Acasă Explorează Ajutor
Autentificare
lqb
/
elasticsearch
oglindă de https://gitee.com/mirrors/elasticsearch.git
1
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Răsfoiți Sursa

Add ChaCha20 TLS ciphers on Java 12+ (#42155)

Java 12 added support for the ChaCha20 TLS ciphers, so this change
conditionally adds these ciphers to the default ciphers if the JVM is
Java 12 or later.
Jay Modi 6 ani în urmă
părinte
7e0ffaebaf
comite
673db8581c
4 a modificat fișierele cu 72 adăugiri și 5 ștergeri
Vizualizare divizată Arată Statisticile Diff
  1. 20 4
      libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfigurationLoader.java
  2. 17 0
      libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/SslConfigurationLoaderTests.java
  3. 19 1
      x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
  4. 16 0
      x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/XPackSettingsTests.java

+ 20 - 4
libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfigurationLoader.java
Vizualizați fișierul 

@@ -19,6 +19,8 @@
 
 
 package org.elasticsearch.common.ssl;
 
 
+import org.elasticsearch.bootstrap.JavaVersion;
 
+
 
 import javax.net.ssl.KeyManagerFactory;
 
 import javax.net.ssl.TrustManagerFactory;
 
 import java.nio.file.Path;
 
@@ -66,10 +68,7 @@ public abstract class SslConfigurationLoader {
 
 
     static final List<String> DEFAULT_PROTOCOLS = List.of("TLSv1.3", "TLSv1.2", "TLSv1.1");
 
 
-    /**
 
-     * This list has been created with ordering
 
-     */
 
-    static final List<String> DEFAULT_CIPHERS = List.of(
 
+    private static final List<String> JDK11_CIPHERS = List.of(
 
         "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", // TLSv1.3 cipher has PFS, AEAD, hardware support
 
         "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
 
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
 
@@ -80,6 +79,23 @@ public abstract class SslConfigurationLoader {
 
         "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", // AEAD, hardware support
 
         "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", // hardware support
 
         "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"); // hardware support
 
+
 
+    private static final List<String> JDK12_CIPHERS = List.of(
 
+        "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", // TLSv1.3 cipher has PFS, AEAD, hardware support
 
+        "TLS_CHACHA20_POLY1305_SHA256", // TLSv1.3 cipher has PFS, AEAD
 
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
 
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
 
+        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", // PFS, AEAD
 
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support
 
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support
 
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", // PFS, hardware support
 
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // PFS, hardware support
 
+        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", // AEAD, hardware support
 
+        "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", // hardware support
 
+        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"); // hardware support
 
+
 
+    static final List<String> DEFAULT_CIPHERS =
 
+        JavaVersion.current().compareTo(JavaVersion.parse("12")) > -1 ? JDK12_CIPHERS : JDK11_CIPHERS;
 
     private static final char[] EMPTY_PASSWORD = new char[0];
 
 
     private final String settingPrefix;

+ 17 - 0
libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/SslConfigurationLoaderTests.java
Vizualizați fișierul 

@@ -19,6 +19,7 @@
 
 
 package org.elasticsearch.common.ssl;
 
 
+import org.elasticsearch.bootstrap.JavaVersion;
 
 import org.elasticsearch.common.settings.MockSecureSettings;
 
 import org.elasticsearch.common.settings.SecureString;
 
 import org.elasticsearch.common.settings.Settings;
 
@@ -33,8 +34,10 @@ import java.util.Locale;
 
 
 import static org.hamcrest.Matchers.containsInAnyOrder;
 
 import static org.hamcrest.Matchers.equalTo;
 
+import static org.hamcrest.Matchers.hasItem;
 
 import static org.hamcrest.Matchers.instanceOf;
 
 import static org.hamcrest.Matchers.is;
 
+import static org.hamcrest.Matchers.not;
 
 import static org.hamcrest.Matchers.notNullValue;
 
 
 public class SslConfigurationLoaderTests extends ESTestCase {
 
@@ -217,4 +220,18 @@ public class SslConfigurationLoaderTests extends ESTestCase {
 
         assertThat(keyConfig.getDependentFiles(), containsInAnyOrder(getDataPath("/certs/cert-all/certs.jks")));
 
         assertThat(keyConfig.createKeyManager(), notNullValue());
 
     }
 
+
 
+    public void testChaCha20InCiphersOnJdk12Plus() {
 
+        assumeTrue("Test is only valid on JDK 12+ JVM", JavaVersion.current().compareTo(JavaVersion.parse("12")) > -1);
 
+        assertThat(SslConfigurationLoader.DEFAULT_CIPHERS, hasItem("TLS_CHACHA20_POLY1305_SHA256"));
 
+        assertThat(SslConfigurationLoader.DEFAULT_CIPHERS, hasItem("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"));
 
+        assertThat(SslConfigurationLoader.DEFAULT_CIPHERS, hasItem("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
 
