Disable TLS by default (elastic/x-pack-elasticsearch#2481)

This commit adds back the ability to disable TLS on the transport layer and also disables TLS by
default to restore the 5.x behavior. The auto generation of key/cert and bundled CA certificate
have also been removed.

Relates elastic/x-pack-elasticsearch#2463

Original commit: elastic/x-pack-elasticsearch@abc66ec67d

plugin/src/main/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.java

@@ -8,6 +8,7 @@ package org.elasticsearch.xpack.security;
 import org.elasticsearch.bootstrap.BootstrapCheck;
 import org.elasticsearch.bootstrap.BootstrapContext;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.xpack.XPackSettings;
 import org.elasticsearch.xpack.security.authc.RealmSettings;
 import org.elasticsearch.xpack.security.authc.pki.PkiRealm;
 import org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4Transport;
@@ -46,16 +47,18 @@ class PkiRealmBootstrapCheck implements BootstrapCheck {
             }
 
             // Default Transport
+            final boolean transportSSLEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
             final Settings transportSSLSettings = settings.getByPrefix(setting("transport.ssl."));
             final boolean clientAuthEnabled = sslService.isSSLClientAuthEnabled(transportSSLSettings);
-            if (clientAuthEnabled) {
+            if (transportSSLEnabled && clientAuthEnabled) {
                 return BootstrapCheckResult.success();
             }
 
             // Transport Profiles
             Map<String, Settings> groupedSettings = settings.getGroups("transport.profiles.");
             for (Map.Entry<String, Settings> entry : groupedSettings.entrySet()) {
-                if (sslService.isSSLClientAuthEnabled(SecurityNetty4Transport.profileSslSettings(entry.getValue()), transportSSLSettings)) {
+                if (transportSSLEnabled && sslService.isSSLClientAuthEnabled(
+                        SecurityNetty4Transport.profileSslSettings(entry.getValue()), transportSSLSettings)) {
                     return BootstrapCheckResult.success();
                 }
             }

plugin/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -165,7 +165,6 @@ import org.elasticsearch.xpack.security.transport.filter.IPFilter;
 import org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4HttpServerTransport;
 import org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4Transport;
 import org.elasticsearch.xpack.security.user.AnonymousUser;
-import org.elasticsearch.xpack.ssl.SSLBootstrapCheck;
 import org.elasticsearch.xpack.ssl.SSLConfigurationSettings;
 import org.elasticsearch.xpack.ssl.SSLService;
 import org.elasticsearch.xpack.ssl.TLSLicenseBootstrapCheck;
@@ -246,7 +245,6 @@ public class Security implements ActionPlugin, IngestPlugin, NetworkPlugin, Clus
             // fetched
             final List<BootstrapCheck> checks = new ArrayList<>();
             checks.addAll(Arrays.asList(
-                    new SSLBootstrapCheck(sslService, env),
                     new TokenSSLBootstrapCheck(),
                     new PkiRealmBootstrapCheck(sslService),
                     new TLSLicenseBootstrapCheck()));

plugin/src/main/java/org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.java

@@ -171,10 +171,12 @@ public class SecurityServerTransportInterceptor extends AbstractComponent implem
         Map<String, ServerTransportFilter> profileFilters = new HashMap<>(profileSettingsMap.size() + 1);
 
         final Settings transportSSLSettings = settings.getByPrefix(setting("transport.ssl."));
+        final boolean transportSSLEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
         for (Map.Entry<String, Settings> entry : profileSettingsMap.entrySet()) {
             Settings profileSettings = entry.getValue();
             final Settings profileSslSettings = SecurityNetty4Transport.profileSslSettings(profileSettings);
-            final boolean extractClientCert = sslService.isSSLClientAuthEnabled(profileSslSettings, transportSSLSettings);
+            final boolean extractClientCert = transportSSLEnabled &&
+                    sslService.isSSLClientAuthEnabled(profileSslSettings, transportSSLSettings);
             String type = TRANSPORT_TYPE_SETTING_TEMPLATE.apply(TRANSPORT_TYPE_SETTING_KEY).get(entry.getValue());
             switch (type) {
                 case "client":
@@ -193,7 +195,7 @@ public class SecurityServerTransportInterceptor extends AbstractComponent implem
         }
 
         if (!profileFilters.containsKey(TcpTransport.DEFAULT_PROFILE)) {
-            final boolean extractClientCert = sslService.isSSLClientAuthEnabled(transportSSLSettings);
+            final boolean extractClientCert = transportSSLEnabled && sslService.isSSLClientAuthEnabled(transportSSLSettings);
             profileFilters.put(TcpTransport.DEFAULT_PROFILE, new ServerTransportFilter.NodeProfile(authcService, authzService,
                     threadPool.getThreadContext(), extractClientCert, destructiveOperations, reservedRealmEnabled, securityContext));
         }

plugin/src/main/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4Transport.java

@@ -21,6 +21,7 @@ import org.elasticsearch.indices.breaker.CircuitBreakerService;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TcpTransport;
 import org.elasticsearch.transport.netty4.Netty4Transport;
+import org.elasticsearch.xpack.XPackSettings;
 import org.elasticsearch.xpack.ssl.SSLConfiguration;
 import org.elasticsearch.xpack.ssl.SSLService;
 import org.elasticsearch.xpack.security.transport.filter.IPFilter;
@@ -47,6 +48,7 @@ public class SecurityNetty4Transport extends Netty4Transport {
     @Nullable private final IPFilter authenticator;
     private final SSLConfiguration sslConfiguration;
     private final Map<String, SSLConfiguration> profileConfiguration;
+    private final boolean sslEnabled;
 
     public SecurityNetty4Transport(Settings settings, ThreadPool threadPool, NetworkService networkService, BigArrays bigArrays,
                                    NamedWriteableRegistry namedWriteableRegistry, CircuitBreakerService circuitBreakerService,
@@ -54,23 +56,28 @@ public class SecurityNetty4Transport extends Netty4Transport {
         super(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService);
         this.authenticator = authenticator;
         this.sslService = sslService;
+        this.sslEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
         final Settings transportSSLSettings = settings.getByPrefix(setting("transport.ssl."));
-        sslConfiguration = sslService.sslConfiguration(transportSSLSettings, Settings.EMPTY);
+        if (sslEnabled) {
-        Map<String, Settings> profileSettingsMap = settings.getGroups("transport.profiles.", true);
+            this.sslConfiguration = sslService.sslConfiguration(transportSSLSettings, Settings.EMPTY);
-        Map<String, SSLConfiguration> profileConfiguration = new HashMap<>(profileSettingsMap.size() + 1);
+            Map<String, Settings> profileSettingsMap = settings.getGroups("transport.profiles.", true);
-        for (Map.Entry<String, Settings> entry : profileSettingsMap.entrySet()) {
+            Map<String, SSLConfiguration> profileConfiguration = new HashMap<>(profileSettingsMap.size() + 1);
-            Settings profileSettings = entry.getValue();
+            for (Map.Entry<String, Settings> entry : profileSettingsMap.entrySet()) {
-            final Settings profileSslSettings = profileSslSettings(profileSettings);
+                Settings profileSettings = entry.getValue();
-            SSLConfiguration configuration =  sslService.sslConfiguration(profileSslSettings, transportSSLSettings);
+                final Settings profileSslSettings = profileSslSettings(profileSettings);
-            profileConfiguration.put(entry.getKey(), configuration);
+                SSLConfiguration configuration =  sslService.sslConfiguration(profileSslSettings, transportSSLSettings);
+                profileConfiguration.put(entry.getKey(), configuration);
+            }
+
+            if (profileConfiguration.containsKey(TcpTransport.DEFAULT_PROFILE) == false) {
+                profileConfiguration.put(TcpTransport.DEFAULT_PROFILE, sslConfiguration);
+            }
+
+            this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration);
+        } else {
+            this.profileConfiguration = Collections.emptyMap();
+            this.sslConfiguration = null;
         }
-
-        if (profileConfiguration.containsKey(TcpTransport.DEFAULT_PROFILE) == false) {
-            profileConfiguration.put(TcpTransport.DEFAULT_PROFILE, sslConfiguration);
-
-        }
-
-        this.profileConfiguration = Collections.unmodifiableMap(profileConfiguration);
     }
 
     @Override
@@ -83,11 +90,15 @@ public class SecurityNetty4Transport extends Netty4Transport {
 
     @Override
     protected ChannelHandler getServerChannelInitializer(String name) {
-        SSLConfiguration configuration = profileConfiguration.get(name);
+        if (sslEnabled) {
-        if (configuration == null) {
+            SSLConfiguration configuration = profileConfiguration.get(name);
-            throw new IllegalStateException("unknown profile: " + name);
+            if (configuration == null) {
+                throw new IllegalStateException("unknown profile: " + name);
+            }
+            return new SecurityServerChannelInitializer(name, configuration);
+        } else {
+            return new IPFilterServerChannelInitializer(name);
         }
-        return new SecurityServerChannelInitializer(name, configuration);
     }
 
     @Override
@@ -127,13 +138,26 @@ public class SecurityNetty4Transport extends Netty4Transport {
         }
     }
 
-    class SecurityServerChannelInitializer extends ServerChannelInitializer {
+    class IPFilterServerChannelInitializer extends ServerChannelInitializer {
+        IPFilterServerChannelInitializer(String name) {
+            super(name);
+        }
+
+        @Override
+        protected void initChannel(Channel ch) throws Exception {
+            super.initChannel(ch);
+            if (authenticator != null) {
+                ch.pipeline().addFirst("ipfilter", new IpFilterRemoteAddressFilter(authenticator, name));
+            }
+        }
+    }
+
+    class SecurityServerChannelInitializer extends IPFilterServerChannelInitializer {
         private final SSLConfiguration configuration;
 
