OpenSearch/plugin/NOTICE.txt

207 lines
11 KiB
Plaintext
Raw Normal View History

security: ssl by default on the transport layer This commit adds the necessary changes to make SSL work on the transport layer by default. A large portion of the SSL configuration/settings was re-worked with this change. Some notable highlights include support for PEM cert/keys, reloadable SSL configuration, separate HTTP ssl configuration, and separate LDAP configuration. The following is a list of specific items addressed: * `SSLSettings` renamed to `SSLConfiguration` * `KeyConfig` and `TrustConfig` abstractions created. These hide the details of how `KeyManager[]` and `TrustManager[]` are loaded. These are also responsible for settings validation (ie keystore password is not null) * Configuration fallback is changed. Previously any setting would fallback to the "global" value (`xpack.security.ssl.*`). Now a keystore path, key path, ca paths, or truststore path must be specified otherwise the configuration for that key/trust will fallback to the global configuration. In other words if you want to change part of a keystore or truststore in a profile you need to supply all the information. This could be considered breaking if a user relied on the old fallback * JDK trusted certificates (`cacerts`) are trusted by default (breaking change). This can be disabled via a setting. * We now monitor the SSL files for changes and enable dynamic reloading of the configuration. This will make it easier for users when they are getting set up with certificates so they do not need to restart every time. This can be disabled via a setting * LDAP realms can now have their own SSL configurations * HTTP can now have its own SSL configuration * SSL is enabled by default on the transport layer only. Hostname verification is enabled as well. On startup if no global SSL settings are present and SSL is configured to be used, we auto generate one based on the default CA that is shipped. This process includes a best effort attempt to generate the subject alternative names. * `xpack.security.ssl.hostname_verification` is deprecated in favor of `xpack.security.ssl.hostname_verification.enabled` * added Bouncy Castle info to NOTICE * consolidated NOTICE and LICENSE files Closes elastic/elasticsearch#14 Closes elastic/elasticsearch#34 Closes elastic/elasticsearch#1483 Closes elastic/elasticsearch#1933 Addresses security portion of elastic/elasticsearch#673 Original commit: elastic/x-pack-elasticsearch@7c359db90bbea93110f3824ede82c09eafcd2f79
2016-04-12 09:19:07 -04:00
Elasticsearch X-Pack
Copyright 2009-2016 Elasticsearch
---
This product includes software developed by The Apache Software
Foundation (http://www.apache.org/).
---
This product contains software developed by Anders Moeller. The
following is the copyright and notice text for this software:
Copyright (c) 2001-2011 Anders Moeller
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
---
This product contains software developed by UNBOUNDID CORP
(https://www.unboundid.com/). The following is the copyright and notice
text for this software:
UnboundID LDAP SDK Free Use License
THIS IS AN AGREEMENT BETWEEN YOU ("YOU") AND UNBOUNDID CORP. ("UNBOUNDID")
REGARDING YOUR USE OF UNBOUNDID LDAP SDK FOR JAVA AND ANY ASSOCIATED
DOCUMENTATION, OBJECT CODE, COMPILED LIBRARIES, SOURCE CODE AND SOURCE FILES OR
OTHER MATERIALS MADE AVAILABLE BY UNBOUNDID (COLLECTIVELY REFERRED TO IN THIS
AGREEMENT AS THE ("SDK").
BY INSTALLING, ACCESSING OR OTHERWISE USING THE SDK, YOU ACCEPT THE TERMS OF
THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, DO NOT
INSTALL, ACCESS OR USE THE SDK.
USE OF THE SDK. Subject to your compliance with this Agreement, UnboundID
grants to You a non-exclusive, royalty-free license, under UnboundID's
intellectual property rights in the SDK, to use, reproduce, modify and
distribute this release of the SDK; provided that no license is granted herein
under any patents that may be infringed by your modifications, derivative works
or by other works in which the SDK may be incorporated (collectively, your
"Applications"). You may reproduce and redistribute the SDK with your
Applications provided that you (i) include this license file and an
unmodified copy of the unboundid-ldapsdk-se.jar file; and (ii) such
redistribution is subject to a license whose terms do not conflict with or
contradict the terms of this Agreement. You may also reproduce and redistribute
the SDK without your Applications provided that you redistribute the SDK
complete and unmodified (i.e., with all "read me" files, copyright notices, and
other legal notices and terms that UnboundID has included in the SDK).
SCOPE OF LICENSES. This Agreement does not grant You the right to use any
UnboundID intellectual property which is not included as part of the SDK. The
SDK is licensed, not sold. This Agreement only gives You some rights to use
the SDK. UnboundID reserves all other rights. Unless applicable law gives You
more rights despite this limitation, You may use the SDK only as expressly
permitted in this Agreement.
SUPPORT. UnboundID is not obligated to provide any technical or other support
("Support Services") for the SDK to You under this Agreement. However, if
UnboundID chooses to provide any Support Services to You, Your use of such
Support Services will be governed by then-current UnboundID support policies.
TERMINATION. UnboundID reserves the right to discontinue offering the SDK and
to modify the SDK at any time in its sole discretion. Notwithstanding anything
contained in this Agreement to the contrary, UnboundID may also, in its sole
discretion, terminate or suspend access to the SDK to You or any end user at
any time. In addition, if you fail to comply with the terms of this Agreement,
then any rights granted herein will be automatically terminated if such failure
is not corrected within 30 days of the initial notification of such failure.
