Disable HTTP compression by default when HTTPS is enabled.

With elastic/elasticsearchelastic/elasticsearch#7309 we enable HTTP compression by default. However, this can pose a security risk for HTTPS traffic (e.g. BREACH attack). Hence, we disable HTTP compression by default again if HTTPS enabled (note that this still allows the user to explicitly enable HTTP compression if they want to). Relates elastic/elaticsearchelastic/elasticsearch#7309 Original commit: elastic/x-pack-elasticsearch@8da100c9a5
2016-05-03 08:54:57 +02:00 · 2016-05-03 08:54:57 +02:00 · 7eebacc884
parent 23ebbed95a
commit 7eebacc884
3 changed files with 37 additions and 0 deletions
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Security.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Security.java
@ -181,6 +181,7 @@ public class Security {
        settingsBuilder.put(NetworkModule.TRANSPORT_TYPE_KEY, Security.NAME);
        settingsBuilder.put(NetworkModule.TRANSPORT_SERVICE_TYPE_KEY, Security.NAME);
        settingsBuilder.put(NetworkModule.HTTP_TYPE_SETTING.getKey(), Security.NAME);
+        ShieldNettyHttpServerTransport.overrideSettings(settingsBuilder, settings);
        addUserSettings(settingsBuilder);
        addTribeSettings(settingsBuilder);
        return settingsBuilder.build();
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
@ -28,6 +28,7 @@ import javax.net.ssl.SSLEngine;

 import java.util.Collections;

+import static org.elasticsearch.http.HttpTransportSettings.SETTING_HTTP_COMPRESSION;
 import static org.elasticsearch.shield.Security.setting;
 import static org.elasticsearch.shield.transport.SSLExceptionHelper.isCloseDuringHandshakeException;
 import static org.elasticsearch.shield.transport.SSLExceptionHelper.isNotSslRecordException;
@ -138,4 +139,10 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
        settingsModule.registerSetting(CLIENT_AUTH_SETTING);
        settingsModule.registerSetting(DEPRECATED_SSL_SETTING);
    }
+
+    public static void overrideSettings(Settings.Builder settingsBuilder, Settings settings) {
+        if (SSL_SETTING.get(settings) && SETTING_HTTP_COMPRESSION.exists(settings) == false) {
+            settingsBuilder.put(SETTING_HTTP_COMPRESSION.getKey(), false);
+        }
+    }
 }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java
@ -9,6 +9,7 @@ import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.BigArrays;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.http.HttpTransportSettings;
 import org.elasticsearch.http.netty.NettyHttpMockUtil;
 import org.elasticsearch.shield.ssl.SSLConfiguration.Global;
 import org.elasticsearch.shield.ssl.ServerSSLService;
@ -115,4 +116,32 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
        assertThat(customEngine.getEnabledProtocols(), arrayContaining("TLSv1.2"));
        assertThat(customEngine.getEnabledProtocols(), not(equalTo(defaultEngine.getEnabledProtocols())));
    }
+
+    public void testDisablesCompressionByDefaultForSsl() throws Exception {
+        Settings settings = Settings.builder()
+                .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true).build();
+
+        Settings.Builder pluginSettingsBuilder = Settings.builder();
+        ShieldNettyHttpServerTransport.overrideSettings(pluginSettingsBuilder, settings);
+        assertThat(HttpTransportSettings.SETTING_HTTP_COMPRESSION.get(pluginSettingsBuilder.build()), is(false));
+    }
+
+    public void testLeavesCompressionOnIfNotSsl() throws Exception {
+        Settings settings = Settings.builder()
+                .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), false).build();
+        Settings.Builder pluginSettingsBuilder = Settings.builder();
+        ShieldNettyHttpServerTransport.overrideSettings(pluginSettingsBuilder, settings);
+        assertThat(pluginSettingsBuilder.build().isEmpty(), is(true));
+    }
+
+    public void testDoesNotChangeExplicitlySetCompression() throws Exception {
+        Settings settings = Settings.builder()
+                .put(ShieldNettyHttpServerTransport.SSL_SETTING.getKey(), true)
+                .put(HttpTransportSettings.SETTING_HTTP_COMPRESSION.getKey(), true)
+                .build();
+
+        Settings.Builder pluginSettingsBuilder = Settings.builder();
+        ShieldNettyHttpServerTransport.overrideSettings(pluginSettingsBuilder, settings);
+        assertThat(pluginSettingsBuilder.build().isEmpty(), is(true));
+    }
 }