From 7f13fd87e49cc373d450d43fc5f6ebdbeb05273f Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Fri, 19 Apr 2019 10:39:30 -0600
Subject: [PATCH 01/15] Update TLS ciphers and protocols for JDK 11

This commit updates the default ciphers and TLS protocols that are used
after the minimum supported JDK is JDK 11. The conditionals around
TLSv1.3 and 256-bit cipher support have been removed. JDK 11 no longer
requires an unlimited JCE policy file for 256 bit cipher support and
TLSv1.3 is supported in JDK 11+. New cipher support has been introduced
in the newer JDK versions as well. The ciphers are ordered with PFS
ciphers being most preferred, then AEAD ciphers, and finally those with
mainstream hardware support.
---
 .../settings/security-settings.asciidoc       | 39 +++++++-----
 .../xpack/core/XPackSettings.java             | 62 +++++++------------
 .../xpack/core/XPackSettingsTests.java        | 32 +---------
 3 files changed, 50 insertions(+), 83 deletions(-)

diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc
index b767b7869dbd9..52908459b05da 100644
--- a/docs/reference/settings/security-settings.asciidoc
+++ b/docs/reference/settings/security-settings.asciidoc
@@ -510,8 +510,7 @@ and `full`. Defaults to `full`.
 See <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of these values.
 
 `ssl.supported_protocols`::
-Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.3,TLSv1.2,TLSv1.1` if
-the JVM supports TLSv1.3, otherwise `TLSv1.2,TLSv1.1`.
+Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.3,TLSv1.2,TLSv1.1`.
 
 `ssl.cipher_suites`:: Specifies the cipher suites that should be supported when 
 communicating with the LDAP server. 
@@ -755,8 +754,7 @@ and `full`. Defaults to `full`.
 See <<ssl-tls-settings,`ssl.verification_mode`>> for an explanation of these values.
 
 `ssl.supported_protocols`::
-Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.3,TLSv1.2,TLSv1.1` if
-the JVM supports TLSv1.3, otherwise `TLSv1.2,TLSv1.1`.
+Supported protocols for TLS/SSL (with versions). Defaults to `TLSv1.3,TLSv1.2,TLSv1.1`.
 
 `ssl.cipher_suites`:: Specifies the cipher suites that should be supported when 
 communicating with the Active Directory server. 
@@ -1164,8 +1162,7 @@ Defaults to `full`.
 See <<ssl-tls-settings,`ssl.verification_mode`>> for a more detailed explanation of these values.
 
 `ssl.supported_protocols`::
-Specifies the supported protocols for TLS/SSL. Defaults to `TLSv1.3,TLSv1.2,TLSv1.1` if
-the JVM supports TLSv1.3, otherwise `TLSv1.2,TLSv1.1`.
+Specifies the supported protocols for TLS/SSL. Defaults to `TLSv1.3,TLSv1.2,TLSv1.1`.
 
 `ssl.cipher_suites`::
 Specifies the
@@ -1239,8 +1236,7 @@ settings. For more information, see
 
 `ssl.supported_protocols`::
 Supported protocols with versions. Valid protocols: `SSLv2Hello`,
-`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. Defaults to `TLSv1.3,TLSv1.2,TLSv1.1` if
-the JVM supports TLSv1.3, otherwise `TLSv1.2,TLSv1.1`.
+`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. Defaults to `TLSv1.3,TLSv1.2,TLSv1.1`.
 +
 --
 NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello` 
@@ -1272,12 +1268,27 @@ The default value is `full`.
 
 `ssl.cipher_suites`::
 Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
-Java Cryptography Architecture documentation]. Defaults to `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
-`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
-`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`. If the _Java Cryptography Extension (JCE) Unlimited Strength
-Jurisdiction Policy Files_ has been installed, the default value also includes `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`,
-`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
-`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`.
+Java Cryptography Architecture documentation]. Defaults to `TLS_AES_256_GCM_SHA384`,
+`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
+`TLS_ECDHE_ECDSA_WITH_AES_256_CCM`, `TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8`,
+`TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384`,
+`TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384`,
+`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`,
+`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
+`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_256_CCM`, `TLS_RSA_WITH_AES_256_CCM_8`,
+`TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384`, `TLS_RSA_WITH_ARIA_256_GCM_SHA384`,
+`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`,
+`TLS_AES_128_GCM_SHA256`,
+`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` ,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
+`TLS_ECDHE_ECDSA_WITH_AES_128_CCM`, `TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8`,
+`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`,
+`TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256`,
+`TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256`,
+`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
+`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
+`TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_128_CCM`, `TLS_RSA_WITH_AES_128_CCM_8`,
+`TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256`, `TLS_RSA_WITH_ARIA_128_GCM_SHA256`,
+`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
 
 [float]
 [[tls-ssl-key-settings]]
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
index 0eeb173b8b84e..83db99c3cd353 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
@@ -6,7 +6,6 @@
 
 package org.elasticsearch.xpack.core;
 
-import org.apache.logging.log4j.LogManager;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.xpack.core.security.SecurityField;
@@ -15,13 +14,10 @@
 import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
 import org.elasticsearch.xpack.core.ssl.VerificationMode;
 
-import javax.crypto.Cipher;
 import javax.crypto.SecretKeyFactory;
-import javax.net.ssl.SSLContext;
 
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
@@ -38,7 +34,6 @@ private XPackSettings() {
         throw new IllegalStateException("Utility class should not be instantiated");
     }
 
-
     /**
      * Setting for controlling whether or not CCR is enabled.
      */
@@ -122,28 +117,27 @@ private XPackSettings() {
      * SSL settings. These are the settings that are specifically registered for SSL. Many are private as we do not explicitly use them
      * but instead parse based on a prefix (eg *.ssl.*)
      */
-    public static final List<String> DEFAULT_CIPHERS;
-
-    static {
-        List<String> ciphers = Arrays.asList("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
-                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
-                "TLS_RSA_WITH_AES_128_CBC_SHA");
-        try {
-            final boolean use256Bit = Cipher.getMaxAllowedKeyLength("AES") > 128;
-            if (use256Bit) {
-                List<String> strongerCiphers = new ArrayList<>(ciphers.size() * 2);
-                strongerCiphers.addAll(Arrays.asList("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
-                        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-                        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA"));
-                strongerCiphers.addAll(ciphers);
-                ciphers = strongerCiphers;
-            }
-        } catch (NoSuchAlgorithmException e) {
-            // ignore it here - there will be issues elsewhere and its not nice to throw in a static initializer
-        }
-
-        DEFAULT_CIPHERS = ciphers;
-    }
+    public static final List<String> DEFAULT_CIPHERS = List.of("TLS_AES_256_GCM_SHA384", // TLSv1.3 cipher has PFS, AEAD, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", // PFS, AEAD, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", // PFS, AEAD, hardware support
+        "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", // PFS, AEAD
+        "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", // PFS, AEAD
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", // PFS, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", // PFS, hardware support
+        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CCM", "TLS_RSA_WITH_AES_256_CCM_8", // AEAD, hardware support
+        "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_RSA_WITH_ARIA_256_GCM_SHA384", // AEAD
+        "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", // hardware support
+        "TLS_AES_128_GCM_SHA256", // TLSv1.3 cipher has PFS, AEAD, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" ,"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", // PFS, AEAD, hardware support
+        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", // PFS, AEAD
+        "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", // PFS, AEAD
+        "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", // PFS, AEAD
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // PFS, hardware support
+        "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CCM", "TLS_RSA_WITH_AES_128_CCM_8", // AEAD, hardware support
+        "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_RSA_WITH_ARIA_128_GCM_SHA256", //AEAD
+        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"); // hardware support
 
     /*
      * Do not allow insecure hashing algorithms to be used for password hashing
@@ -164,19 +158,7 @@ private XPackSettings() {
         }
     }, Setting.Property.NodeScope);
 
-    public static final List<String> DEFAULT_SUPPORTED_PROTOCOLS;
-
-    static {
-        boolean supportsTLSv13 = false;
-        try {
-            SSLContext.getInstance("TLSv1.3");
-            supportsTLSv13 = true;
-        } catch (NoSuchAlgorithmException e) {
-            LogManager.getLogger(XPackSettings.class).debug("TLSv1.3 is not supported", e);
-        }
-        DEFAULT_SUPPORTED_PROTOCOLS = supportsTLSv13 ?
-            Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1") : Arrays.asList("TLSv1.2", "TLSv1.1");
-    }
+    public static final List<String> DEFAULT_SUPPORTED_PROTOCOLS = List.of("TLSv1.3", "TLSv1.2", "TLSv1.1");
 
     public static final SSLClientAuth CLIENT_AUTH_DEFAULT = SSLClientAuth.REQUIRED;
     public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NONE;
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/XPackSettingsTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/XPackSettingsTests.java
index 004b46897a48e..924e55be51cb4 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/XPackSettingsTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/XPackSettingsTests.java
@@ -7,30 +7,19 @@
 
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
-import javax.crypto.Cipher;
 import javax.crypto.SecretKeyFactory;
-import javax.net.ssl.SSLContext;
 
 import java.security.NoSuchAlgorithmException;
 
