTransport.java
@@ -40,6 +40,8 @@
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays;
@@ -53,6 +55,7 @@
public class OpenDistroSecuritySSLNettyHttpServerTransport extends Netty4HttpServerTransport {
+ private static final Logger logger = LogManager.getLogger(OpenDistroSecuritySSLNettyHttpServerTransport.class);
private final OpenDistroSecurityKeyStore sgks;
private final ThreadContext threadContext;
private final SslExceptionHandler errorHandler;
diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/rest/OpenDistroSecuritySSLInfoAction.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/rest/OpenDistroSecuritySSLInfoAction.java
index 87796e0..d513f71 100644
--- a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/rest/OpenDistroSecuritySSLInfoAction.java
+++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/rest/OpenDistroSecuritySSLInfoAction.java
@@ -59,6 +59,7 @@ public class OpenDistroSecuritySSLInfoAction extends BaseRestHandler {
private final OpenDistroSecurityKeyStore sgks;
final PrincipalExtractor principalExtractor;
private final Path configPath;
+ private final Settings settings;
public OpenDistroSecuritySSLInfoAction(final Settings settings, final Path configPath, final RestController controller,
final OpenDistroSecurityKeyStore sgks, final PrincipalExtractor principalExtractor) {
@@ -66,6 +67,7 @@ public OpenDistroSecuritySSLInfoAction(final Settings settings, final Path confi
this.sgks = sgks;
this.principalExtractor = principalExtractor;
this.configPath = configPath;
+ this.settings = settings;
controller.registerHandler(GET, "/_opendistro/_security/sslinfo", this);
}
diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/OpenDistroSecuritySSLNettyTransport.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/OpenDistroSecuritySSLNettyTransport.java
index 370d5d7..6431ebd 100644
--- a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/OpenDistroSecuritySSLNettyTransport.java
+++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/OpenDistroSecuritySSLNettyTransport.java
@@ -30,15 +30,6 @@
package com.amazon.opendistroforelasticsearch.security.ssl.transport;
-import io.netty.channel.Channel;
-import io.netty.channel.ChannelHandler;
-import io.netty.channel.ChannelHandlerContext;
-import io.netty.channel.ChannelOutboundHandlerAdapter;
-import io.netty.channel.ChannelPromise;
-import io.netty.handler.codec.DecoderException;
-import io.netty.handler.ssl.NotSslRecordException;
-import io.netty.handler.ssl.SslHandler;
-
import java.net.InetSocketAddress;
import java.net.SocketAddress;
@@ -49,11 +40,13 @@
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ExceptionsHelper;
+import org.elasticsearch.Version;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
+import org.elasticsearch.common.network.CloseableChannel;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.util.BigArrays;
+import org.elasticsearch.common.util.PageCacheRecycler;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TcpChannel;
@@ -63,21 +56,31 @@
import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler;
import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConfigConstants;
+import io.netty.channel.Channel;
+import io.netty.channel.ChannelHandler;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.channel.ChannelOutboundHandlerAdapter;
+import io.netty.channel.ChannelPromise;
+import io.netty.handler.codec.DecoderException;
+import io.netty.handler.ssl.NotSslRecordException;
+import io.netty.handler.ssl.SslHandler;
+
public class OpenDistroSecuritySSLNettyTransport extends Netty4Transport {
+ private static final Logger logger = LogManager.getLogger(OpenDistroSecuritySSLNettyTransport.class);
private final OpenDistroSecurityKeyStore sgks;
private final SslExceptionHandler errorHandler;
- public OpenDistroSecuritySSLNettyTransport(final Settings settings, final ThreadPool threadPool, final NetworkService networkService,
- final BigArrays bigArrays, final NamedWriteableRegistry namedWriteableRegistry,
- final CircuitBreakerService circuitBreakerService, final OpenDistroSecurityKeyStore sgks, final SslExceptionHandler errorHandler) {
- super(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService);
+ public OpenDistroSecuritySSLNettyTransport(final Settings settings, final Version version, final ThreadPool threadPool, final NetworkService networkService,
+ final PageCacheRecycler pageCacheRecycler, final NamedWriteableRegistry namedWriteableRegistry,
+ final CircuitBreakerService circuitBreakerService, final OpenDistroSecurityKeyStore sgks, final SslExceptionHandler errorHandler) {
+ super(settings, version, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService);
this.sgks = sgks;
this.errorHandler = errorHandler;
}
@Override
- protected void onException(TcpChannel channel, Exception e) {
+ public void onException(TcpChannel channel, Exception e) {
if (lifecycle.started()) {
@@ -92,15 +95,15 @@ protected void onException(TcpChannel channel, Exception e) {
if(cause instanceof NotSslRecordException) {
logger.warn("Someone ({}) speaks transport plaintext instead of ssl, will close the channel", channel.getLocalAddress());
- TcpChannel.closeChannel(channel, false);
+ CloseableChannel.closeChannel(channel, false);
return;
} else if (cause instanceof SSLException) {
logger.error("SSL Problem "+cause.getMessage(),cause);
- TcpChannel.closeChannel(channel, false);
+ CloseableChannel.closeChannel(channel, false);
return;
} else if (cause instanceof SSLHandshakeException) {
logger.error("Problem during handshake "+cause.getMessage());
- TcpChannel.closeChannel(channel, false);
+ CloseableChannel.closeChannel(channel, false);
return;
}
}
diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/OpenDistroSecuritySSLRequestHandler.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/OpenDistroSecuritySSLRequestHandler.java
index 330f806..a82f40d 100644
--- a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/OpenDistroSecuritySSLRequestHandler.java
+++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/transport/OpenDistroSecuritySSLRequestHandler.java
@@ -30,9 +30,6 @@
package com.amazon.opendistroforelasticsearch.security.ssl.transport;