         SecurityServerChannelInitializer(String name, SSLConfiguration configuration) {
             super(name);
             this.configuration = configuration;
-
         }
 
         @Override
@@ -141,9 +165,12 @@ public class SecurityNetty4Transport extends Netty4Transport {
             super.initChannel(ch);
             SSLEngine serverEngine = sslService.createSSLEngine(configuration, null, -1);
             serverEngine.setUseClientMode(false);
-            ch.pipeline().addFirst(new SslHandler(serverEngine));
+            IpFilterRemoteAddressFilter remoteAddressFilter = ch.pipeline().get(IpFilterRemoteAddressFilter.class);
-            if (authenticator != null) {
+            final SslHandler sslHandler = new SslHandler(serverEngine);
-                ch.pipeline().addFirst(new IpFilterRemoteAddressFilter(authenticator, name));
+            if (remoteAddressFilter == null) {
+                ch.pipeline().addFirst("sslhandler", sslHandler);
+            } else {
+                ch.pipeline().addAfter("ipfilter", "sslhandler", sslHandler);
             }
         }
     }
@@ -153,13 +180,15 @@ public class SecurityNetty4Transport extends Netty4Transport {
         private final boolean hostnameVerificationEnabled;
 
         SecurityClientChannelInitializer() {
-            this.hostnameVerificationEnabled = sslConfiguration.verificationMode().isHostnameVerificationEnabled();
+            this.hostnameVerificationEnabled = sslEnabled && sslConfiguration.verificationMode().isHostnameVerificationEnabled();
         }
 
         @Override
         protected void initChannel(Channel ch) throws Exception {
             super.initChannel(ch);
-            ch.pipeline().addFirst(new ClientSslHandlerInitializer(sslConfiguration, sslService, hostnameVerificationEnabled));
+            if (sslEnabled) {
+                ch.pipeline().addFirst(new ClientSslHandlerInitializer(sslConfiguration, sslService, hostnameVerificationEnabled));
+            }
         }
     }
 
@@ -197,5 +226,4 @@ public class SecurityNetty4Transport extends Netty4Transport {
     public static Settings profileSslSettings(Settings profileSettings) {
         return profileSettings.getByPrefix(setting("ssl."));
     }
-
 }

plugin/src/main/java/org/elasticsearch/xpack/ssl/GeneratedKeyConfig.java

@@ -1,211 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.xpack.ssl;
-
-import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.elasticsearch.common.Nullable;
-import org.elasticsearch.common.hash.MessageDigests;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.env.Environment;
-import org.elasticsearch.node.Node;
-
-import javax.net.ssl.X509ExtendedKeyManager;
-import javax.net.ssl.X509ExtendedTrustManager;
-import javax.security.auth.DestroyFailedException;
-import javax.security.auth.x500.X500Principal;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.Reader;
-import java.io.UncheckedIOException;
-import java.net.InetAddress;
-import java.net.NetworkInterface;
-import java.net.SocketException;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Path;
-import java.security.KeyPair;
-import java.security.KeyStoreException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Objects;
-import java.util.Set;
-
-/**
- * Represents a {@link KeyConfig} that is automatically generated on node startup if necessary. This helps with the default user experience
- * so that the user does not need to have any knowledge about SSL setup to start a node
- */
-final class GeneratedKeyConfig extends KeyConfig {
-
-    // these values have been generated using openssl
-    // For private key: openssl pkcs8 -in private.pem -inform PEM -nocrypt -topk8 -outform DER | openssl dgst -sha256 -hex
-    // For certificate: openssl x509 -in ca.pem -noout -fingerprint -sha256
-    private static final String PRIVATE_KEY_SHA256 = "eec5bdb422c17c75d3850ffc64a724e52a99ec64366677da2fe4e782d7426e9f";
-    private static final String CA_CERT_FINGERPRINT_SHA256 = "A147166C71EB8B61DADFC5B19ECAC8443BE2DB32A56FC1A73BC1623250738598";
-
-    private final X509ExtendedKeyManager keyManager;
-    private final X509ExtendedTrustManager trustManager;
-
-    GeneratedKeyConfig(Settings settings) throws NoSuchAlgorithmException, IOException, CertificateException, OperatorCreationException,
-            UnrecoverableKeyException, KeyStoreException {
-        final KeyPair keyPair = CertUtils.generateKeyPair(2048);
-        final X500Principal principal = new X500Principal("CN=" + Node.NODE_NAME_SETTING.get(settings));
-        final Certificate caCert = readCACert();
-        final PrivateKey privateKey = readPrivateKey();
-        final GeneralNames generalNames = CertUtils.getSubjectAlternativeNames(false, getLocalAddresses());
-        X509Certificate certificate =
-                CertUtils.generateSignedCertificate(principal, generalNames, keyPair, (X509Certificate) caCert, privateKey, 365);
-        try {
-            privateKey.destroy();
-        } catch (DestroyFailedException e) {
-            // best effort attempt. This is known to fail for RSA keys on the oracle JDK but maybe they'll fix it in ten years or so...
-        }
-        keyManager = CertUtils.keyManager(new Certificate[] { certificate, caCert }, keyPair.getPrivate(), new char[0]);
-        trustManager = CertUtils.trustManager(new Certificate[] { caCert });
-    }
-
-    @Override
-    X509ExtendedTrustManager createTrustManager(@Nullable Environment environment) {
-        return trustManager;
-    }
-
-    @Override
-    List<Path> filesToMonitor(@Nullable Environment environment) {
-        // no files to watch
-        return Collections.emptyList();
-    }
-
-    @Override
-    public String toString() {
-        return "Generated Key Config. DO NOT USE IN PRODUCTION";
-    }
-
-    @Override
-    public boolean equals(Object o) {
-        return this == o;
-    }
-
-    @Override
-    public int hashCode() {
-        return Objects.hash(keyManager, trustManager);
-    }
-
-    @Override
-    X509ExtendedKeyManager createKeyManager(@Nullable Environment environment) {
-        return keyManager;
-    }
-
-    @Override
-    List<PrivateKey> privateKeys(@Nullable Environment environment) {
-        try {
-            return Collections.singletonList(readPrivateKey());
-        } catch (IOException e) {
-            throw new UncheckedIOException("failed to read key", e);
-        }
-    }
-
-    /**
-     * Enumerates all of the loopback and link local addresses so these can be used as SubjectAlternativeNames inside the certificate for
-     * a good out of the box experience with TLS
-     */
-    private Set<InetAddress> getLocalAddresses() throws SocketException {
-        Enumeration<NetworkInterface> networkInterfaces = NetworkInterface.getNetworkInterfaces();
-        Set<InetAddress> inetAddresses = new HashSet<>();
-        while (networkInterfaces.hasMoreElements()) {
-            NetworkInterface intf = networkInterfaces.nextElement();
-            if (intf.isUp()) {
-                if (intf.isLoopback()) {
-                    inetAddresses.addAll(Collections.list(intf.getInetAddresses()));
-                } else {
-                    Enumeration<InetAddress> inetAddressEnumeration = intf.getInetAddresses();
-                    while (inetAddressEnumeration.hasMoreElements()) {
-                        InetAddress inetAddress = inetAddressEnumeration.nextElement();
-                        if (inetAddress.isLoopbackAddress() || inetAddress.isLinkLocalAddress()) {
-                            inetAddresses.add(inetAddress);
-                        }
-                    }
-                }
-            }
-        }
-        return inetAddresses;
-    }
-
-    /**
-     * Reads the bundled CA private key. This key is used for signing a automatically generated certificate that allows development nodes
-     * to talk to each other on the same machine.
-     *
-     * This private key is the same for every distribution and is only here for a nice out of the box experience. Once in production mode
-     * this key should not be used!
-     */
-    static PrivateKey readPrivateKey() throws IOException {
-        try (InputStream inputStream = GeneratedKeyConfig.class.getResourceAsStream("private.pem");
-            Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {
-            PrivateKey privateKey = CertUtils.readPrivateKey(reader, () -> null);
-            MessageDigest md = MessageDigests.sha256();
-            final byte[] privateKeyBytes = privateKey.getEncoded();
-            try {
-                final byte[] digest = md.digest(privateKeyBytes);
-                final byte[] expected = hexStringToByteArray(PRIVATE_KEY_SHA256);
-                if (Arrays.equals(digest, expected) == false) {
-                    throw new IllegalStateException("private key hash does not match the expected value!");
-                }
-            } finally {
-                Arrays.fill(privateKeyBytes, (byte) 0);
-            }
-            return privateKey;
-        }
-    }
-
-    /**
-     * Reads the bundled CA certificate
-     */
-    static Certificate readCACert() throws IOException, CertificateException {
-        try (InputStream inputStream = GeneratedKeyConfig.class.getResourceAsStream("ca.pem");
-             Reader reader = new InputStreamReader(inputStream, StandardCharsets.UTF_8)) {
-            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
-            List<Certificate> certificateList = new ArrayList<>(1);
-            CertUtils.readCertificates(reader, certificateList, certificateFactory);
-            if (certificateList.size() != 1) {
-                throw new IllegalStateException("expected [1] default CA certificate but found [" + certificateList.size() + "]");
-            }
-            Certificate certificate = certificateList.get(0);
-            final byte[] encoded = MessageDigests.sha256().digest(certificate.getEncoded());
-            final byte[] expected = hexStringToByteArray(CA_CERT_FINGERPRINT_SHA256);
-            if (Arrays.equals(encoded, expected) == false) {
-                throw new IllegalStateException("CA certificate fingerprint does not match!");
-            }
-            return certificateList.get(0);
-        }
-    }
-
-    private static byte[] hexStringToByteArray(String hexString) {
-        if (hexString.length() % 2 != 0) {
-            throw new IllegalArgumentException("String must be an even length");
-        }
-        final int numBytes = hexString.length() / 2;
-        final byte[] data = new byte[numBytes];
-
-        for(int i = 0; i < numBytes; i++) {
-            final int index = i * 2;
-            final int index2 = index + 1;
-            data[i] = (byte) ((Character.digit(hexString.charAt(index), 16) << 4) + Character.digit(hexString.charAt(index2), 16));
-        }
-
-        return data;
-    }
-}

plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheck.java

@@ -1,99 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.xpack.ssl;
-
-import org.elasticsearch.ElasticsearchException;
-import org.elasticsearch.bootstrap.BootstrapCheck;
-import org.elasticsearch.bootstrap.BootstrapContext;
-import org.elasticsearch.common.inject.internal.Nullable;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.env.Environment;
-import org.elasticsearch.xpack.XPackSettings;
-
-import java.io.IOException;
-import java.io.UncheckedIOException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.SignatureException;
-import java.security.cert.CertificateException;
-import java.util.Arrays;
-import java.util.Objects;
-import java.util.stream.Stream;
-
-/**
- * Bootstrap check to ensure that we only use the generated key config in non-production situations. This class is currently public because
- * {@link org.elasticsearch.xpack.security.Security} is in a different package and we use package private accessors of the
- * {@link SSLService} to get the configuration for the node to node transport
- */
-public final class SSLBootstrapCheck implements BootstrapCheck {
-
-    private final SSLService sslService;
-    private final Environment environment;
-
-    public SSLBootstrapCheck(SSLService sslService, @Nullable Environment environment) {
-        this.sslService = sslService;
-        this.environment = environment;
-    }
-
-    @Override
-    public BootstrapCheckResult check(BootstrapContext context) {
-        final Settings transportSSLSettings = context.settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX);
-        if (sslService.sslConfiguration(transportSSLSettings).keyConfig() == KeyConfig.NONE
-                || isDefaultCACertificateTrusted() || isDefaultPrivateKeyUsed()) {
-            return BootstrapCheckResult.failure(
-                    "default SSL key and certificate do not provide security; please generate keys and certificates");
-        } else {
-            return BootstrapCheckResult.success();
-        }
-    }
-
-    /**
-     * Looks at all of the trusted certificates to ensure the default CA is not being trusted. We cannot let this happen in production mode
-     */
-    private boolean isDefaultCACertificateTrusted() {
-        final PublicKey publicKey;
-        try {
-            publicKey = GeneratedKeyConfig.readCACert().getPublicKey();
-        } catch (IOException | CertificateException e) {
-            throw new ElasticsearchException("failed to check default CA", e);
-        }
-        return sslService.getLoadedSSLConfigurations().stream()
-                .flatMap(config -> Stream.of(config.keyConfig().createTrustManager(environment),
-                        config.trustConfig().createTrustManager(environment)))
-                .filter(Objects::nonNull)
-                .flatMap((tm) -> Arrays.stream(tm.getAcceptedIssuers()))
-                .anyMatch((cert) -> {
-                    try {
-                        cert.verify(publicKey);
-                        return true;
-                    } catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException
-                            | SignatureException e) {
-                        // just ignore these
-                        return false;
-                    }
-                });
-    }
-
-    /**
-     * Looks at all of the private keys and if there is a key that is equal to the default CA key then we should bail out
-     */
-    private boolean isDefaultPrivateKeyUsed() {
-        final PrivateKey defaultPrivateKey;
-        try {
-            defaultPrivateKey = GeneratedKeyConfig.readPrivateKey();
-        } catch (IOException e) {
-            throw new UncheckedIOException("failed to read key", e);
-        }
-
-        return sslService.getLoadedSSLConfigurations().stream()
-                .flatMap(sslConfiguration -> sslConfiguration.keyConfig().privateKeys(environment).stream())
-                .anyMatch(defaultPrivateKey::equals);
-    }
-
-}

plugin/src/main/java/org/elasticsearch/xpack/ssl/SSLService.java

@@ -10,7 +10,6 @@ import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
 import org.apache.lucene.util.SetOnce;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.elasticsearch.ElasticsearchException;
-import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.CheckedSupplier;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.component.AbstractComponent;
@@ -33,7 +32,6 @@ import javax.security.auth.DestroyFailedException;
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
-import java.nio.file.Path;
 import java.security.KeyManagementException;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
@@ -447,74 +445,12 @@ public class SSLService extends AbstractComponent {
         final SSLConfiguration transportSSLConfiguration = new SSLConfiguration(transportSSLSettings, globalSSLConfiguration);
         this.transportSSLConfiguration.set(transportSSLConfiguration);
         List<Settings> profileSettings = getTransportProfileSSLSettings(settings);
-
+        sslConfigurations.computeIfAbsent(transportSSLConfiguration, this::createSslContext);
-        // if no key is provided for transport we can auto-generate a key with a signed certificate for development use only. There is a
+        profileSettings.forEach((profileSetting) ->
-        // bootstrap check that prevents this configuration from being use in production (SSLBootstrapCheck)
+            sslConfigurations.computeIfAbsent(new SSLConfiguration(profileSetting, transportSSLConfiguration), this::createSslContext));
-        if (transportSSLConfiguration.keyConfig() == KeyConfig.NONE) {
-            createDevelopmentTLSConfiguration(sslConfigurations, transportSSLConfiguration, profileSettings);
-
-        } else {
-            sslConfigurations.computeIfAbsent(transportSSLConfiguration, this::createSslContext);
-            profileSettings.forEach((profileSetting) ->
-                sslConfigurations.computeIfAbsent(new SSLConfiguration(profileSetting, transportSSLConfiguration), this::createSslContext));
-        }
         return Collections.unmodifiableMap(sslConfigurations);
     }
 
-    private void createDevelopmentTLSConfiguration(Map<SSLConfiguration, SSLContextHolder> sslConfigurations,
-                                                   SSLConfiguration transportSSLConfiguration, List<Settings> profileSettings)
-            throws NoSuchAlgorithmException, IOException, CertificateException, OperatorCreationException, UnrecoverableKeyException,
-            KeyStoreException {
-        // lazily generate key to avoid slowing down startup where we do not need it
-        final GeneratedKeyConfig generatedKeyConfig = new GeneratedKeyConfig(settings);
-        final TrustConfig trustConfig =
-                new TrustConfig.CombiningTrustConfig(Arrays.asList(transportSSLConfiguration.trustConfig(), new TrustConfig() {
-                    @Override
-                    X509ExtendedTrustManager createTrustManager(@Nullable Environment environment) {
-                        return generatedKeyConfig.createTrustManager(environment);
-                    }
-
-                    @Override
-                    List<Path> filesToMonitor(@Nullable Environment environment) {
-                        return Collections.emptyList();
-                    }
-
-                    @Override
-                    public String toString() {
-                        return "Generated Trust Config. DO NOT USE IN PRODUCTION";
-                    }
-
-                    @Override
-                    public boolean equals(Object o) {
-                        return this == o;
-                    }
-
-                    @Override
-                    public int hashCode() {
-                        return System.identityHashCode(this);
-                    }
-        }));
-        X509ExtendedTrustManager extendedTrustManager = trustConfig.createTrustManager(env);
-        ReloadableTrustManager trustManager = new ReloadableTrustManager(extendedTrustManager, trustConfig);
-        ReloadableX509KeyManager keyManager =
-                new ReloadableX509KeyManager(generatedKeyConfig.createKeyManager(env), generatedKeyConfig);
-        sslConfigurations.put(transportSSLConfiguration, createSslContext(keyManager, trustManager, transportSSLConfiguration));
-        profileSettings.forEach((profileSetting) -> {
-            SSLConfiguration configuration = new SSLConfiguration(profileSetting, transportSSLConfiguration);
-            if (configuration.keyConfig() == KeyConfig.NONE) {
-                sslConfigurations.compute(configuration, (conf, holder) -> {
-                    if (holder != null && holder.keyManager == keyManager && holder.trustManager == trustManager) {
-                        return holder;
-                    } else {
-                        return createSslContext(keyManager, trustManager, configuration);
-                    }
-                });
-            } else {
-                sslConfigurations.computeIfAbsent(configuration, this::createSslContext);
-            }
-        });
-    }
-
     /**
      * This socket factory wraps an existing SSLSocketFactory and sets the protocols and ciphers on each SSLSocket after it is created. This
      * is needed even though the SSLContext is configured properly as the configuration does not flow down to the sockets created by the