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.hasItem;
-import static org.hamcrest.Matchers.not;
 
 public class XPackSettingsTests extends ESTestCase {
 
-    public void testDefaultSSLCiphers() throws Exception {
+    public void testDefaultSSLCiphers() {
         assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_RSA_WITH_AES_128_CBC_SHA"));
-
-        final boolean useAES256 = Cipher.getMaxAllowedKeyLength("AES") > 128;
-        if (useAES256) {
-            logger.info("AES 256 is available");
-            assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_RSA_WITH_AES_256_CBC_SHA"));
-        } else {
-            logger.info("AES 256 is not available");
-            assertThat(XPackSettings.DEFAULT_CIPHERS, not(hasItem("TLS_RSA_WITH_AES_256_CBC_SHA")));
-        }
+        assertThat(XPackSettings.DEFAULT_CIPHERS, hasItem("TLS_RSA_WITH_AES_256_CBC_SHA"));
     }
 
     public void testPasswordHashingAlgorithmSettingValidation() {
@@ -50,16 +39,10 @@ public void testPasswordHashingAlgorithmSettingValidation() {
             Settings.builder().put(XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey(), bcryptAlgo).build()));
     }
 
-    public void testDefaultSupportedProtocolsWithTLSv13() throws Exception {
-        assumeTrue("current JVM does not support TLSv1.3", supportTLSv13());
+    public void testDefaultSupportedProtocols() {
         assertThat(XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS, contains("TLSv1.3", "TLSv1.2", "TLSv1.1"));
     }
 
-    public void testDefaultSupportedProtocolsWithoutTLSv13() throws Exception {
-        assumeFalse("current JVM supports TLSv1.3", supportTLSv13());
-        assertThat(XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS, contains("TLSv1.2", "TLSv1.1"));
-    }
-
     private boolean isSecretkeyFactoryAlgoAvailable(String algorithmId) {
         try {
             SecretKeyFactory.getInstance(algorithmId);
@@ -68,13 +51,4 @@ private boolean isSecretkeyFactoryAlgoAvailable(String algorithmId) {
             return false;
         }
     }
-
-    private boolean supportTLSv13() {
-        try {
-            SSLContext.getInstance("TLSv1.3");
-            return true;
-        } catch (NoSuchAlgorithmException e) {
-            return false;
-        }
-    }
 }

From 25f812a2ddab0ead11beb300cae89ca8cfb9425e Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Mon, 22 Apr 2019 09:37:14 -0600
Subject: [PATCH 02/15] aria and camellia are defined but not actually
 implemented in the JDK

---
 .../org/elasticsearch/xpack/core/XPackSettings.java | 13 ++-----------
 .../transport/ssl/EllipticCurveSSLTests.java        |  5 ++++-
 2 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
index 83db99c3cd353..b76191af57fa3 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
@@ -119,24 +119,15 @@ private XPackSettings() {
      */
     public static final List<String> DEFAULT_CIPHERS = List.of("TLS_AES_256_GCM_SHA384", // TLSv1.3 cipher has PFS, AEAD, hardware support
         "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", // PFS, AEAD, hardware support
-        "TLS_ECDHE_ECDSA_WITH_AES_256_CCM", "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8", // PFS, AEAD, hardware support
-        "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384", // PFS, AEAD
-        "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384", // PFS, AEAD
         "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", // PFS, hardware support
         "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", // PFS, hardware support
-        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CCM", "TLS_RSA_WITH_AES_256_CCM_8", // AEAD, hardware support
-        "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384", "TLS_RSA_WITH_ARIA_256_GCM_SHA384", // AEAD
+        "TLS_RSA_WITH_AES_256_GCM_SHA384", // AEAD, hardware support
         "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", // hardware support
         "TLS_AES_128_GCM_SHA256", // TLSv1.3 cipher has PFS, AEAD, hardware support
         "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" ,"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
-        "TLS_ECDHE_ECDSA_WITH_AES_128_CCM", "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8", // PFS, AEAD, hardware support
-        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", // PFS, AEAD
-        "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256", // PFS, AEAD
-        "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256", // PFS, AEAD
         "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support
         "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // PFS, hardware support
-        "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CCM", "TLS_RSA_WITH_AES_128_CCM_8", // AEAD, hardware support
-        "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256", "TLS_RSA_WITH_ARIA_128_GCM_SHA256", //AEAD
+        "TLS_RSA_WITH_AES_128_GCM_SHA256", // AEAD, hardware support
         "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"); // hardware support
 
     /*
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java
index 5f0f3c94e36e8..71b3d7a1990b4 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java
@@ -33,7 +33,9 @@
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicReference;
 
+import static org.hamcrest.Matchers.anyOf;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
 
 public class EllipticCurveSSLTests extends SecurityIntegTestCase {
 
@@ -106,7 +108,8 @@ public SSLSocket run() throws Exception {
             Certificate[] peerChain = session.getPeerCertificates();
             assertEquals(1, peerChain.length);
             assertEquals(certs[0], peerChain[0]);
-            assertThat(session.getCipherSuite(), containsString("ECDSA"));
+            assertThat(session.getCipherSuite(),
+                anyOf(containsString("ECDSA"), is("TLS_AES_256_GCM_SHA384"), is("TLS_AES_128_GCM_SHA256")));
         }
     }
 

From 4d1967e0c17a6ecac5e8d9a0a86ef133e4dbbe40 Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Mon, 22 Apr 2019 10:34:41 -0600
Subject: [PATCH 03/15] fix docs

---
 .../settings/security-settings.asciidoc       | 23 +++++--------------
 1 file changed, 6 insertions(+), 17 deletions(-)

diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc
index 1548e2d95835a..134e46dab6f66 100644
--- a/docs/reference/settings/security-settings.asciidoc
+++ b/docs/reference/settings/security-settings.asciidoc
@@ -1507,28 +1507,17 @@ Controls the verification of certificates. Valid values are:
 The default value is `full`.
 