-import io.netty.channel.Channel;
-import io.netty.handler.ssl.SslHandler;
-
import java.lang.reflect.Method;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
@@ -53,12 +50,14 @@
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
-import org.elasticsearch.transport.netty4.NettyTcpChannel;
+import org.elasticsearch.transport.netty4.Netty4TcpChannel;
import com.amazon.opendistroforelasticsearch.security.ssl.SslExceptionHandler;
import com.amazon.opendistroforelasticsearch.security.ssl.util.ExceptionUtils;
import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLRequestHelper;
+import io.netty.handler.ssl.SslHandler;
+
public class OpenDistroSecuritySSLRequestHandler
implements TransportRequestHandler {
@@ -120,15 +119,15 @@ public final void messageReceived(T request, TransportChannel channel, Task task
try {
- NettyTcpChannel nettyChannel = null;
+ Netty4TcpChannel nettyChannel = null;
if (innerChannel instanceof TaskTransportChannel) {
final TransportChannel inner = ((TaskTransportChannel) innerChannel).getChannel();
- nettyChannel = (NettyTcpChannel) ((TcpTransportChannel) inner).getChannel();
+ nettyChannel = (Netty4TcpChannel) ((TcpTransportChannel) inner).getChannel();
} else
if (innerChannel instanceof TcpTransportChannel) {
final TcpChannel inner = ((TcpTransportChannel) innerChannel).getChannel();
- nettyChannel = (NettyTcpChannel) inner;
+ nettyChannel = (Netty4TcpChannel) inner;
} else {
throw new Exception("Invalid channel of type "+innerChannel.getClass()+ " ("+innerChannel.getChannelType()+")");
}
diff --git a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/util/SSLConfigConstants.java b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/util/SSLConfigConstants.java
index 9886c97..0dc37dd 100644
--- a/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/util/SSLConfigConstants.java
+++ b/src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/util/SSLConfigConstants.java
@@ -186,7 +186,8 @@ public static final String[] getSecureSSLProtocols(Settings settings, boolean ht
"TLS_AES_256_GCM_SHA384",
//TLS 1.3 OpenSSL
- "TLS_CHACHA20_POLY1305_SHA256",
+ "TLS_AES_128_CCM_8_SHA256",
+ "TLS_AES_128_CCM_SHA256",
//IBM
"SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenSSLTest.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenSSLTest.java
index 0a36489..32bf2a2 100644
--- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenSSLTest.java
+++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenSSLTest.java
@@ -30,12 +30,18 @@
package com.amazon.opendistroforelasticsearch.security.ssl;
-import io.netty.handler.ssl.OpenSsl;
-
import java.util.HashSet;
+import java.util.Random;
import java.util.Set;
+import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
+import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
+import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.unit.TimeValue;
+import org.elasticsearch.node.Node;
+import org.elasticsearch.node.PluginAwareNode;
+import org.elasticsearch.transport.Netty4Plugin;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
@@ -43,6 +49,8 @@
import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConfigConstants;
+import io.netty.handler.ssl.OpenSsl;
+
public class OpenSSLTest extends SSLTest {
@Before
@@ -177,4 +185,42 @@ public void testHttpsAndNodeSSLPemEnc() throws Exception {
Assume.assumeTrue(OpenSsl.isAvailable());
super.testHttpsAndNodeSSLPemEnc();
}
+
+ @Test
+ public void testNodeClientSSLwithOpenSslTLSv13() throws Exception {
+
+ Assume.assumeTrue(OpenSsl.isAvailable() && OpenSsl.version() > 0x10101009L);
+
+ final Settings settings = Settings.builder().put("opendistro_security.ssl.transport.enabled", true)
+ .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+ .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL)
+ .put(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS, "node-0")
+ .put("opendistro_security.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
+ .put("opendistro_security.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
+ .put("opendistro_security.ssl.transport.enforce_hostname_verification", false)
+ .put("opendistro_security.ssl.transport.resolve_hostname", false)
+ .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, "TLSv1.3")
+ .putList(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, "TLS_CHACHA20_POLY1305_SHA256")
+ .build();
+
+ startES(settings);
+
+ final Settings tcSettings = Settings.builder().put("cluster.name", clustername).put("path.home", ".")
+ .put("node.name", "client_node_" + new Random().nextInt())
+ .put(settings)// -----
+ .build();
+
+ try (Node node = new PluginAwareNode(tcSettings, Netty4Plugin.class, OpenDistroSecuritySSLPlugin.class).start()) {
+ ClusterHealthResponse res = node.client().admin().cluster().health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5))).actionGet();
+ Assert.assertFalse(res.isTimedOut());
+ Assert.assertEquals(4, res.getNumberOfNodes());
+ Assert.assertEquals(4, node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet().getNodes().size());
+ }
+
+ Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_size_in_bytes\" : 0"));
+ Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_count\" : 0"));
+ Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_size_in_bytes\" : 0"));
+ Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_count\" : 0"));
+ }
+
}
diff --git a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/SSLTest.java b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/SSLTest.java
index e91a79a..70611cc 100644
--- a/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/SSLTest.java
+++ b/src/test/java/com/amazon/opendistroforelasticsearch/security/ssl/SSLTest.java
@@ -371,12 +371,8 @@ public void testHttpsAndNodeSSLFailedCipher() throws Exception {
Assert.fail();
} catch (Exception e1) {
Throwable e = ExceptionUtils.getRootCause(e1);
- if(allowOpenSSL) {
- Assert.assertTrue(e.toString(), e.toString().contains("no cipher match"));
- } else {
- Assert.assertTrue(e.toString(), e.toString().contains("no valid cipher"));
- }
- }
+ Assert.assertTrue(e.toString(), e.toString().contains("no valid cipher"));
+ }
}
@Test