You acknowledge that termination and/or monetary damages may not be a
sufficient remedy if You breach this Agreement and that UnboundID will be
entitled, without waiving any other rights or remedies, to injunctive or
equitable relief as may be deemed proper by a court of competent jurisdiction
in the event of a breach. UnboundID may also terminate this Agreement if the
SDK becomes, or in UnboundID?s reasonable opinion is likely to become, the
subject of a claim of intellectual property infringement or trade secret
misappropriation. All rights and licenses granted herein will simultaneously
and automatically terminate upon termination of this Agreement for any reason.
DISCLAIMER OF WARRANTY. THE SDK IS PROVIDED "AS IS" AND UNBOUNDID DOES NOT
WARRANT THAT THE SDK WILL BE ERROR-FREE, VIRUS-FREE, WILL PERFORM IN AN
UNINTERRUPTED, SECURE OR TIMELY MANNER, OR WILL INTEROPERATE WITH OTHER
HARDWARE, SOFTWARE, SYSTEMS OR DATA. TO THE MAXIMUM EXTENT ALLOWED BY LAW, ALL
CONDITIONS, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY
OR OTHERWISE INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE (EVEN IF UNBOUNDID HAD BEEN
INFORMED OF SUCH PURPOSE), OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS ARE HEREBY
DISCLAIMED.
LIMITATION OF LIABILITY. IN NO EVENT WILL UNBOUNDID OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROFITS,
REVENUE, DATA OR DATA USE, BUSINESS INTERRUPTION, COST OF COVER, DIRECT,
INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND)
ARISING OUT OF THE USE OF OR INABILITY TO USE THE SDK OR IN ANY WAY RELATED TO
THIS AGREEMENT, EVEN IF UNBOUNDID HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
ADDITIONAL RIGHTS. Certain states do not allow the exclusion of implied
warranties or limitation of liability for certain kinds of damages, so the
exclusion of limited warranties and limitation of liability set forth above may
not apply to You.
EXPORT RESTRICTIONS. The SDK is subject to United States export control laws.
You acknowledge and agree that You are responsible for compliance with all
domestic and international export laws and regulations that apply to the SDK.
MISCELLANEOUS. This Agreement constitutes the entire agreement with respect to
the SDK. If any provision of this Agreement shall be held to be invalid,
illegal or unenforceable, the validity, legality and enforceability of the
remaining provisions shall in no way be affected or impaired thereby. This
Agreement and performance hereunder shall be governed by and construed in
accordance with the laws of the State of Texas without regard to its conflict
of laws rules. Any disputes related to this Agreement shall be exclusively
security: ssl by default on the transport layer This commit adds the necessary changes to make SSL work on the transport layer by default. A large portion of the SSL configuration/settings was re-worked with this change. Some notable highlights include support for PEM cert/keys, reloadable SSL configuration, separate HTTP ssl configuration, and separate LDAP configuration. The following is a list of specific items addressed: * `SSLSettings` renamed to `SSLConfiguration` * `KeyConfig` and `TrustConfig` abstractions created. These hide the details of how `KeyManager[]` and `TrustManager[]` are loaded. These are also responsible for settings validation (ie keystore password is not null) * Configuration fallback is changed. Previously any setting would fallback to the "global" value (`xpack.security.ssl.*`). Now a keystore path, key path, ca paths, or truststore path must be specified otherwise the configuration for that key/trust will fallback to the global configuration. In other words if you want to change part of a keystore or truststore in a profile you need to supply all the information. This could be considered breaking if a user relied on the old fallback * JDK trusted certificates (`cacerts`) are trusted by default (breaking change). This can be disabled via a setting. * We now monitor the SSL files for changes and enable dynamic reloading of the configuration. This will make it easier for users when they are getting set up with certificates so they do not need to restart every time. This can be disabled via a setting * LDAP realms can now have their own SSL configurations * HTTP can now have its own SSL configuration * SSL is enabled by default on the transport layer only. Hostname verification is enabled as well. On startup if no global SSL settings are present and SSL is configured to be used, we auto generate one based on the default CA that is shipped. This process includes a best effort attempt to generate the subject alternative names. * `xpack.security.ssl.hostname_verification` is deprecated in favor of `xpack.security.ssl.hostname_verification.enabled` * added Bouncy Castle info to NOTICE * consolidated NOTICE and LICENSE files Closes elastic/elasticsearch#14 Closes elastic/elasticsearch#34 Closes elastic/elasticsearch#1483 Closes elastic/elasticsearch#1933 Addresses security portion of elastic/elasticsearch#673 Original commit: elastic/x-pack-elasticsearch@7c359db90bbea93110f3824ede82c09eafcd2f79
2016-04-12 09:19:07 -04:00
litigated in the state or federal courts located in Travis County, Texas.
---
This product contains software distributed under
Common Development and Distribution License 1.0 (CDDL)
JavaMail API 1.5.3
https://java.net/projects/javamail/pages/Home
https://java.net/projects/javamail/pages/License
JavaBeans Activation Framework 1.1.1
http://www.oracle.com/technetwork/articles/java/index-135046.html
---
This product contains software developed by Mike Samuel. The
following is the copyright and notice text for this software:
Copyright (c) 2011, Mike Samuel
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
Neither the name of the OWASP nor the names of its contributors may
be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
---
This product contains software developed by The Legion of the Bouncy Castle.
The following is the copyright and notice text for this software:
Copyright (c) 2000 - 2015 The Legion of the Bouncy Castle Inc.
(http://www.bouncycastle.org)
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.