From 7eebacc88413d98cf6da644ceb27956169befb34 Mon Sep 17 00:00:00 2001
From: Daniel Mitterdorfer
Date: Tue, 3 May 2016 08:54:57 +0200
Subject: [PATCH] Disable HTTP compression by default when HTTPS is enabled.

With elastic/elasticsearchelastic/elasticsearch#7309 we enable HTTP compression by default. However, this can pose a security risk for HTTPS traffic (e.g. BREACH attack). Hence, we disable HTTP compression by default again if HTTPS enabled (note that this still allows the user to explicitly enable HTTP compression if they want to).
Relates elastic/elaticsearchelastic/elasticsearch#7309
Original commit: elastic/x-pack-elasticsearch@8da100c9a5105b2c73c84a1d2725f8e52bb14d74
---
 .../org/elasticsearch/shield/Security.java | 1 +
 .../netty/ShieldNettyHttpServerTransport.java | 7 +++++
 .../ShieldNettyHttpServerTransportTests.java | 29 +++++++++++++++++++
 3 files changed, 37 insertions(+)

diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Security.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Security.java
index b362ac41796..f4476b4f78c 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Security.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Security.java
@@ -181,6 +181,7 @@ public class Security {
 settingsBuilder.put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME);
 settingsBuilder.put(NetworkModule.TRANSPORT_SERVICE_TYPE_KEY, Security.NAME);
 settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Security.NAME);
+ ShieldNettyHttpServerTransport.overrideSettings(settingsBuilder, settings);
 addUserSettings(settingsBuilder);
 addTribeSettings(settingsBuilder);
 return settingsBuilder.build();
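Review bot: The added call on the new line gives a reader of Security.java no hint of why HTTP compression is being forced off, so they must open ShieldNettyHttpServerTransport to learn that it guards against compression-oracle (BREACH-style) leakage over HTTPS; a one-line why-comment above it would help, e.g. `// default HTTP compression to off when HTTPS is on (see BREACH); an explicit user setting still wins`. The call also runs before addUserSettings and addTribeSettings, so any SSL-related entries those helpers contribute are not seen by overrideSettings — presumably intended, since it reads the node's own settings, but worth confirming. The enclosing method starts and ends outside this hunk.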
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
index be4e4346704..3c46a19b16e 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
@@ -28,6 +28,7 @@ import javax.net.ssl.SSLEngine;
 import java.util.Collections;
+import static org.elasticsearch.http.HttpTransportSettings.SETTING_HTTP_COMPRESSION;
 import static org.elasticsearch.shield.Security.setting;
 import static org.elasticsearch.shield.transport.SSLExceptionHelper.isCloseDuringHandshakeException;
 import static org.elasticsearch.shield.transport.SSLExceptionHelper.isNotSslRecordException;
@@ -138,4 +139,10 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
 settingsModule.registerSetting(CLIENT_AUTH_SETTING);
 settingsModule.registerSetting(DEPRECATED_SSL_SETTING);
 }
+
+ public static void overrideSettings(Settings.Builder settingsBuilder, Settings settings) {
+ if (SSL_SETTING.get(settings) && SETTING_HTTP_COMPRESSION.exists(settings) == false) {
+ settingsBuilder.put(SETTING_HTTP_COMPRESSION.getKey(), false);
+ }
+ }
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java
index 58f5e9a28d3..c769b49cf52 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java
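Review bot: overrideSettings decides the compression override from SSL_SETTING alone, while the registration lines just above it show that DEPRECATED_SSL_SETTING is also accepted by this transport; unless SSL_SETTING is defined with the deprecated key as its fallback, a node that turns on HTTPS through the deprecated setting keeps compression enabled by default, which is exactly the BREACH exposure this patch sets out to close — worth confirming against the setting definitions, which are outside this hunk. The new method also carries no Javadoc; a summary such as `/** Defaults SETTING_HTTP_COMPRESSION to false when HTTPS is enabled, because compressing TLS responses is open to BREACH-style attacks; a value the user set explicitly is left untouched. */` would state the contract the accompanying tests pin down. Since the method is public and is called from Security, the Javadoc should also say that it only adds entries to settingsBuilder and never removes or rewrites existing ones.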
@@ -9,6 +9,7 @@ import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.BigArrays;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.http.HttpTransportSettings;
 import org.elasticsearch.http.netty.NettyHttpMockUtil;
 import org.elasticsearch.shield.ssl.SSLConfiguration.Global;
 import org.elasticsearch.shield.ssl.ServerSSLService;
@@ -115,4 +116,32 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
 assertThat(customEngine.getEnabledProtocols(), arrayContaining("TLSv1.2"));
 assertThat(customEngine.getEnabledProtocols(), not(equalTo(defaultEngine.getEnabledProtocols())));
 }
+
+ public void testDisablesCompressionByDefaultForSsl() throws Exception {
+ Settings settings = Settings.builder()
+ .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true).build();
+
+ Settings.Builder pluginSettingsBuilder = Settings.builder();
+ ShieldNettyHttpServerTransport.overrideSettings(pluginSettingsBuilder, settings);
+ assertThat(HttpTransportSettings.SETTING_HTTP_COMPRESSION.get(pluginSettingsBuilder.build()), is(false));
+ }
+
+ public void testLeavesCompressionOnIfNotSsl() throws Exception {
+ Settings settings = Settings.builder()
+ .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), false).build();
+ Settings.Builder pluginSettingsBuilder = Settings.builder();
+ ShieldNettyHttpServerTransport.overrideSettings(pluginSettingsBuilder, settings);
+ assertThat(pluginSettingsBuilder.build().isEmpty(), is(true));
+ }
+
+ public void testDoesNotChangeExplicitlySetCompression() throws Exception {
+ Settings settings = Settings.builder()
+ .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
+ .put(HttpTransportSettings.SETTING_HTTP_COMPRESSION.getKey(), true)
+ .build();
+
+ Settings.Builder pluginSettingsBuilder = Settings.builder();
+ ShieldNettyHttpServerTransport.overrideSettings(pluginSettingsBuilder, settings);
+ assertThat(pluginSettingsBuilder.build().isEmpty(), is(true));
+ }
 }
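Review bot: The three new tests repeat the same builder-override-build sequence verbatim, so the intent of each test is buried under setup; a small private helper that returns the built plugin settings would reduce each test to its input settings and one assertion. testLeavesCompressionOnIfNotSsl also only checks that the builder stays empty, which does not by itself show that compression remains on as the name claims; asserting `SETTING_HTTP_COMPRESSION.get(...)` on the result, `is(true)` if the core default is indeed enabled as the commit message states, would pin the intended behaviour rather than the mechanism. The helper and one rewritten test are sketched below; the other two tests change in the same way.

```java
    private static Settings overriddenSettings(Settings nodeSettings) {
        Settings.Builder pluginSettingsBuilder = Settings.builder();
        ShieldNettyHttpServerTransport.overrideSettings(pluginSettingsBuilder, nodeSettings);
        return pluginSettingsBuilder.build();
    }

    public void testDisablesCompressionByDefaultForSsl() throws Exception {
        Settings settings = Settings.builder()
            .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true).build();
        assertThat(HttpTransportSettings.SETTING_HTTP_COMPRESSION.get(overriddenSettings(settings)), is(false));
    }

    // … unchanged in shape: testLeavesCompressionOnIfNotSsl and testDoesNotChangeExplicitlySetCompression, now calling overriddenSettings(settings) …
```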