plugin/src/main/resources/org/elasticsearch/xpack/ssl/ca.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDWDCCAkCgAwIBAgIJANRlkT/I8aROMA0GCSqGSIb3DQEBCwUAMCYxJDAiBgNV
-BAMTG3hwYWNrIHB1YmxpYyBkZXZlbG9wbWVudCBjYTAeFw0xNzAxMDUxNDUyMDNa
-Fw00NDA1MjMxNDUyMDNaMCYxJDAiBgNVBAMTG3hwYWNrIHB1YmxpYyBkZXZlbG9w
-bWVudCBjYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALBfQEQYZmPW
-cAw939i8RRsa27+qxd32ysJu9aKgSEiIDFKU0JwFh6pog1l8frICM4jF0TqILGHv
-+QbQYsD2e3jYp0cj8dy2+YN6jgTXMf1N8yh6GYXEzRrEKYhqVTHLpZgbhxEFxsws
-gZiEMHiVxn6h5i4uWDmkp6zt4kHlKgvjtIEzZ1xiXWcS7jJvVPb8r0xUFPDu8Qij
-BhjxkbkXprzjGEtt4bKqZ8/R+pr+eUuvmApMSMB38dZxDRXxyavbmbJcGDJX+ZKN
-4OcECH55B/EtxhPxpfFXmX+y5Lh597vkhgitw8Qhayaa8gF16tt4rUgYude9kGSi
-m3hs6Q9mWM8CAwEAAaOBiDCBhTAdBgNVHQ4EFgQUM6+ZLgmnj1FXHEPejFcpiRR+
-ANIwVgYDVR0jBE8wTYAUM6+ZLgmnj1FXHEPejFcpiRR+ANKhKqQoMCYxJDAiBgNV
-BAMTG3hwYWNrIHB1YmxpYyBkZXZlbG9wbWVudCBjYYIJANRlkT/I8aROMAwGA1Ud
-EwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABqgr2p+Ivb3myF56BuiJYYz55Wa
-ncm4Aqdw6p/A5qkl3pSXu2zbgSfyFvux7Q1+lowIvw4fAOTBcQQpQkYWJmObkCLg
-HMiKbBreFVqPOqScjTBk6t1g/mOdJXfOognc6QRwfunEBqevNVDT2w3sGlNHooEM
-3XUPBgyuznE1Olqt7U0tMGsENyBgZv51bUg7ZZCLrV2sdgqc3XYZUqBnttvbBDyU
-tozgDMoCXLvVHcpWcKsA+ONd0szbSAu1uF0ZfqgaoSslM1ph9ydPbXEvnD5AFO6Y
-VBTW3v4cnluhrxO6TwRqNo43L5ENqZhtX9gVtzQ54exQsuoKzZ8NO5X1uIA=
------END CERTIFICATE-----

plugin/src/main/resources/org/elasticsearch/xpack/ssl/private.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAsF9ARBhmY9ZwDD3f2LxFGxrbv6rF3fbKwm71oqBISIgMUpTQ
-nAWHqmiDWXx+sgIziMXROogsYe/5BtBiwPZ7eNinRyPx3Lb5g3qOBNcx/U3zKHoZ
-hcTNGsQpiGpVMculmBuHEQXGzCyBmIQweJXGfqHmLi5YOaSnrO3iQeUqC+O0gTNn
-XGJdZxLuMm9U9vyvTFQU8O7xCKMGGPGRuRemvOMYS23hsqpnz9H6mv55S6+YCkxI
-wHfx1nENFfHJq9uZslwYMlf5ko3g5wQIfnkH8S3GE/Gl8VeZf7LkuHn3u+SGCK3D
-xCFrJpryAXXq23itSBi5172QZKKbeGzpD2ZYzwIDAQABAoIBADRpKbzSj2Ktr4BD
-xsguMk76rUCIq+Ho25npxT69aJ19KERGCrPChO0jv5yQ/UlClDPZrPI60w2LdTIM
-LLxwwoJHx3XBfbb7/KuQeLGBjU5bop1tozX4JIcGsdzi1ExG2v+XdoydbdTwiNZc
-udark1/AFpm0le0TO+yMiEbSpasAUetmwmBLl0ld1qOoEFNM4ueLtM0/JE4kQHJC
-a6a0fS1D+TQsPCdziW80X2hpwCIbg4CF3LqR521SfwIzRscbaXzCzeBNCShJE8Nm
-Qun91Szze80aaFBBIwMKbppEx5iYCCKeTyO3yswRuZ44+iBe/piB3F/qRKnjBwNS
-LeL9NOECgYEA4xMUueF8HN23QeC/KZ/6LALwyNBtT7JP7YbW6dvo+3F0KSPxbDL1
-nMmeOTV8suAlGslsE+GuvPU6M9fUCxpbVnbYH5hEuh0v25WRekFv14H/yEpVF26o
-OHeilUIzpRTUOndgkmN8cXNp2xkzs2Yp7F2RSlog2kXQOYgC91YmvjECgYEAxtbC
-OzxUUjebeqnolo8wYur42BievUDqyD9pCnaix+2F59SdLDgirJIOEtv31jjpLaIh
-nO8akxMCPNwhEgVzelI2k+jJ+Kermi3+tEAnlBBDf/tMEGNav2XE3MnYkDt2jdza
-fganfhKQwAufyq2lUHC/Slh+xcLPepTef6zFxv8CgYB6ZEJ7ninDdU3dWEIxMWUq
-a7tUweLpXfbu1Arqqfl97bzqn9D0vNLd215I/6di0qWtNnvmi3Ifrx3b660C/wXU
-KOJ8xRnmJu0wsgFjn/mkcxFm54nNw3swVGtxf+lORVfO26FVxgHBNLANxBu1yo82
-M4ioRsQGYjLFj6XpoqnnQQKBgE8RpYlCs1FCdZxwpmIArMAZKj1chPtDLlnVBWM4
-zABuzpni7WFhLUCsj9YmDMbuOKOB3pX2av3jSDeFXc05x7LzsGpe3rn3iwCzm554
-CIUTdpQVDSlTKQoFYSRfS7QHQVymX2hQIxi6Lz9/H9rL9Hopa5gX2smvbywSuOvS
-e49nAoGAM7TQ9iFBsygXxbxh2EL47nw/LBxbDm86TazpSKrHd9pV6Z/Xv870QEf7
-cZJ9T/KRGkxlK8L6B7uzeckpk4uMWuDRiymnbg2pqk94oELKkh0iLnlGSMf3IPO8
-qIRFQsQfA3PaU6SG/izaB1lquBRtIj5kAW2ZXI4O9l5V39Y5/n4=
------END RSA PRIVATE KEY-----

plugin/src/main/resources/org/elasticsearch/xpack/ssl/public.pem

@@ -1,9 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsF9ARBhmY9ZwDD3f2LxF
-Gxrbv6rF3fbKwm71oqBISIgMUpTQnAWHqmiDWXx+sgIziMXROogsYe/5BtBiwPZ7
-eNinRyPx3Lb5g3qOBNcx/U3zKHoZhcTNGsQpiGpVMculmBuHEQXGzCyBmIQweJXG
-fqHmLi5YOaSnrO3iQeUqC+O0gTNnXGJdZxLuMm9U9vyvTFQU8O7xCKMGGPGRuRem
-vOMYS23hsqpnz9H6mv55S6+YCkxIwHfx1nENFfHJq9uZslwYMlf5ko3g5wQIfnkH
-8S3GE/Gl8VeZf7LkuHn3u+SGCK3DxCFrJpryAXXq23itSBi5172QZKKbeGzpD2ZY
-zwIDAQAB
------END PUBLIC KEY-----

plugin/src/test/java/org/elasticsearch/integration/ldap/AbstractAdLdapRealmTestCase.java

@@ -34,7 +34,6 @@ import org.junit.BeforeClass;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
 import java.io.UncheckedIOException;
 import java.nio.file.Path;
 import java.util.Arrays;
@@ -221,8 +220,8 @@ public abstract class AbstractAdLdapRealmTestCase extends SecurityIntegTestCase
     }
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return useGlobalSSL == false;
+        return useGlobalSSL;
     }
 
     protected final void configureFileRoleMappings(Settings.Builder builder, List<RoleMappingEntry> mappings) {

plugin/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java

@@ -43,14 +43,12 @@ import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.rules.ExternalResource;
 
-import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.nio.file.Path;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
-import java.util.concurrent.CountDownLatch;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
@@ -169,12 +167,12 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase {
                 case SUITE:
                     if (customSecuritySettingsSource == null) {
                         customSecuritySettingsSource =
-                                new CustomSecuritySettingsSource(useGeneratedSSLConfig(), createTempDir(), currentClusterScope);
+                                new CustomSecuritySettingsSource(transportSSLEnabled(), createTempDir(), currentClusterScope);
                     }
                     break;
                 case TEST:
                     customSecuritySettingsSource =
-                            new CustomSecuritySettingsSource(useGeneratedSSLConfig(), createTempDir(), currentClusterScope);
+                            new CustomSecuritySettingsSource(transportSSLEnabled(), createTempDir(), currentClusterScope);
                     break;
             }
         }
@@ -325,7 +323,7 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase {
     /**
      * Allows to control whether ssl key information is auto generated or not on the transport layer
      */
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
         return randomBoolean();
     }
 
@@ -339,8 +337,8 @@ public abstract class SecurityIntegTestCase extends ESIntegTestCase {
 
     private class CustomSecuritySettingsSource extends SecuritySettingsSource {
 
-        private CustomSecuritySettingsSource(boolean useGeneratedSSLConfig, Path configDir, Scope scope) {
+        private CustomSecuritySettingsSource(boolean sslEnabled, Path configDir, Scope scope) {
-            super(maxNumberOfNodes(), useGeneratedSSLConfig, configDir, scope);
+            super(maxNumberOfNodes(), sslEnabled, configDir, scope);
         }
 
         @Override

plugin/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java

@@ -79,7 +79,7 @@ public class SecuritySettingsSource extends ClusterDiscoveryConfiguration.Unicas
 
     private final Path parentFolder;
     private final String subfolderPrefix;
-    private final boolean useGeneratedSSLConfig;
+    private final boolean sslEnabled;
     private final boolean hostnameVerificationEnabled;
     private final boolean usePEM;
 
@@ -87,15 +87,15 @@ public class SecuritySettingsSource extends ClusterDiscoveryConfiguration.Unicas
      * Creates a new {@link org.elasticsearch.test.NodeConfigurationSource} for the security configuration.
      *
      * @param numOfNodes the number of nodes for proper unicast configuration (can be more than actually available)
-     * @param useGeneratedSSLConfig whether ssl key/cert should be auto-generated
+     * @param sslEnabled whether ssl is enabled
      * @param parentFolder the parent folder that will contain all of the configuration files that need to be created
      * @param scope the scope of the test that is requiring an instance of SecuritySettingsSource
      */
-    public SecuritySettingsSource(int numOfNodes, boolean useGeneratedSSLConfig, Path parentFolder, Scope scope) {
+    public SecuritySettingsSource(int numOfNodes, boolean sslEnabled, Path parentFolder, Scope scope) {
         super(numOfNodes, DEFAULT_SETTINGS);
         this.parentFolder = parentFolder;
         this.subfolderPrefix = scope.name();
-        this.useGeneratedSSLConfig = useGeneratedSSLConfig;
+        this.sslEnabled = sslEnabled;
         this.hostnameVerificationEnabled = randomBoolean();
         this.usePEM = randomBoolean();
     }
@@ -203,20 +203,24 @@ public class SecuritySettingsSource extends ClusterDiscoveryConfiguration.Unicas
     }
 
     private void addNodeSSLSettings(Settings.Builder builder) {
-        if (usePEM) {
+        if (sslEnabled) {
-            addSSLSettingsForPEMFiles(builder, "",
+            if (usePEM) {
-                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode",
+                addSSLSettingsForPEMFiles(builder, "",
-                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
+                        "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem", "testnode",
-                Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt",
+                        "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
-                              "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt",
+                        Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.crt",
-                              "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
+                                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt",
-                              "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
+                                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
-                              "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
+                                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
-                useGeneratedSSLConfig, hostnameVerificationEnabled, false);
+                                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
+                        sslEnabled, hostnameVerificationEnabled, false);
 
-        } else {
+            } else {
-            addSSLSettingsForStore(builder, "", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks",
+                addSSLSettingsForStore(builder, "", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks",
-                "testnode", useGeneratedSSLConfig, hostnameVerificationEnabled, false);
+                        "testnode", sslEnabled, hostnameVerificationEnabled, false);
+            }
+        } else if (randomBoolean()) {
+            builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), false);
         }
     }
 
@@ -227,10 +231,10 @@ public class SecuritySettingsSource extends ClusterDiscoveryConfiguration.Unicas
                 "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
                 Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
                               "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"),
-                useGeneratedSSLConfig, hostnameVerificationEnabled, true);
+                    sslEnabled, hostnameVerificationEnabled, true);
         } else {
             addSSLSettingsForStore(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks",
-                "testclient", useGeneratedSSLConfig, hostnameVerificationEnabled, true);
+                "testclient", sslEnabled, hostnameVerificationEnabled, true);
         }
     }
 
@@ -241,31 +245,30 @@ public class SecuritySettingsSource extends ClusterDiscoveryConfiguration.Unicas
      * @param password the password
      */
     public static void addSSLSettingsForStore(Settings.Builder builder, String resourcePathToStore, String password) {
-        addSSLSettingsForStore(builder, "", resourcePathToStore, password, false, true, true);
+        addSSLSettingsForStore(builder, "", resourcePathToStore, password, true, true, true);
     }
 
     private static void addSSLSettingsForStore(Settings.Builder builder, String prefix, String resourcePathToStore, String password,
-                                               boolean useGeneratedSSLConfig, boolean hostnameVerificationEnabled,
+                                               boolean sslEnabled, boolean hostnameVerificationEnabled,
                                                boolean transportClient) {
         Path store = resolveResourcePath(resourcePathToStore);
 
         if (transportClient == false) {
             builder.put(prefix + "xpack.security.http.ssl.enabled", false);
         }
+        builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);
 
         builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
-        if (useGeneratedSSLConfig == false) {
+        builder.put(prefix + "xpack.ssl.keystore.path", store);
-            builder.put(prefix + "xpack.ssl.keystore.path", store);
+        if (transportClient) {
-            if (transportClient) {
+            // continue using insecure settings for clients until we figure out what to do there...
-                // continue using insecure settings for clients until we figure out what to do there...
+            builder.put(prefix + "xpack.ssl.keystore.password", password);
-                builder.put(prefix + "xpack.ssl.keystore.password", password);
+        } else {
-            } else {
+            addSecureSettings(builder, secureSettings ->
-                addSecureSettings(builder, secureSettings ->
+                secureSettings.setString(prefix + "xpack.ssl.keystore.secure_password", password));
-                    secureSettings.setString(prefix + "xpack.ssl.keystore.secure_password", password));
-            }
         }
 
-        if (useGeneratedSSLConfig == false && true /*randomBoolean()*/) {
+        if (randomBoolean()) {
             builder.put(prefix + "xpack.ssl.truststore.path", store);
             if (transportClient) {
                 // continue using insecure settings for clients until we figure out what to do there...
@@ -278,29 +281,28 @@ public class SecuritySettingsSource extends ClusterDiscoveryConfiguration.Unicas
     }
 
     private static void addSSLSettingsForPEMFiles(Settings.Builder builder, String prefix, String keyPath, String password,
-                                                  String certificatePath, List<String> trustedCertificates, boolean useGeneratedSSLConfig,
+                                                  String certificatePath, List<String> trustedCertificates, boolean sslEnabled,
                                                   boolean hostnameVerificationEnabled, boolean transportClient) {
 
         if (transportClient == false) {
             builder.put(prefix + "xpack.security.http.ssl.enabled", false);
         }
+        builder.put(XPackSettings.TRANSPORT_SSL_ENABLED.getKey(), sslEnabled);
 
         builder.put(prefix + "xpack.ssl.verification_mode", hostnameVerificationEnabled ? "full" : "certificate");
-        if (useGeneratedSSLConfig == false) {
+        builder.put(prefix + "xpack.ssl.key", resolveResourcePath(keyPath))
-            builder.put(prefix + "xpack.ssl.key", resolveResourcePath(keyPath))
+                .put(prefix + "xpack.ssl.certificate", resolveResourcePath(certificatePath));
-                    .put(prefix + "xpack.ssl.certificate", resolveResourcePath(certificatePath));
+        if (transportClient) {
-            if (transportClient) {
+            // continue using insecure settings for clients until we figure out what to do there...
-                // continue using insecure settings for clients until we figure out what to do there...
+            builder.put(prefix + "xpack.ssl.key_passphrase", password);
-                builder.put(prefix + "xpack.ssl.key_passphrase", password);
+        } else {
-            } else {
+            addSecureSettings(builder, secureSettings ->
-                addSecureSettings(builder, secureSettings ->
+                secureSettings.setString(prefix + "xpack.ssl.secure_key_passphrase", password));
-                    secureSettings.setString(prefix + "xpack.ssl.secure_key_passphrase", password));
+        }
-            }
 
-            if (trustedCertificates.isEmpty() == false) {
+        if (trustedCertificates.isEmpty() == false) {
-                builder.put(prefix + "xpack.ssl.certificate_authorities",
+            builder.put(prefix + "xpack.ssl.certificate_authorities",
-                        Strings.arrayToCommaDelimitedString(resolvePathsToString(trustedCertificates)));
+                    Strings.arrayToCommaDelimitedString(resolvePathsToString(trustedCertificates)));
-            }
         }
     }
 

plugin/src/test/java/org/elasticsearch/xpack/security/PkiRealmBootstrapCheckTests.java

@@ -26,6 +26,12 @@ public class PkiRealmBootstrapCheckTests extends ESTestCase {
                 .put("path.home", createTempDir())
                 .build();
         Environment env = new Environment(settings);
+        assertTrue(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null)).isFailure());
+
+        // enable transport tls
+        settings = Settings.builder().put(settings)
+                .put("xpack.security.transport.ssl.enabled", true)
+                .build();
         assertFalse(new PkiRealmBootstrapCheck(new SSLService(settings, env)).check(new BootstrapContext(settings, null)).isFailure());
 
         // disable client auth default

plugin/src/test/java/org/elasticsearch/xpack/security/SecurityTribeIT.java

@@ -69,14 +69,14 @@ public class SecurityTribeIT extends NativeRealmIntegTestCase {
 
     private static final String SECOND_CLUSTER_NODE_PREFIX = "node_cluster2_";
     private static InternalTestCluster cluster2;
-    private static boolean useGeneratedSSL;
+    private static boolean useSSL;
 
     private Node tribeNode;
     private Client tribeClient;
 
     @BeforeClass
     public static void setupSSL() {
-        useGeneratedSSL = randomBoolean();
+        useSSL = randomBoolean();
     }
 
     @Override
@@ -84,7 +84,7 @@ public class SecurityTribeIT extends NativeRealmIntegTestCase {
         super.setUp();
         if (cluster2 == null) {
             SecuritySettingsSource cluster2SettingsSource =
-                    new SecuritySettingsSource(defaultMaxNumberOfNodes(), useGeneratedSSL, createTempDir(), Scope.SUITE) {
+                    new SecuritySettingsSource(defaultMaxNumberOfNodes(), useSSL, createTempDir(), Scope.SUITE) {
                         @Override
                         public Settings nodeSettings(int nodeOrdinal) {
                             Settings.Builder builder = Settings.builder()
@@ -118,8 +118,8 @@ public class SecurityTribeIT extends NativeRealmIntegTestCase {
     }
 
     @Override
-    public boolean useGeneratedSSLConfig() {
+    public boolean transportSSLEnabled() {
-        return useGeneratedSSL;
+        return useSSL;
     }
 
