Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace custom reloadable Key/TrustManager (#30509) #30639

Merged
merged 1 commit into from
May 16, 2018
Merged

Replace custom reloadable Key/TrustManager (#30509) #30639

merged 1 commit into from
May 16, 2018

Conversation

jkakavas
Copy link
Member

Make SSLContext reloadable

This commit replaces all customKeyManagers and TrustManagers
(ReloadableKeyManager,ReloadableTrustManager,
EmptyKeyManager, EmptyTrustManager) with instances of
X509ExtendedKeyManager and X509ExtendedTrustManager.
This change was triggered by the effort to allow Elasticsearch to
run in a FIPS-140 environment. In JVMs running in FIPS approved
mode, only SunJSSE TrustManagers and KeyManagers can be used.
Reloadability is now ensured by a volatile instance of SSLContext
in SSLContectHolder.
SSLConfigurationReloaderTests use the reloadable SSLContext to
initialize HTTP Clients and Servers and use these for testing the
key material and trust relations.

@jkakavas
Replace custom reloadable Key/TrustManager (elastic#30509)
900b940 
Make SSLContext reloadable

This commit replaces all customKeyManagers and TrustManagers 
(ReloadableKeyManager,ReloadableTrustManager, 
EmptyKeyManager, EmptyTrustManager) with instances of 
X509ExtendedKeyManager and X509ExtendedTrustManager. 
This change was triggered by the effort to allow Elasticsearch to 
run in a FIPS-140 environment. In JVMs running in FIPS approved 
mode, only SunJSSE TrustManagers and KeyManagers can be used. 
Reloadability is now ensured by a volatile instance of SSLContext
in SSLContectHolder.
SSLConfigurationReloaderTests use the reloadable SSLContext to
initialize HTTP Clients and Servers and use these for testing the
key material and trust relations.
@jkakavas jkakavas added the :Security/TLS SSL/TLS, Certificates label May 16, 2018
@jkakavas jkakavas self-assigned this May 16, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@jkakavas
Copy link
Member Author

This has already been reviewed and approved in #30509. Opening it as a PR in 6.x instead of pushing directly so that I can get a full CI run.

@jkakavas jkakavas merged commit ab02bbe into elastic:6.x May 16, 2018
@jkakavas jkakavas deleted the 6.x branch September 14, 2018 06:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@jkakavas jkakavas

Labels
>non-issue :Security/TLS SSL/TLS, Certificates
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jkakavas @elasticmachine @tomcallahan