 `ssl.cipher_suites`::
-Supported cipher suites can be found in Oracle's http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html[
-Java Cryptography Architecture documentation]. Defaults to `TLS_AES_256_GCM_SHA384`,
+Supported cipher suites can be found in Oracle's
+https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation].
+Defaults to `TLS_AES_256_GCM_SHA384`,
 `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
-`TLS_ECDHE_ECDSA_WITH_AES_256_CCM`, `TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8`,
-`TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384`,
-`TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384`,
 `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`,
 `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
-`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_256_CCM`, `TLS_RSA_WITH_AES_256_CCM_8`,
-`TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384`, `TLS_RSA_WITH_ARIA_256_GCM_SHA384`,
-`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`,
-`TLS_AES_128_GCM_SHA256`,
-`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` ,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
-`TLS_ECDHE_ECDSA_WITH_AES_128_CCM`, `TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8`,
-`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`,
-`TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256`,
-`TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256`,
+`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`,
+`TLS_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` ,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
 `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
 `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
-`TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_128_CCM`, `TLS_RSA_WITH_AES_128_CCM_8`,
-`TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256`, `TLS_RSA_WITH_ARIA_128_GCM_SHA256`,
-`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
+`TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
 
 [float]
 [[tls-ssl-key-settings]]

From 5339d47796d3340043b7526db8eaf97e94f8b344 Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Tue, 23 Apr 2019 09:35:05 -0600
Subject: [PATCH 04/15] ensure we trust the testnode_ec cert

---
 .../xpack/core/ssl/SSLService.java            |   6 +-----
 .../xpack/core/ssl/TrustConfig.java           |   5 ++---
 .../transport/ssl/certs/simple/testclient.jks | Bin 3358 -> 3887 bytes
 .../ssl/certs/simple/testnode_ec.pem          |   8 ++++++++
 .../test/SecurityIntegTestCase.java           |   2 --
 .../test/SecuritySettingsSource.java          |   6 ++++--
 .../transport/ssl/certs/simple/testclient.jks | Bin 3358 -> 3887 bytes
 .../transport/ssl/certs/simple/testnode.jks   | Bin 7414 -> 9360 bytes
 .../transport/ssl/certs/simple/testnode.p12   | Bin 2654 -> 2699 bytes
 .../ssl/certs/simple/testnode_ec.crt          |  13 +++++++++++++
 .../ssl/certs/simple/testnode_ec.pem          |   8 ++++++++
 11 files changed, 36 insertions(+), 12 deletions(-)
 create mode 100644 x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.pem
 create mode 100644 x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt
 create mode 100644 x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.pem

diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java
index 3611b6663a38f..c2ef104941af7 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java
@@ -57,8 +57,6 @@
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
-import static org.elasticsearch.xpack.core.XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS;
-
 /**
  * Provides access to {@link SSLEngine} and {@link SSLSocketFactory} objects based on a provided configuration. All
  * configurations loaded by this service must be configured on construction.
@@ -75,9 +73,7 @@ public class SSLService {
     private static final Map<String, String> ORDERED_PROTOCOL_ALGORITHM_MAP;
     static {
         LinkedHashMap<String, String> protocolAlgorithmMap = new LinkedHashMap<>();
-        if (DEFAULT_SUPPORTED_PROTOCOLS.contains("TLSv1.3")) {
-            protocolAlgorithmMap.put("TLSv1.3", "TLSv1.3");
-        }
+        protocolAlgorithmMap.put("TLSv1.3", "TLSv1.3");
         protocolAlgorithmMap.put("TLSv1.2", "TLSv1.2");
         protocolAlgorithmMap.put("TLSv1.1", "TLSv1.1");
         protocolAlgorithmMap.put("TLSv1", "TLSv1");
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/TrustConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/TrustConfig.java
index a9bc737c94387..f570e0b42ed44 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/TrustConfig.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/TrustConfig.java
@@ -119,9 +119,8 @@ X509ExtendedTrustManager createTrustManager(@Nullable Environment environment) {
 