     @AfterClass
@@ -216,7 +216,7 @@ public class SecurityTribeIT extends NativeRealmIntegTestCase {
 
     private void setupTribeNode(Settings settings) throws Exception {
         SecuritySettingsSource cluster2SettingsSource =
-                new SecuritySettingsSource(1, useGeneratedSSL, createTempDir(), Scope.TEST) {
+                new SecuritySettingsSource(1, useSSL, createTempDir(), Scope.TEST) {
                     @Override
                     public Settings nodeSettings(int nodeOrdinal) {
                         return Settings.builder()

plugin/src/test/java/org/elasticsearch/xpack/security/audit/index/AuditTrailTests.java

@@ -35,7 +35,6 @@ import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 
 import static org.elasticsearch.test.SecuritySettingsSource.TEST_PASSWORD_SECURE_STRING;
-import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
@@ -79,7 +78,7 @@ public class AuditTrailTests extends SecurityIntegTestCase {
     }
 
     @Override
-    public boolean useGeneratedSSLConfig() {
+    public boolean transportSSLEnabled() {
         return true;
     }
 

plugin/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java

@@ -84,6 +84,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
     public static final String SECOND_CLUSTER_NODE_PREFIX = "remote_" + SUITE_CLUSTER_NODE_PREFIX;
 
     private static boolean remoteIndexing;
+    private static boolean useSSL;
     private static InternalTestCluster remoteCluster;
     private static Settings remoteSettings;
 
@@ -99,6 +100,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
 
     @BeforeClass
     public static void configureBeforeClass() {
+        useSSL = randomBoolean();
         remoteIndexing = randomBoolean();
         if (remoteIndexing == false) {
             remoteSettings = Settings.EMPTY;
@@ -114,6 +116,11 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
         remoteSettings = null;
     }
 
+    @Override
+    protected boolean transportSSLEnabled() {
+        return useSSL;
+    }
+
     @Before
     public void initializeRemoteClusterIfNecessary() throws Exception {
         if (remoteIndexing == false) {
@@ -131,11 +138,11 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
         // Setup a second test cluster with randomization for number of nodes, security enabled, and SSL
         final int numNodes = randomIntBetween(1, 2);
         final boolean useSecurity = randomBoolean();
-        final boolean useGeneratedSSL = useSecurity && randomBoolean();
+        final boolean remoteUseSSL = useSecurity && useSSL;
-        logger.info("--> remote indexing enabled. security enabled: [{}], SSL enabled: [{}], nodes: [{}]", useSecurity, useGeneratedSSL,
+        logger.info("--> remote indexing enabled. security enabled: [{}], SSL enabled: [{}], nodes: [{}]", useSecurity, useSSL,
                 numNodes);
         SecuritySettingsSource cluster2SettingsSource =
-                new SecuritySettingsSource(numNodes, useGeneratedSSL, createTempDir(), Scope.SUITE) {
+                new SecuritySettingsSource(numNodes, useSSL, createTempDir(), Scope.SUITE) {
             @Override
             public Settings nodeSettings(int nodeOrdinal) {
                 Settings.Builder builder = Settings.builder()
@@ -192,8 +199,9 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
                 .put("xpack.security.audit.index.client.xpack.security.user", SecuritySettingsSource.TEST_USER_NAME + ":" +
                         SecuritySettingsSource.TEST_PASSWORD);
 
-        if (useGeneratedSSL == false) {
+        if (remoteUseSSL) {
             cluster2SettingsSource.addClientSSLSettings(builder, "xpack.security.audit.index.client.");
+            builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", true);
         }
         if (useSecurity == false && builder.get(NetworkModule.TRANSPORT_TYPE_KEY) == null) {
             builder.put("xpack.security.audit.index.client." + NetworkModule.TRANSPORT_TYPE_KEY, getTestTransportType());

plugin/src/test/java/org/elasticsearch/xpack/security/audit/index/RemoteIndexAuditTrailStartingTests.java

@@ -28,7 +28,6 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
-import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.StreamSupport;
@@ -50,13 +49,13 @@ public class RemoteIndexAuditTrailStartingTests extends SecurityIntegTestCase {
 
     private InternalTestCluster remoteCluster;
 
-    private final boolean useGeneratedSSL = randomBoolean();
+    private final boolean sslEnabled = randomBoolean();
     private final boolean localAudit = randomBoolean();
     private final String outputs = randomFrom("index", "logfile", "index,logfile");
 
     @Override
-    public boolean useGeneratedSSLConfig() {
+    public boolean transportSSLEnabled() {
-        return useGeneratedSSL;
+        return sslEnabled;
     }
 
     @Override
@@ -90,7 +89,7 @@ public class RemoteIndexAuditTrailStartingTests extends SecurityIntegTestCase {
         // Setup a second test cluster with a single node, security enabled, and SSL
         final int numNodes = 1;
         SecuritySettingsSource cluster2SettingsSource =
-                new SecuritySettingsSource(numNodes, useGeneratedSSL, createTempDir(), Scope.TEST) {
+                new SecuritySettingsSource(numNodes, sslEnabled, createTempDir(), Scope.TEST) {
             @Override
             public Settings nodeSettings(int nodeOrdinal) {
                 Settings.Builder builder = Settings.builder()
@@ -104,6 +103,7 @@ public class RemoteIndexAuditTrailStartingTests extends SecurityIntegTestCase {
                         .put("xpack.security.audit.index.client.xpack.security.user", TEST_USER_NAME + ":" + TEST_PASSWORD);
 
                 addClientSSLSettings(builder, "xpack.security.audit.index.client.");
+                builder.put("xpack.security.audit.index.client.xpack.security.transport.ssl.enabled", sslEnabled);
                 return builder.build();
             }
         };

plugin/src/test/java/org/elasticsearch/xpack/security/authc/RunAsIntegTests.java

@@ -83,8 +83,8 @@ public class RunAsIntegTests extends SecurityIntegTestCase {
     }
 
     @Override
-    public boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return true;
+        return false;
     }
 
     public void testUserImpersonation() throws Exception {

plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/ESNativeMigrateToolTests.java

@@ -17,7 +17,6 @@ import org.elasticsearch.test.SecuritySettingsSource;
 import org.elasticsearch.xpack.security.SecurityLifecycleService;
 import org.elasticsearch.xpack.security.authc.support.CharArrays;
 import org.elasticsearch.xpack.security.client.SecurityClient;
-import org.junit.AfterClass;
 import org.junit.BeforeClass;
 
 import java.nio.charset.StandardCharsets;
@@ -52,9 +51,9 @@ public class ESNativeMigrateToolTests extends NativeRealmIntegTestCase {
     }
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
         // don't use autogenerated when we expect a different cert
-        return useSSL == false;
+        return useSSL;
     }
 
     @Override

plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java

@@ -15,7 +15,6 @@ import org.elasticsearch.action.index.IndexResponse;
 import org.elasticsearch.client.transport.NoNodeAvailableException;
 import org.elasticsearch.client.transport.TransportClient;
 import org.elasticsearch.common.network.NetworkModule;
-import org.elasticsearch.common.settings.MockSecureSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.http.HttpServerTransport;
@@ -73,8 +72,8 @@ public class PkiAuthenticationTests extends SecurityIntegTestCase {
     }
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     public void testTransportClientCanAuthenticateViaPki() {

plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiOptionalClientAuthTests.java

@@ -66,8 +66,8 @@ public class PkiOptionalClientAuthTests extends SecurityIntegTestCase {
     }
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     public void testRestClientWithoutClientCertificate() throws Exception {

plugin/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java

@@ -13,8 +13,6 @@ import org.elasticsearch.common.network.NetworkAddress;
 import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.TransportAddress;
-import org.elasticsearch.common.unit.TimeValue;
-import org.elasticsearch.discovery.MasterNotDiscoveredException;
 import org.elasticsearch.node.MockNode;
 import org.elasticsearch.node.Node;
 import org.elasticsearch.node.NodeValidationException;
@@ -42,7 +40,6 @@ import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.concurrent.CountDownLatch;
 
-import static java.util.Collections.singletonMap;
 import static org.elasticsearch.test.SecuritySettingsSource.addSSLSettingsForStore;
 import static org.elasticsearch.xpack.security.test.SecurityTestUtils.writeFile;
 import static org.hamcrest.CoreMatchers.equalTo;
@@ -57,10 +54,9 @@ public class ServerTransportFilterIntegrationTests extends SecurityIntegTestCase
         randomClientPort = randomIntBetween(49000, 65500); // ephemeral port
     }
 
-    // don't use it here to simplify the settings we need
     @Override
-    public boolean useGeneratedSSLConfig() {
+    public boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     @Override

plugin/src/test/java/org/elasticsearch/xpack/security/transport/netty4/DNSOnlyHostnameVerificationTests.java

@@ -87,8 +87,8 @@ public class DNSOnlyHostnameVerificationTests extends SecurityIntegTestCase {
     }
 
     @Override
-    public boolean useGeneratedSSLConfig() {
+    public boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     @Override

plugin/src/test/java/org/elasticsearch/xpack/security/transport/netty4/IPHostnameVerificationTests.java

