Disable TLS diagnostics in FIPS mode (#49900)
This commit sets xpack.security.ssl.diagnose.trust to false in all the nodes of our TestClusters when running integTest. This is needed in 7.x because setting xpack.security.ssl.diagnose.trust to true wraps SunJSSE TrustManager with our own DiagnosticTrustManager and this is not allowed when SunJSSE is in FIPS mode.

An alternative would be to set `xpack.security.fips.enabled` to true which would also implicitly disable xpack.security.ssl.diagnose.trust but would have additional effects (would require that we set PBKDF2 for password hashing algorithm in all test clusters, would prohibit using JKS keystores in nodes even if relevant tests have been muted in FIPS mode etc.).
parent
c0216f9a06
commit
ac83e45a6b
|
@ -160,6 +160,8 @@ class BuildPlugin implements Plugin<Project> {
|
|||
testClusters.all { ElasticsearchCluster cluster ->
|
||||
cluster.systemProperty 'javax.net.ssl.trustStorePassword', 'password'
|
||||
cluster.systemProperty 'javax.net.ssl.keyStorePassword', 'password'
|
||||
// Can't use our DiagnosticTrustManager with SunJSSE in FIPS mode
|
||||
cluster.setting 'xpack.security.ssl.diagnose.trust', 'false'
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
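Review bot: the comment above `cluster.setting 'xpack.security.ssl.diagnose.trust', 'false'` says that DiagnosticTrustManager cannot be used with SunJSSE in FIPS mode, but not why this setting was chosen over `xpack.security.fips.enabled`. The commit message gives the reason (enabling FIPS mode would also force PBKDF2 password hashing and prohibit JKS keystores in the test clusters); a one-line version of that in the code comment would stop a later cleanup from replacing the setting with the broader one. Separately, the condition enclosing `testClusters.all { ... }` is not visible in this hunk, so please confirm the block only runs for FIPS JVM builds. If it applies to every integTest run, TLS trust diagnostics are lost for non-FIPS test clusters as well, and trust failures there become harder to debug.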