             try {
                 return CertParsingUtils.trustManager(trustConfigs.stream()
-                        .flatMap((tc) -> Arrays.stream(tc.createTrustManager(environment).getAcceptedIssuers()))
-                        .collect(Collectors.toList())
-                        .toArray(new X509Certificate[0]));
+                    .flatMap((tc) -> Arrays.stream(tc.createTrustManager(environment).getAcceptedIssuers()))
+                    .toArray(X509Certificate[]::new));
             } catch (Exception e) {
                 throw new ElasticsearchException("failed to create trust manager", e);
             }
diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks
index d6dc21c1bd5ff4a248bfba5a171518cd649e278d..b4cf27dfd26a87f36fec50d52d84c81d15d71589 100644
GIT binary patch
delta 369
zcmbOywO)?r-`jt085kItfS7qB&p#eVFo!j_GCQ@Bfq^m0YhLp|2G$5YQv*vN_p?D0
z<9i^UynvaBk%@_=C_};8fQOAktIgw_EekUfD}#a3<TsqkigMz-h86~<hUNyA#%6{F
zQR2KNriKOvMo=z9Rehv^FdI8qFB2ow5N1YpW+w)gcd3%$QuP-t5AQw^<oVp~+r{n&
z;iYzBQwlHD)SuE2>tB;3aA<ktwkvbas%gZ_+(|q(d4`Q;@$;PZRlDrgE;&%SxN(a?
z<3<BnHs(-SJ{B<+5nqPn-S1KrrI$?D(|W;oSByAk{LRTZ?31%mT+i&mVBpH6kY1!;
zmS(9F9(}AeX!EMjTbC+-`kUX;$h-Wk*skxlVkna$!^Pu)p<P$=&PZh)5}EdMR`&K3
oZ@WmRN9PzhxZL>Um9EVVxwbmuJo_8%U0hfG`iI<ipT!&m0BGQVpa1{>

delta 42
wcmZ24H&2S^-`jt085kItKzJk1KOPZ7xA^DtD-_@6?)fvvVUENMk3DX209_~%9smFU

diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.pem b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.pem
new file mode 100644
index 0000000000000..f8f29e47e0d35
--- /dev/null
+++ b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.pem
@@ -0,0 +1,8 @@
+Bag Attributes
+    friendlyName: testnode_ec
+    localKeyID: 54 69 6D 65 20 31 35 35 36 30 33 32 36 30 37 32 33 30 
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCCxFwoKqfcGailZhuh0
+xEj3gssdjuEw6BasiC8+zhqHBA==
+-----END PRIVATE KEY-----
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java
index c3e3bddf10e97..d4428c2483a97 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecurityIntegTestCase.java
@@ -243,8 +243,6 @@ protected Settings nodeSettings(int nodeOrdinal) {
         Settings customSettings = customSecuritySettingsSource.nodeSettings(nodeOrdinal);
         builder.put(customSettings, false); // handle secure settings separately
         builder.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial");
-        builder.put(NetworkModule.TRANSPORT_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO);
-        builder.put(NetworkModule.HTTP_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO);
         Settings.Builder customBuilder = Settings.builder().put(customSettings);
         if (customBuilder.getSecureSettings() != null) {
             SecuritySettingsSource.addSecureSettings(builder, secureSettings ->
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
index a8ad2fbd4aad3..09e1c00cb543e 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
@@ -218,7 +218,8 @@ public static void addSSLSettingsForNodePEMFiles(Settings.Builder builder, Strin
                 "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/active-directory-ca.crt",
                 "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
                 "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/openldap.crt",
-                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"),
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt"),
             hostnameVerificationEnabled, false);
     }
 
@@ -244,7 +245,8 @@ public void addClientSSLSettings(Settings.Builder builder, String prefix) {
                 "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem", "testclient",
                 "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
                 Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
-                              "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"),
+                    "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt",
+                    "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"),
                 hostnameVerificationEnabled, true);
         } else {
             addSSLSettingsForStore(builder, prefix, "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks",
diff --git a/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks b/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.jks
index d6dc21c1bd5ff4a248bfba5a171518cd649e278d..b4cf27dfd26a87f36fec50d52d84c81d15d71589 100644
GIT binary patch
delta 369
zcmbOywO)?r-`jt085kItfS7qB&p#eVFo!j_GCQ@Bfq^m0YhLp|2G$5YQv*vN_p?D0
z<9i^UynvaBk%@_=C_};8fQOAktIgw_EekUfD}#a3<TsqkigMz-h86~<hUNyA#%6{F
zQR2KNriKOvMo=z9Rehv^FdI8qFB2ow5N1YpW+w)gcd3%$QuP-t5AQw^<oVp~+r{n&
z;iYzBQwlHD)SuE2>tB;3aA<ktwkvbas%gZ_+(|q(d4`Q;@$;PZRlDrgE;&%SxN(a?
z<3<BnHs(-SJ{B<+5nqPn-S1KrrI$?D(|W;oSByAk{LRTZ?31%mT+i&mVBpH6kY1!;
zmS(9F9(}AeX!EMjTbC+-`kUX;$h-Wk*skxlVkna$!^Pu)p<P$=&PZh)5}EdMR`&K3
oZ@WmRN9PzhxZL>Um9EVVxwbmuJo_8%U0hfG`iI<ipT!&m0BGQVpa1{>