@@ -23,8 +23,8 @@ public class IPHostnameVerificationTests extends SecurityIntegTestCase {
     Path keystore;
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     @Override

plugin/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4TransportTests.java

@@ -42,6 +42,7 @@ public class SecurityNetty4TransportTests extends ESTestCase {
         MockSecureSettings secureSettings = new MockSecureSettings();
         secureSettings.setString("xpack.ssl.keystore.secure_password", "testnode");
         Settings settings = Settings.builder()
+                .put("xpack.security.transport.ssl.enabled", true)
                 .put("xpack.ssl.keystore.path", testnodeStore)
                 .setSecureSettings(secureSettings)
                 .put("path.home", createTempDir())
@@ -51,12 +52,13 @@ public class SecurityNetty4TransportTests extends ESTestCase {
     }
 
     private SecurityNetty4Transport createTransport() {
-        return createTransport(Settings.EMPTY);
+        return createTransport(Settings.builder().put("xpack.security.transport.ssl.enabled", true).build());
     }
 
     private SecurityNetty4Transport createTransport(Settings additionalSettings) {
         final Settings settings =
                 Settings.builder()
+                        .put("xpack.security.transport.ssl.enabled", true)
                         .put(additionalSettings)
                         .build();
         return new SecurityNetty4Transport(
@@ -185,6 +187,7 @@ public class SecurityNetty4TransportTests extends ESTestCase {
         secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
         secureSettings.setString("xpack.ssl.truststore.secure_password", "truststore-testnode-only");
         Settings.Builder builder = Settings.builder()
+                .put("xpack.security.transport.ssl.enabled", true)
                 .put("xpack.security.transport.ssl.keystore.path",
                         getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks"))
                 .put("xpack.security.transport.ssl.client_authentication", "none")

plugin/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SslHostnameVerificationTests.java

@@ -27,8 +27,8 @@ import static org.hamcrest.Matchers.containsString;
 public class SslHostnameVerificationTests extends SecurityIntegTestCase {
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     @Override

plugin/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java

@@ -66,8 +66,8 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase {
     }
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     public void testConnection() throws Exception {

plugin/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslIntegrationTests.java

@@ -51,8 +51,8 @@ public class SslIntegrationTests extends SecurityIntegTestCase {
     }
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     // no SSL exception as this is the exception is returned when connecting

plugin/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslMultiPortTests.java

@@ -73,8 +73,8 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
     }
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     private TransportClient createTransportClient(Settings additionalSettings) {
@@ -82,6 +82,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
                 .put(transportClientSettings().filter(s -> s.startsWith("xpack.ssl") == false))
                 .put("node.name", "programmatic_transport_client")
                 .put("cluster.name", internalCluster().getClusterName())
+                .put("xpack.security.transport.ssl.enabled", true)
                 .put(additionalSettings)
                 .build();
         return new TestXPackTransportClient(settings);
@@ -105,6 +106,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
     public void testThatStandardTransportClientCanConnectToNoClientAuthProfile() throws Exception {
         try(TransportClient transportClient = new TestXPackTransportClient(Settings.builder()
                 .put(transportClientSettings())
+                .put("xpack.security.transport.ssl.enabled", true)
                 .put("node.name", "programmatic_transport_client")
                 .put("cluster.name", internalCluster().getClusterName())
                 .build())) {
@@ -247,6 +249,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
         Settings settings = Settings.builder()
                 .put(Security.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
                 .put("cluster.name", internalCluster().getClusterName())
+                .put("xpack.security.transport.ssl.enabled", true)
                 .put("xpack.ssl.truststore.path",
                         getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks"))
                 .put("xpack.ssl.truststore.password", "truststore-testnode-only")
@@ -254,7 +257,6 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
         try (TransportClient transportClient = new TestXPackTransportClient(settings)) {
             transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(),
                     getProfilePort("no_client_auth")));
-            assertGreenClusterState(transportClient);
         }
     }
 
@@ -268,6 +270,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
         Settings settings = Settings.builder()
                 .put(Security.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
                 .put("cluster.name", internalCluster().getClusterName())
+                .put("xpack.security.transport.ssl.enabled", true)
                 .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
                 .put("xpack.ssl.truststore.path",
                         getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks"))
@@ -292,6 +295,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
         Settings settings = Settings.builder()
                 .put(Security.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
                 .put("cluster.name", internalCluster().getClusterName())
+                .put("xpack.security.transport.ssl.enabled", true)
                 .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
                 .put("xpack.ssl.truststore.path",
                         getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/truststore-testnode-only.jks"))
@@ -316,6 +320,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
                 .put(Security.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
                 .put("cluster.name", internalCluster().getClusterName())
                 .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
+                .put("xpack.security.transport.ssl.enabled", true)
                 .build();
         try (TransportClient transportClient = new TestXPackTransportClient(settings)) {
             transportClient.addTransportAddress(randomFrom(internalCluster().getInstance(Transport.class).boundAddress().boundAddresses()));
@@ -336,6 +341,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
                 .put(Security.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
                 .put("cluster.name", internalCluster().getClusterName())
                 .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
+                .put("xpack.security.transport.ssl.enabled", true)
                 .build();
         try (TransportClient transportClient = new TestXPackTransportClient(settings)) {
             transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(), getProfilePort("client")));
@@ -356,6 +362,7 @@ public class SslMultiPortTests extends SecurityIntegTestCase {
                 .put(Security.USER_SETTING.getKey(), TEST_USER_NAME + ":" + TEST_PASSWORD)
                 .put("cluster.name", internalCluster().getClusterName())
                 .put("xpack.ssl.client_authentication", SSLClientAuth.REQUIRED)
+                .put("xpack.security.transport.ssl.enabled", true)
                 .build();
         try (TransportClient transportClient = new TestXPackTransportClient(settings)) {
             transportClient.addTransportAddress(new TransportAddress(InetAddress.getLoopbackAddress(),

plugin/src/test/java/org/elasticsearch/xpack/security/transport/ssl/SslNullCipherTests.java

@@ -17,7 +17,7 @@ import org.elasticsearch.test.SecurityIntegTestCase;
 public class SslNullCipherTests extends SecurityIntegTestCase {
 
     @Override
-    public boolean useGeneratedSSLConfig() {
+    public boolean transportSSLEnabled() {
         return true;
     }
 
@@ -25,7 +25,7 @@ public class SslNullCipherTests extends SecurityIntegTestCase {
     public Settings nodeSettings(int nodeOrdinal) {
         Settings settings = super.nodeSettings(nodeOrdinal);
         Settings.Builder builder = Settings.builder()
-                .put(settings.filter((s) -> s.startsWith("xpack.ssl") == false));
+                .put(settings);
         builder.put("xpack.security.transport.ssl.cipher_suites", "TLS_RSA_WITH_NULL_SHA256");
         return builder.build();
     }
@@ -34,7 +34,7 @@ public class SslNullCipherTests extends SecurityIntegTestCase {
     public Settings transportClientSettings() {
         Settings settings = super.transportClientSettings();
         Settings.Builder builder = Settings.builder()
-                .put(settings.filter((s) -> s.startsWith("xpack.ssl") == false));
+                .put(settings);
 
         builder.put("xpack.security.transport.ssl.cipher_suites", "TLS_RSA_WITH_NULL_SHA256");
         return builder.build();

plugin/src/test/java/org/elasticsearch/xpack/ssl/GeneratedKeyConfigTests.java

@@ -1,45 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.xpack.ssl;
-
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.node.Node;
-import org.elasticsearch.test.ESTestCase;
-
-import javax.net.ssl.X509ExtendedKeyManager;
-
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.RSAPrivateKey;
-
-import static org.hamcrest.Matchers.empty;
-import static org.hamcrest.Matchers.instanceOf;
-import static org.hamcrest.Matchers.is;
-
-public class GeneratedKeyConfigTests extends ESTestCase {
-
-    public void testGenerating() throws Exception {
-        Settings settings = Settings.builder().put(Node.NODE_NAME_SETTING.getKey(), randomAlphaOfLengthBetween(1, 8)).build();
-        GeneratedKeyConfig keyConfig = new GeneratedKeyConfig(settings);
-        assertThat(keyConfig.filesToMonitor(null), is(empty()));
-        X509ExtendedKeyManager keyManager = keyConfig.createKeyManager(null);
-        assertNotNull(keyManager);
-        assertNotNull(keyConfig.createTrustManager(null));
-
-        String[] aliases = keyManager.getServerAliases("RSA", null);
-        assertEquals(1, aliases.length);
-        PrivateKey privateKey = keyManager.getPrivateKey(aliases[0]);
-        assertNotNull(privateKey);
-        assertThat(privateKey, instanceOf(RSAPrivateKey.class));
-        X509Certificate[] certificates = keyManager.getCertificateChain(aliases[0]);
-        assertEquals(2, certificates.length);
-        assertEquals(GeneratedKeyConfig.readCACert(), certificates[1]);
-
-        X509Certificate generatedCertificate = certificates[0];
-        assertEquals("CN=" + Node.NODE_NAME_SETTING.get(settings), generatedCertificate.getSubjectX500Principal().getName());
-        assertEquals(certificates[1].getSubjectX500Principal(), generatedCertificate.getIssuerX500Principal());
-    }
-}

plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLBootstrapCheckTests.java

@@ -1,93 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.xpack.ssl;
-
-import org.elasticsearch.bootstrap.BootstrapContext;
-import org.elasticsearch.common.settings.MockSecureSettings;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.env.Environment;
-import org.elasticsearch.test.ESTestCase;
-
-public class SSLBootstrapCheckTests extends ESTestCase {
-
-    public void testSSLBootstrapCheckWithNoKey() throws Exception {
-        SSLService sslService = new SSLService(Settings.EMPTY, null);
-        SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(sslService, null);
-        assertTrue(bootstrapCheck.check(new BootstrapContext(Settings.EMPTY, null)).isFailure());
-    }
-
-    public void testSSLBootstrapCheckWithKey() throws Exception {
-        final String keyPrefix = randomBoolean() ? "security.transport." : "";
-        MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack." + keyPrefix + "ssl.secure_key_passphrase", "testclient");
-        Settings settings = Settings.builder()
-                .put("path.home", createTempDir())
-                .put("xpack." + keyPrefix + "ssl.key",
-                        getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem"))
-                .put("xpack." + keyPrefix + "ssl.certificate",
-                        getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"))
-                .setSecureSettings(secureSettings)
-                .build();
-        final Environment env = randomBoolean() ? new Environment(settings) : null;
-        SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env);
-        assertFalse(bootstrapCheck.check(new BootstrapContext(settings, null)).isFailure());
-    }
-
-    public void testSSLBootstrapCheckWithDefaultCABeingTrusted() throws Exception {
-        final String keyPrefix = randomBoolean() ? "security.transport." : "";
-        MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack." + keyPrefix + "ssl.secure_key_passphrase", "testclient");
-        Settings settings = Settings.builder()
-                .put("path.home", createTempDir())
-                .put("xpack." + keyPrefix + "ssl.key",
-                        getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem"))
-                .put("xpack." + keyPrefix + "ssl.certificate",
-                        getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"))
-                .putArray("xpack." + keyPrefix + "ssl.certificate_authorities",
-                        getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt").toString(),
-                        getDataPath("/org/elasticsearch/xpack/ssl/ca.pem").toString())
-                .setSecureSettings(secureSettings)
-                .build();
-        final Environment env = randomBoolean() ? new Environment(settings) : null;
-        SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env);
-        assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null)).isFailure());
-
-        settings = Settings.builder().put(settings.filter((s) -> s.contains(".certificate_authorities")))
-                .put("xpack.security.http.ssl.certificate_authorities",
-                        getDataPath("/org/elasticsearch/xpack/ssl/ca.pem").toString())
-                .build();
-        bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env);
-        assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null)).isFailure());
-    }
-
-    public void testSSLBootstrapCheckWithDefaultKeyBeingUsed() throws Exception {
-        final String keyPrefix = randomBoolean() ? "security.transport." : "";
-        MockSecureSettings secureSettings = new MockSecureSettings();
-        secureSettings.setString("xpack." + keyPrefix + "ssl.secure_key_passphrase", "testclient");
-        Settings settings = Settings.builder()
-                .put("path.home", createTempDir())
-                .put("xpack." + keyPrefix + "ssl.key",
-                        getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem"))
-                .put("xpack." + keyPrefix + "ssl.certificate",
-                        getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"))
-                .put("xpack.security.http.ssl.key", getDataPath("/org/elasticsearch/xpack/ssl/private.pem").toString())
-                .put("xpack.security.http.ssl.certificate", getDataPath("/org/elasticsearch/xpack/ssl/ca.pem").toString())
-                .setSecureSettings(secureSettings)
-                .build();
-        final Environment env = randomBoolean() ? new Environment(settings) : null;
-        SSLBootstrapCheck bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env);
-        assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null)).isFailure());
-
-        settings = Settings.builder().put(settings.filter((s) -> s.contains(".http.ssl.")))
-                .put("xpack.security.transport.profiles.foo.xpack.security.ssl.key",
-                        getDataPath("/org/elasticsearch/xpack/ssl/private.pem").toString())
-                .put("xpack.security.transport.profiles.foo.xpack.security.ssl.certificate",
-                        getDataPath("/org/elasticsearch/xpack/ssl/ca.pem").toString())
-                .build();
-        bootstrapCheck = new SSLBootstrapCheck(new SSLService(settings, env), env);
-        assertTrue(bootstrapCheck.check(new BootstrapContext(settings, null)).isFailure());
-    }
-}

plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java

@@ -56,8 +56,8 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
     }
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     public void testThatHttpFailsWithoutSslClientAuth() throws IOException {
@@ -93,6 +93,7 @@ public class SSLClientAuthTests extends SecurityIntegTestCase {
         MockSecureSettings secureSettings = new MockSecureSettings();
         secureSettings.setString("xpack.ssl.keystore.secure_password", "testclient-client-profile");
         Settings settings = Settings.builder()
+                .put("xpack.security.transport.ssl.enabled", true)
                 .put("xpack.ssl.client_authentication", SSLClientAuth.NONE)
                 .put("xpack.ssl.keystore.path", store)
                 .setSecureSettings(secureSettings)

plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLConfigurationReloaderTests.java

@@ -219,15 +219,12 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
                 .setSecureSettings(secureSettings)
                 .build();
         Environment env = randomBoolean() ? null : new Environment(settings);
-        final X500Principal expectedPrincipal = new X500Principal("CN=xpack public development ca");
 
         final SetOnce<Integer> trustedCount = new SetOnce<>();
         final BiConsumer<X509ExtendedTrustManager, SSLConfiguration> trustManagerPreChecks = (trustManager, config) -> {
             // trust manager checks
             Certificate[] certificates = trustManager.getAcceptedIssuers();
             trustedCount.set(certificates.length);
-            assertTrue(Arrays.stream(trustManager.getAcceptedIssuers())
-                    .anyMatch((cert) -> expectedPrincipal.equals(cert.getSubjectX500Principal())));
         };
 
 
@@ -247,8 +244,6 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
 
         final BiConsumer<X509ExtendedTrustManager, SSLConfiguration> trustManagerPostChecks = (updatedTrustManager, config) -> {
             assertThat(trustedCount.get() - updatedTrustManager.getAcceptedIssuers().length, is(5));
-            assertTrue(Arrays.stream(updatedTrustManager.getAcceptedIssuers())
-                    .anyMatch((cert) -> expectedPrincipal.equals(cert.getSubjectX500Principal())));
         };
 
         validateTrustConfigurationIsReloaded(settings, env, trustManagerPreChecks, modifier, trustManagerPostChecks);
@@ -267,15 +262,12 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
                 .put("path.home", createTempDir())
                 .build();
         Environment env = randomBoolean() ? null : new Environment(settings);
-        final X500Principal expectedPrincipal = new X500Principal("CN=xpack public development ca");
 
         final BiConsumer<X509ExtendedTrustManager, SSLConfiguration> trustManagerPreChecks = (trustManager, config) -> {
             // trust manager checks
             Certificate[] certificates = trustManager.getAcceptedIssuers();
-            assertThat(certificates.length, is(2));
+            assertThat(certificates.length, is(1));
             assertThat(((X509Certificate)certificates[0]).getSubjectX500Principal().getName(), containsString("Test Client"));
-            assertTrue(Arrays.stream(trustManager.getAcceptedIssuers())
-                    .anyMatch((cert) -> expectedPrincipal.equals(cert.getSubjectX500Principal())));
         };
 
         final Runnable modifier = () -> {
@@ -291,10 +283,8 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
 
         final BiConsumer<X509ExtendedTrustManager, SSLConfiguration> trustManagerPostChecks = (updatedTrustManager, config) -> {
             Certificate[] updatedCerts = updatedTrustManager.getAcceptedIssuers();
-            assertThat(updatedCerts.length, is(2));
+            assertThat(updatedCerts.length, is(1));
             assertThat(((X509Certificate)updatedCerts[0]).getSubjectX500Principal().getName(), containsString("Test Node"));
-            assertTrue(Arrays.stream(updatedTrustManager.getAcceptedIssuers())
-                    .anyMatch((cert) -> expectedPrincipal.equals(cert.getSubjectX500Principal())));
         };
 
         validateTrustConfigurationIsReloaded(settings, env, trustManagerPreChecks, modifier, trustManagerPostChecks);

plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java

@@ -85,8 +85,8 @@ public class SSLReloadIntegTests extends SecurityIntegTestCase {
     }
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     public void testThatSSLConfigurationReloadsOnModification() throws Exception {

plugin/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java

@@ -134,8 +134,8 @@ public class SSLTrustRestrictionsTests extends SecurityIntegTestCase {
     }
 
     @Override
-    protected boolean useGeneratedSSLConfig() {
+    protected boolean transportSSLEnabled() {
-        return false;
+        return true;
     }
 
     public void testCertificateWithTrustedNameIsAccepted() throws Exception {

qa/rolling-upgrade/build.gradle

@@ -159,6 +159,7 @@ subprojects {
       unicastTransportUri = { seedNode, node, ant -> oldClusterTest.nodes.get(0).transportUri() }
       dataDir = { nodeNumber -> oldClusterTest.nodes[1].dataDir }
       waitCondition = waitWithAuth
+      setting 'xpack.security.transport.ssl.enabled', 'true'
       setting 'xpack.ssl.keystore.path', 'testnode.jks'
       keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
       setting 'node.attr.upgraded', 'first'
@@ -190,6 +191,7 @@ subprojects {
       unicastTransportUri = { seedNode, node, ant -> mixedClusterTest.nodes.get(0).transportUri() }
       dataDir = { nodeNumber -> oldClusterTest.nodes[0].dataDir }
       waitCondition = waitWithAuth
+      setting 'xpack.security.transport.ssl.enabled', 'true'
       setting 'xpack.ssl.keystore.path', 'testnode.jks'
       keystoreSetting 'xpack.ssl.keystore.secure_password', 'testnode'
       setting 'xpack.security.authc.token.enabled', 'true'

qa/smoke-test-plugins-ssl/build.gradle

@@ -154,6 +154,8 @@ processTestResources.dependsOn(
         importNodeCertificateInClientKeyStore, importClientCertificateInNodeKeyStore
 )
 
+integTestCluster.dependsOn(importClientCertificateInNodeKeyStore)
+
 ext.pluginsCount = 1 // we install xpack explicitly
 project.rootProject.subprojects.findAll { it.path.startsWith(':plugins:') }.each { subproj ->
   // need to get a non-decorated project object, so must re-lookup the project by path