+    }
 
+
 
+    public void testChaCha20NotInCiphersOnPreJdk12() {
 
+        assumeTrue("Test is only valid on pre JDK 12 JVM", JavaVersion.current().compareTo(JavaVersion.parse("12")) < 0);
 
+        assertThat(SslConfigurationLoader.DEFAULT_CIPHERS, not(hasItem("TLS_CHACHA20_POLY1305_SHA256")));
 
+        assertThat(SslConfigurationLoader.DEFAULT_CIPHERS, not(hasItem("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256")));
 
+        assertThat(SslConfigurationLoader.DEFAULT_CIPHERS, not(hasItem("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256")));
 
+    }
 
 }

+ 19 - 1
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
Vizualizați fișierul 

@@ -6,6 +6,7 @@
 
 
 package org.elasticsearch.xpack.core;
 
 
+import org.elasticsearch.bootstrap.JavaVersion;
 
 import org.elasticsearch.common.settings.Setting;
 
 import org.elasticsearch.common.settings.Setting.Property;
 
 import org.elasticsearch.xpack.core.security.SecurityField;
 
@@ -117,7 +118,7 @@ public class XPackSettings {
 
      * SSL settings. These are the settings that are specifically registered for SSL. Many are private as we do not explicitly use them
 
      * but instead parse based on a prefix (eg *.ssl.*)
 
      */
 
-    public static final List<String> DEFAULT_CIPHERS = List.of(
 
+    private static final List<String> JDK11_CIPHERS = List.of(
 
         "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", // TLSv1.3 cipher has PFS, AEAD, hardware support
 
         "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
 
         "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
 
@@ -129,6 +130,23 @@ public class XPackSettings {
 
         "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", // hardware support
 
         "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"); // hardware support
 
 
+    private static final List<String> JDK12_CIPHERS = List.of(
 
+        "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", // TLSv1.3 cipher has PFS, AEAD, hardware support
 
+        "TLS_CHACHA20_POLY1305_SHA256", // TLSv1.3 cipher has PFS, AEAD
 
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
 
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
 
+        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", // PFS, AEAD
 
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support
 
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support
 
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", // PFS, hardware support
 
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // PFS, hardware support
 
+        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", // AEAD, hardware support
 
+        "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", // hardware support
 
+        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"); // hardware support
 
+
 
+    public static final List<String> DEFAULT_CIPHERS =
 
+        JavaVersion.current().compareTo(JavaVersion.parse("12")) > -1 ? JDK12_CIPHERS : JDK11_CIPHERS;
 
+
 
     /*
 
      * Do not allow insecure hashing algorithms to be used for password hashing
 
      */

+ 16 - 0
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/XPackSettingsTests.java
Vizualizați fișierul 

@@ -5,6 +5,7 @@
 
  */
 
 package org.elasticsearch.xpack.core;
 
 
+import org.elasticsearch.bootstrap.JavaVersion;
 
 import org.elasticsearch.common.settings.Settings;
 
 import org.elasticsearch.test.ESTestCase;
 
 import javax.crypto.SecretKeyFactory;
 
@@ -14,6 +15,7 @@ import java.security.NoSuchAlgorithmException;
 
 import static org.hamcrest.Matchers.contains;
 
 import static org.hamcrest.Matchers.containsString;
 
 import static org.hamcrest.Matchers.hasItem;
 
+import static org.hamcrest.Matchers.not;
 
 
 public class XPackSettingsTests extends ESTestCase {
 
 
@@ -22,6 +24,20 @@ public class XPackSettingsTests extends ESTestCase {
 
         assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_RSA_WITH_AES_256_CBC_SHA"));
 
     }
 
 
+    public void testChaCha20InCiphersOnJdk12Plus() {
 
+        assumeTrue("Test is only valid on JDK 12+ JVM", JavaVersion.current().compareTo(JavaVersion.parse("12")) > -1);
 
+        assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_CHACHA20_POLY1305_SHA256"));
 
+        assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"));
 
+        assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));
 
+    }
 
+
 
+    public void testChaCha20NotInCiphersOnPreJdk12() {
 
+        assumeTrue("Test is only valid on pre JDK 12 JVM", JavaVersion.current().compareTo(JavaVersion.parse("12")) < 0);
 
+        assertThat(XPackSettings.DEFAULT_CIPHERS, not(hasItem("TLS_CHACHA20_POLY1305_SHA256")));
 
+        assertThat(XPackSettings.DEFAULT_CIPHERS, not(hasItem("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256")));
 
+        assertThat(XPackSettings.DEFAULT_CIPHERS, not(hasItem("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256")));
 
+    }
 
+
 
     public void testPasswordHashingAlgorithmSettingValidation() {
 
         final boolean isPBKDF2Available = isSecretkeyFactoryAlgoAvailable("PBKDF2WithHMACSHA512");
 
         final String pbkdf2Algo = randomFrom("PBKDF2_10000", "PBKDF2");