From 7291eb55feec5a3404e934c3f15438fff992d513 Mon Sep 17 00:00:00 2001 From: Jay Modi Date: Tue, 1 Aug 2017 07:36:35 -0600 Subject: [PATCH] Automatically enable AES 256 bit TLS ciphers when available (elastic/x-pack-elasticsearch#2137) This commit adds detection of support for AES 256 bit ciphers and enables their use when the JVM supports them. For OpenJDK, this is often the case without any changes but for the Oracle JVM, the unlimited policy file needs to be installed. In order to simplify the work a user would need to do we can detect this support and automatically enable the AES 256 bit versions of the ciphers we already enable. Original commit: elastic/x-pack-elasticsearch@5f23b18a1e164372a54ad9975446061731476efe --- .../enabling-cipher-suites.asciidoc | 7 +++-- docs/en/settings/security-settings.asciidoc | 5 +++- .../elasticsearch/xpack/XPackSettings.java | 29 ++++++++++++++++--- .../xpack/XPackSettingsTests.java | 29 +++++++++++++++++++ 4 files changed, 62 insertions(+), 8 deletions(-) create mode 100644 plugin/src/test/java/org/elasticsearch/xpack/XPackSettingsTests.java diff --git a/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc b/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc index 86691ee83cc..a7d2f7c98a7 100644 --- a/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc +++ b/docs/en/security/securing-communications/enabling-cipher-suites.asciidoc @@ -14,9 +14,10 @@ from Oracle's http://www.oracle.com/technetwork/java/javase/downloads/index.html The _JCE Unlimited Strength Jurisdiction Policy Files`_ are required for encryption with key lengths greater than 128 bits, such as 256-bit AES encryption. -After installation, all cipher suites in the JCE are available for use. To enable -the use of stronger cipher suites with {security}, configure the `cipher_suites` -parameter. See the {ref}/security-settings.html#ssl-tls-settings[Configuration Parameters for TLS/SSL] +After installation, all cipher suites in the JCE are available for use but requires +configuration in order to use them. To enable the use of stronger cipher suites with +{security}, configure the `cipher_suites` parameter. See the +{ref}/security-settings.html#ssl-tls-settings[Configuration Parameters for TLS/SSL] section of this document for specific parameter information. NOTE: The _JCE Unlimited Strength Jurisdiction Policy Files_ must be installed diff --git a/docs/en/settings/security-settings.asciidoc b/docs/en/settings/security-settings.asciidoc index faa26b1945f..cd21cd8182f 100644 --- a/docs/en/settings/security-settings.asciidoc +++ b/docs/en/settings/security-settings.asciidoc @@ -598,7 +598,10 @@ Controls the verification of certificates. Valid values are `none`, Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[ Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, -`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`. +`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`. If the _Java Cryptography Extension (JCE) Unlimited Strength +Jurisdiction Policy Files_ has been installed, the default value also includes `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, +`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, +`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`. [float] [[tls-ssl-key-settings]] diff --git a/plugin/src/main/java/org/elasticsearch/xpack/XPackSettings.java b/plugin/src/main/java/org/elasticsearch/xpack/XPackSettings.java index b6467b29073..71d29147315 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/XPackSettings.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/XPackSettings.java @@ -13,6 +13,8 @@ import org.elasticsearch.xpack.ssl.SSLClientAuth; import org.elasticsearch.xpack.ssl.SSLConfigurationSettings; import org.elasticsearch.xpack.ssl.VerificationMode; +import javax.crypto.Cipher; +import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; @@ -84,10 +86,29 @@ public class XPackSettings { * SSL settings. These are the settings that are specifically registered for SSL. Many are private as we do not explicitly use them * but instead parse based on a prefix (eg *.ssl.*) */ - public static final List DEFAULT_CIPHERS = - Arrays.asList("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA"); + public static final List DEFAULT_CIPHERS; + + static { + List ciphers = Arrays.asList("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA"); + try { + final boolean use256Bit = Cipher.getMaxAllowedKeyLength("AES") > 128; + if (use256Bit) { + List strongerCiphers = new ArrayList<>(ciphers.size() * 2); + strongerCiphers.addAll(Arrays.asList("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA")); + strongerCiphers.addAll(ciphers); + ciphers = strongerCiphers; + } + } catch (NoSuchAlgorithmException e) { + // ignore it here - there will be issues elsewhere and its not nice to throw in a static initializer + } + + DEFAULT_CIPHERS = ciphers; + } + public static final List DEFAULT_SUPPORTED_PROTOCOLS = Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1"); public static final SSLClientAuth CLIENT_AUTH_DEFAULT = SSLClientAuth.REQUIRED; public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NONE; diff --git a/plugin/src/test/java/org/elasticsearch/xpack/XPackSettingsTests.java b/plugin/src/test/java/org/elasticsearch/xpack/XPackSettingsTests.java new file mode 100644 index 00000000000..d968b65bf9f --- /dev/null +++ b/plugin/src/test/java/org/elasticsearch/xpack/XPackSettingsTests.java @@ -0,0 +1,29 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ +package org.elasticsearch.xpack; + +import org.elasticsearch.test.ESTestCase; + +import javax.crypto.Cipher; + +import static org.hamcrest.Matchers.hasItem; +import static org.hamcrest.Matchers.not; + +public class XPackSettingsTests extends ESTestCase { + + public void testDefaultSSLCiphers() throws Exception { + assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_RSA_WITH_AES_128_CBC_SHA")); + + final boolean useAES256 = Cipher.getMaxAllowedKeyLength("AES") > 128; + if (useAES256) { + logger.info("AES 256 is available"); + assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_RSA_WITH_AES_256_CBC_SHA")); + } else { + logger.info("AES 256 is not available"); + assertThat(XPackSettings.DEFAULT_CIPHERS, not(hasItem("TLS_RSA_WITH_AES_256_CBC_SHA"))); + } + } +}