delta 42
wcmZ24H&2S^-`jt085kItKzJk1KOPZ7xA^DtD-_@6?)fvvVUENMk3DX209_~%9smFU

diff --git a/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks b/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.jks
index 832a23d2dbf09ef4571049b617623200af3dd86d..ebe6146124e8fd607e46a1a3129bdf9b4de0370d 100644
GIT binary patch
delta 2897
zcmZvec{CJy8^>pBEXfkazAHkR>>6v95XQ(DB>RlAjB2vWm=UsMo3c%tvMVK16XW6?
z8e2y8C9Xt>5m!YKUT?Sao_pW>{_&jid(Lk;-}8Kb=XpNshS|1!JIg!E0002A7u>ac
zFhSz}D_Fu6d{_Y18|x1M0R2O+ti<eX65&_j{7_zXC=dcv0|^0v`v8#OYX0r#=(enb
zbkeaxR$;Fx5Rl+tKQSie1z=ptiN|ax@khOhn#~-!)w_}eV>XQEJVH&h*(ImlwQxwy
z$W6fwUQs)BCVD&oE?l+c5gQ}*hT3GO6UHNaF~9dPqf1C*L;r53a$<=q6BbatrvV7q
z=XOjNZn(Gl3?~Cu_JVRB3<82ckjv-g5pX^zw_36d+ZX}{?E}CSDFvb`G6rzn<N9zz
zZN1}g53vI}y2s&gtzYTS6G}vPxG<FK=RFYc*8^Z67x*Lq@(C+}ktFsRwlX@LZRf4m
z`_kWG!cAZ|FZIU}yHsIWkNgCg<?b&AZ}%Kl^_HISWl;)@3<>igPhuKO9+$L4KP1uM
zq*}NP6pWVPhrl2r4gi0~C#-^0Np@q>8;1r@F&^(RiUNp2{F`#H4FGNhk`KJB8G$p@
zz?@|zIoDO8$NQtdBlRa#@dI-NlgupzG)Mu^*N#G`4dGu)1~EnQz83}415TT`pM1{-
za`RgA%P9{3tQp^b4ZTe8-7B5npl7@b0I&}XCqs7s^pyA)Q^}B}ya_*#wNZcDr4E2x
z)phIm<<{t6C|+`|9qPXgI8|F46X)D7pNWf@5mnTf!lq7JAex(g^l2}=Bj6tDDd5At
zaUzsIt+tF#1S0jM-a5{7QC?PvhlG9<T2JqUBfK5&3Iw<Z=%<%<(ju%=J9-OaiDw!l
z85IM4;Vwgu+!K=99U3CaR(Scigq`#Ng!bkibi52UEVy_ULvEDYKo2vTL^lrG1lTgZ
z@!%k|HP>15O1Y)Ww+;+;K!9u6v1?|KG>*P)?rc~+s6eOMBw6;%?QzX(m8+j#omUNw
z+m$~aZ)E7?=IvWXto_ji6p(@tC9t)V`Bh@(PU3j}iP~evMeN_tbDIqLl#&tv5`_$P
zD$8pXrzv!&LuA!sS)prP)7%>9$aD)(?3o_8<D{s&8%(pfZ>P-n(dq5T<oa6k@H_S@
zVy(uVx4k;F##;G8kzhGfd~r~DHvNT^2)9pKoqD6mi6?K_*Lm3Zq1W@oyrADw)L2I#
zEcf<9W}aEb9UruV*Z|Y;YODDcf}UF7O!}Y`2X8q0sAwsQlymG~(|r%9D{(VSgn02(
zyz0}ip&-mX`&*9QkvTAOBwbKd#}c(tK|*|+In@>yDwo-yls)wu@6=3fpO$t>vVn3)
zCC+F;ae(O_Sjdo`RB9vMX^n=2kU4&xgn@d7sq}o8H^VYm<NHw--ythss;emo*$UeZ
z=1Ia<Qa0>(GbB-MbuEqzy`Cbgmp9_RuO{Is;Hb98zA^zH(RH_`H|fS_Faq59w*B0m
zDXHp3gKHcY!m*?6OFeyOG;mfOgqAnb-N(+ppG6rpaV@-ck|93P4(oI<kyd|fssBNN
z|40Be&fGsCys+D*{{g!Py|t-X)4jn={5T`C0;e^>3xYUtT4J1rIP=qN65Rm>G^qv%
ztm|*(-$+MfxSdFSZ~HXfXje-6mKP1O8HO(`A=GDIOmS^+Dj%a8vzaP_Zu!+hq9aEo
z9bZnC2e)gr5Y4C=JhD(;t5*{$r6#GTcawU3I^>lM$!2xA-L$gMJF@hd6PlCL9ae?P
zkCb(eY9>Z?4wgxVqh}En=BEkRQ%~d<J<ZcNv_{DFb0pi)ToF6xL#EaV4vvX0SHD^>
zwtF}xBe}dm9Tz2KMi_<3(`L60fp&`*ufo5`H#X+uh*FukO*eX0*wQ`MDxY|dv0m>i
z1XtHbg@mOSU7K0BjTHCM$jW;qK8RhsSjQ!;V6O4#<Z0N~XdU|1lBX|skj3`~^Wdy$
z*1U4}dxP)X=5tRE7^elUIjPIYO9~S-s#mZ?`DUOlQ}U%oU{L3EtzLuCxA?If1wIz#
zDmr|4k!Y<FVB=MhgML6&F!j@;myU7#l4+morEdmJsN5qzJ6{+ZpR60%X7`(xI3_)*
zyJ;2IaX6elK5WWPm--Us9hY#iZ9|?D@%-(n^@uz0TZCkf=$ULv9IXr`Vuv-kGs-7a
zQ7`SK{2AX|1JfFi7*ov$Z&GQF`)BsOF-k#xBB~zA66F#idT39D;oLQX`=dN6XB^Id
zFd+(JX+p@eDp8xvR54x$+Z{~l_)7UK+N$`08KSPQCVIL#A|kT&_nWwfwmw>+)2}X^
z+D$|rxF4d#{oEyMVg6eKw~`j9!+GoZ*+~s%kDh>pW@gS@L=i5v_r}47Jm~yoDQ%6<
ztU7(sYA)jcbjyIB-O@iaHWIbhHM91HP5M73AQ>3>jtAiAGx)x6YO?`o8813tB+uvf
z=CGISSM!~x@pEHuY|1}ab}e?9iFM1Bdp?fx^X$s4!nAnlN|l&FGxSDXCx-(w9yIS_
z*u?GY@$VdhhgIZfI!#mijidQ#DKU1}!T0dY_+r@Ayo91UQQGBr{UhvB*T)MJr)`ew
z>zfu(%{irCL@N|7R1-qP?;5j#R4K)gJi8`0osaedW`5hePF%D}a7kpkJt2Gi_JN#$
z;w89qPL@NXXg5#dqPj$<X+{H&i!LD|gSh&2<=LYHDeR0x)EN({IJf&ldCZUK?K~UT
zfqt;Q3NN#>%LCRZpdeJQj4U>_AOkmFMI72LFn^H|TQPgmc(h7Z-F~ZvYc*B(+VQ#P
zu9xFDP-VAm#CP2ZBo|Wowizd_!_p(m_~ynBs2Q+U6P*)g;{5p3C6CR-2Y#b+SNtjA
z=RSu^MG7A+rQUaeE?rY;8$o23bF1Xzc=J}C^t31MbMmqnpTa*2iD87FFira#5rB>0
zWUv984Epkm2o#M7LGS}m9-m|zAQt?8kU&TKxWQkL;Ai>^3CKYDp4}RMVu1k!xR=O*
zNF=~E@eD~O{NNGiDZAUpIJ5KXLUd=N6-z*?tZBjv)Zq(O=gbsQTkgg;+%}tEeQkiR
zcT>?JBP2wEj851Z&W9dc=u}#A@7@9=R#1_NWK@pq&{<O75SV#ZMVY7oWGiuf;FWAE
zh^Xr#>;cQsS`YtRqwYJRwz8%OmblYr18fJ00`h&FvP6~kzkZfmPkyj;ZU3s9^w<Ar
z+nBzeG)y)Ay}Pm6Q|~3FKKkYp#^#Ad@^_5=eq%0jAj%z+*)ZsioV&y&NJ^mD!Y(N-
z*sH>X>AgH!869QQMzEN4m$)0M?;h3=W!3A-!gKHsiTgJdbp8I=@{0i~BVL#M(NuxT
zPOV6sn)di`51N~f^Gb+C9|{24BX)Xi)xe}{01zo5(jH%Lbr2XUc0pjWd~kZ7E+O2_
zno??Z3HNOvHshRqzFH?!9zvm(4Y^hHv@Kgc-R{p<iQW%gR1gKKQ~Y}d1$O*|ShSN;
zRl~ggXm=&r_F%oy4}H_}A)gfdTVpx#>em8C9NOe>kEUB(T;+2op3_qQ6lzh0L_MCA
ztHjWY{y|+9YX-~~Fsn_y<f&nSnCEqUfP}yvb>%tz<!gX70dNhF$WhwDg;?Kln4fv}
z@&><p)Z$j_N05l(WVg#Es?Rz0j4Xi=T#Z0cP8V<p`Xl~Ay^Ar+%X7XuMwL3Ue^CDo
DQW*zG

