Skip to content

Replace custom reloadable Key/TrustManager (#30509) #30639

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 16, 2018
Merged

Replace custom reloadable Key/TrustManager (#30509) #30639

merged 1 commit into from
May 16, 2018

Conversation

@jkakavas
Copy link
Contributor

@jkakavas jkakavas commented May 16, 2018

Make SSLContext reloadable

This commit replaces all customKeyManagers and TrustManagers
(ReloadableKeyManager,ReloadableTrustManager,
EmptyKeyManager, EmptyTrustManager) with instances of
X509ExtendedKeyManager and X509ExtendedTrustManager.
This change was triggered by the effort to allow Elasticsearch to
run in a FIPS-140 environment. In JVMs running in FIPS approved
mode, only SunJSSE TrustManagers and KeyManagers can be used.
Reloadability is now ensured by a volatile instance of SSLContext
in SSLContectHolder.
SSLConfigurationReloaderTests use the reloadable SSLContext to
initialize HTTP Clients and Servers and use these for testing the
key material and trust relations.

@jkakavas
Replace custom reloadable Key/TrustManager (elastic#30509)
900b940 
Make SSLContext reloadable

This commit replaces all customKeyManagers and TrustManagers 
(ReloadableKeyManager,ReloadableTrustManager, 
EmptyKeyManager, EmptyTrustManager) with instances of 
X509ExtendedKeyManager and X509ExtendedTrustManager. 
This change was triggered by the effort to allow Elasticsearch to 
run in a FIPS-140 environment. In JVMs running in FIPS approved 
mode, only SunJSSE TrustManagers and KeyManagers can be used. 
Reloadability is now ensured by a volatile instance of SSLContext
in SSLContectHolder.
SSLConfigurationReloaderTests use the reloadable SSLContext to
initialize HTTP Clients and Servers and use these for testing the
key material and trust relations.
@jkakavas jkakavas added the :Security/TLS SSL/TLS, Certificates label May 16, 2018
@jkakavas jkakavas self-assigned this May 16, 2018
@elasticmachine
Copy link
Collaborator

elasticmachine commented May 16, 2018

Pinging @elastic/es-security

@jkakavas
Copy link
Contributor Author

jkakavas commented May 16, 2018

This has already been reviewed and approved in #30509. Opening it as a PR in 6.x instead of pushing directly so that I can get a full CI run.

@jkakavas jkakavas merged commit ab02bbe into elastic:6.x May 16, 2018
@jkakavas jkakavas deleted the 6.x branch September 14, 2018 06:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jkakavas jkakavas

Labels

>non-issue :Security/TLS SSL/TLS, Certificates

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jkakavas @elasticmachine @tomcallahan