From ac83e45a6b75fa0e9daa96647e5cc6e4dee1d624 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Fri, 13 Dec 2019 12:47:53 +0200
Subject: [PATCH] Disable TLS diagnostics in FIPS mode (#49900)

This commit sets xpack.security.ssl.diagnose.trust to false in all the nodes of our TestClusters when running integTest. This is needed in 7.x because setting xpack.security.ssl.diagnose.trust to true wraps SunJSSE TrustManager with our own DiagnosticTrustManager and this is not allowed when SunJSSE is in FIPS mode. An alternative would be to set `xpack.security.fips.enabled` to true which would also implicitly disable xpack.security.ssl.diagnose.trust but would have additional effects (would require that we set PBKDF2 for password hashing algorithm in all test clusters, would prohibit using JKS keystores in nodes even if relevant tests have been muted in FIPS mode etc.)
---
 .../src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy
index 58a80fbd22f..1129f29b11c 100644
--- a/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy
+++ b/buildSrc/src/main/groovy/org/elasticsearch/gradle/BuildPlugin.groovy
@@ -160,6 +160,8 @@ class BuildPlugin implements Plugin {
 testClusters.all { ElasticsearchCluster cluster ->
 cluster.systemProperty 'javax.net.ssl.trustStorePassword', 'password'
 cluster.systemProperty 'javax.net.ssl.keyStorePassword', 'password'
+ // Can't use our DiagnosticTrustManager with SunJSSE in FIPS mode
+ cluster.setting 'xpack.security.ssl.diagnose.trust', 'false'
 }
 }
 }
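Review bot: The comment added above `cluster.setting 'xpack.security.ssl.diagnose.trust', 'false'` gives the reason for the workaround but not its scope or lifetime. The commit message says the wrapped SunJSSE TrustManager is only a problem in 7.x under FIPS, so I would record that next to the setting, e.g. `// 7.x only: SunJSSE in FIPS mode rejects a wrapped TrustManager, so trust diagnostics stay off for FIPS test runs`. The enclosing block starts outside the hunk, so it cannot be confirmed here that this `testClusters.all` closure is guarded by a FIPS-JVM check; if it is not, TLS trust-failure diagnostics would also be lost in ordinary integTest runs. Going by the commit message, the setting controls only the diagnostic wrapper, so certificate validation itself should be unchanged.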