Automatically enable AES 256 bit TLS ciphers when available (elastic/x-pack-elasticsearch#2137)
This commit adds detection of support for AES 256 bit ciphers and enables their use when the JVM supports them. For OpenJDK, this is often the case without any changes but for the Oracle JVM, the unlimited policy file needs to be installed. In order to simplify the work a user would need to do we can detect this support and automatically enable the AES 256 bit versions of the ciphers we already enable. Original commit: elastic/x-pack-elasticsearch@5f23b18a1e
This commit is contained in:
parent
4bf5d9536a
commit
7291eb55fe
|
@ -14,9 +14,10 @@ from Oracle's http://www.oracle.com/technetwork/java/javase/downloads/index.html
|
|||
The _JCE Unlimited Strength Jurisdiction Policy Files`_ are required for
|
||||
encryption with key lengths greater than 128 bits, such as 256-bit AES encryption.
|
||||
|
||||
After installation, all cipher suites in the JCE are available for use. To enable
|
||||
the use of stronger cipher suites with {security}, configure the `cipher_suites`
|
||||
parameter. See the {ref}/security-settings.html#ssl-tls-settings[Configuration Parameters for TLS/SSL]
|
||||
After installation, all cipher suites in the JCE are available for use but requires
|
||||
configuration in order to use them. To enable the use of stronger cipher suites with
|
||||
{security}, configure the `cipher_suites` parameter. See the
|
||||
{ref}/security-settings.html#ssl-tls-settings[Configuration Parameters for TLS/SSL]
|
||||
section of this document for specific parameter information.
|
||||
|
||||
NOTE: The _JCE Unlimited Strength Jurisdiction Policy Files_ must be installed
|
||||
|
|
|
@ -598,7 +598,10 @@ Controls the verification of certificates. Valid values are `none`,
|
|||
Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
|
||||
Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
|
||||
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
|
||||
`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
|
||||
`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`. If the _Java Cryptography Extension (JCE) Unlimited Strength
|
||||
Jurisdiction Policy Files_ has been installed, the default value also includes `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`,
|
||||
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
|
||||
`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`.
|
||||
|
||||
[float]
|
||||
[[tls-ssl-key-settings]]
|
||||
|
|
|
@ -13,6 +13,8 @@ import org.elasticsearch.xpack.ssl.SSLClientAuth;
|
|||
import org.elasticsearch.xpack.ssl.SSLConfigurationSettings;
|
||||
import org.elasticsearch.xpack.ssl.VerificationMode;
|
||||
|
||||
import javax.crypto.Cipher;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
|
@ -84,10 +86,29 @@ public class XPackSettings {
|
|||
* SSL settings. These are the settings that are specifically registered for SSL. Many are private as we do not explicitly use them
|
||||
* but instead parse based on a prefix (eg *.ssl.*)
|
||||
*/
|
||||
public static final List<String> DEFAULT_CIPHERS =
|
||||
Arrays.asList("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA");
|
||||
public static final List<String> DEFAULT_CIPHERS;
|
||||
|
||||
static {
|
||||
List<String> ciphers = Arrays.asList("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA");
|
||||
try {
|
||||
final boolean use256Bit = Cipher.getMaxAllowedKeyLength("AES") > 128;
|
||||
if (use256Bit) {
|
||||
List<String> strongerCiphers = new ArrayList<>(ciphers.size() * 2);
|
||||
strongerCiphers.addAll(Arrays.asList("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
|
||||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA"));
|
||||
strongerCiphers.addAll(ciphers);
|
||||
ciphers = strongerCiphers;
|
||||
}
|
||||
} catch (NoSuchAlgorithmException e) {
|
||||
// ignore it here - there will be issues elsewhere and its not nice to throw in a static initializer
|
||||
}
|
||||
|
||||
DEFAULT_CIPHERS = ciphers;
|
||||
}
|
||||
|
||||
public static final List<String> DEFAULT_SUPPORTED_PROTOCOLS = Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1");
|
||||
public static final SSLClientAuth CLIENT_AUTH_DEFAULT = SSLClientAuth.REQUIRED;
|
||||
public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NONE;
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
/*
|
||||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
||||
* or more contributor license agreements. Licensed under the Elastic License;
|
||||
* you may not use this file except in compliance with the Elastic License.
|
||||
*/
|
||||
package org.elasticsearch.xpack;
|
||||
|
||||
import org.elasticsearch.test.ESTestCase;
|
||||
|
||||
import javax.crypto.Cipher;
|
||||
|
||||
import static org.hamcrest.Matchers.hasItem;
|
||||
import static org.hamcrest.Matchers.not;
|
||||
|
||||
public class XPackSettingsTests extends ESTestCase {
|
||||
|
||||
public void testDefaultSSLCiphers() throws Exception {
|
||||
assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_RSA_WITH_AES_128_CBC_SHA"));
|
||||
|
||||
final boolean useAES256 = Cipher.getMaxAllowedKeyLength("AES") > 128;
|
||||
if (useAES256) {
|
||||
logger.info("AES 256 is available");
|
||||
assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_RSA_WITH_AES_256_CBC_SHA"));
|
||||
} else {
|
||||
logger.info("AES 256 is not available");
|
||||
assertThat(XPackSettings.DEFAULT_CIPHERS, not(hasItem("TLS_RSA_WITH_AES_256_CBC_SHA")));
|
||||
}
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue