honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix SSLContext pinning to TLSV1.2 in reload tests (#38341) 

This commit fixes the pinning of SSLContexts to TLSv1.2 in the
SSLConfigurationReloaderTests. The pinning was added for the initial
creation of clients and webservers but the updated contexts would
default to TLSv1.3, which is known to cause hangs with the
MockWebServer that we use.

Relates #38103
Closes #38247
This commit is contained in:
Jay Modi 2019-02-04 14:34:37 -07:00 committed by GitHub
parent 0ced775389
commit c3cdf84c04
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java
View File

@ -91,6 +91,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
final Settings settings = Settings.builder()
.put("path.home", createTempDir())
.put("xpack.security.transport.ssl.keystore.path", keystorePath)
.put("xpack.security.transport.ssl.supported_protocols", "TLSv1.2")
.setSecureSettings(secureSettings)
.build();
final Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
@ -149,6 +150,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
.put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.security.transport.ssl.certificate", certPath)
.putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString())
.put("xpack.security.transport.ssl.supported_protocols", "TLSv1.2")
.setSecureSettings(secureSettings)
.build();
final Environment env = randomBoolean() ? null :
@ -193,7 +195,6 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
* Tests the reloading of SSLContext when the trust store is modified. The same store is used as a TrustStore (for the
* reloadable SSLContext used in the HTTPClient) and as a KeyStore for the MockWebServer
*/
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/38247")
public void testReloadingTrustStore() throws Exception {
assumeFalse("Can't run in a FIPS JVM", inFipsJvm());
Path tempDir = createTempDir();
@ -206,6 +207,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.security.transport.ssl.truststore.path", trustStorePath)
.put("xpack.security.transport.ssl.supported_protocols", "TLSv1.2")
.put("path.home", createTempDir())
.setSecureSettings(secureSettings)
.build();
@ -241,10 +243,10 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
validateSSLConfigurationIsReloaded(settings, env, trustMaterialPreChecks, modifier, trustMaterialPostChecks);
}
}
/**
* Test the reloading of SSLContext whose trust config is backed by PEM certificate files.
*/
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/38247")
public void testReloadingPEMTrustConfig() throws Exception {
Path tempDir = createTempDir();
Path serverCertPath = tempDir.resolve("testnode.crt");
@ -257,6 +259,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_updated.crt"), updatedCert);
Settings settings = Settings.builder()
.putList("xpack.security.transport.ssl.certificate_authorities", serverCertPath.toString())
.put("xpack.security.transport.ssl.supported_protocols", "TLSv1.2")
.put("path.home", createTempDir())
.build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);
@ -305,6 +308,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
secureSettings.setString("xpack.security.transport.ssl.keystore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.security.transport.ssl.keystore.path", keystorePath)
.put("xpack.security.transport.ssl.supported_protocols", "TLSv1.2")
.setSecureSettings(secureSettings)
.put("path.home", createTempDir())
.build();
@ -346,6 +350,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
.put("xpack.security.transport.ssl.key", keyPath)
.put("xpack.security.transport.ssl.certificate", certPath)
.putList("xpack.security.transport.ssl.certificate_authorities", certPath.toString(), clientCertPath.toString())
.put("xpack.security.transport.ssl.supported_protocols", "TLSv1.2")
.put("path.home", createTempDir())
.setSecureSettings(secureSettings)
.build();
@ -381,6 +386,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
secureSettings.setString("xpack.security.transport.ssl.truststore.secure_password", "testnode");
Settings settings = Settings.builder()
.put("xpack.security.transport.ssl.truststore.path", trustStorePath)
.put("xpack.security.transport.ssl.supported_protocols", "TLSv1.2")
.put("path.home", createTempDir())
.setSecureSettings(secureSettings)
.build();
@ -414,6 +420,7 @@ public class SSLConfigurationReloaderTests extends ESTestCase {
Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);
Settings settings = Settings.builder()
.putList("xpack.security.transport.ssl.certificate_authorities", clientCertPath.toString())
.put("xpack.security.transport.ssl.supported_protocols", "TLSv1.2")
.put("path.home", createTempDir())
.build();
Environment env = randomBoolean() ? null : TestEnvironment.newEnvironment(settings);