delta 1342
zcmV-E1;P4|N%lDm{_Xzl0000200006u?!Xve+YDCb98QRWMu#V0Z;plEZP771p_dG
z1phD&1_~<%0R#am0uccL1pows1nbfbWN*zrx&<qcRI<083E)_!FPCZpgtSSu6bIn1
zh7mz^po=F*_QD-eg;n9IZ-<D6hWtP77&DZAYrS!9wHPx}M+MOCuo5I2J+V2?=HSh7
ze?ul&mEoGuuQd10R^ZRqES>SXT0unF*xCSPT@5_DPje5+@%_*1OJhygSbb({5*pB2
z*wJ@rdy$!PMj)AgZ?%cS*FIBG$9n0%Ywh+?cO#r!06X-ZiGeI3&hq(!U5Pz#%x{jR
zgdR!XCt&+NzV{-bN!jlGUx}N^1z1~he@d7!`y`OK11BLPf6dOh<EM)e7QBkBe*K{M
zPLt?^SCCV)?SrE6eM>>?RO{cRn-EU!mC|wxG?s4{+CSo_7v?~0B<Nlmpmvd)K;?#M
zL7ca=S<larYC%koAVpZ@Ai1JNK|gegH(wuBEerp#xec0u#~;fm!8jgn&L9)oe{%GV
z65nD%OO!8+oQi(mO@eHL&S{stE&WSfkDl*R1-|$-rW};H@7#yGDthM0<rh)v7}JYM
z5f+2eifUq?!ojALkVCS{C6Zm%mE5Eq6Authc#{ix0W}_tSlx?L7)i{DIoP8&U1D_@
zAOQ|+vmRkIJv$w!_=)3Y&e#&$f0q6c*-(8@Ief%*)4IG22NRyI64sZ4EjGn0Lqipx
z<&N{0|DJjM$<=M~2aQO4wPNnKSSkbGc~9i?oYh(--ot@qd?_AQjPU|@H7he@r<+@4
zrvdvE)FS@zokHgUc(7cv9TMvpc>Jv$0$||%{RgsqprD)jB-uC0tesmce>sH1{B_;0
zx@PWGT)}4l-;mDul~E8@QyG7qLql9+$QyzxX$FS3Tf7qdhmZk2#(d=f&6`@oU9tZ~
znJ%q|RT%TNU_}5;6&#XbGw}2lTb%)F1E=E$AYv?<=+_X%#}W<|WF1$lK3k4SY%m@)
z-<eB}p(VZQG5L(rAW->)f1{|56u1)-a{oF#^68+!J9SSlIt%I1eFqqEhkteJ_VlDG
zItsD$U@iRaI@l<!t*1BS|3k02T++Em+%36^PMV-qKr4`XBv~qtp*|H1JVSQNtPKp6
z;Z0$g7Vz98P(j_q(KO<Jx+cv>4$J}VMD#Q^u*Hehv4m<~s#us<f9Yh~cPe1_2go7U
zR$-+sGx}{FGc#Y3;PMJDs4UZx+o=_Sp!ITj<-<k|#536Vq11gqUyIBT+^uM){beBC
z1B`T1tH)N!p1$1Fxmqh)Gy+z8VTC^+nO-VLJ=L~IiZ10XJp^#m4dWM2T`~2B8>U+j
z8*+Ffi$yaZ0^Ehqf9q82%eJg`Y^0x4tM^vy|2P@))*Xtjo0*DzZE<>>#lz(C1xf#(
zd5+m;&1XdmU$@pF1Dy5+9R*k>__fc=hcc`36ryy?O}Y>;*R_>GY-X$CdX1(L(y=E^
zdqsIdjVOM|$xgVhDF-I{V%#JpYTu@H9K?IY{6*kz$POX0f4xpTT0IfS5yCu;2$U>m
zixYzb!e*z`f|eh}AFy3`f1Gfvu}N@WM6JFk8S+{tdcl!l+gIGx@C$t+iW}dxF@2ZV
z#(8f=^j$4JCRsmhNgE3=8moJcZ{A*}IL{@yw1~|I4+-!>#;Qa#IPF|&+esHK;;cq0
z;Ww#1|BD-l4(SfN%XHt<9!cF$TJ!a@$QQf^6zzA$e(cN7!8229b%VR4rA47A^3kq@
AEC2ui

diff --git a/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12 b/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.p12
index 2ac8125b58d3113e25351f95999241ae2d4ef031..0e6bcaa4f8b7685d7f5b99df290a52949500367c 100644
GIT binary patch
literal 2699
zcmY+EcRUn~AIHxvxg!ZDdnQ5-@f_K^jLyjF%3eh{GeRBCx{iku*?VT3QF0lF=%lQ;
z&bU;PE##==@%z1gzvp>9e|*>H`}uzVd?RtNL?8<YiG%4v+0Nok@k|aDR+b_hObLvG
zDICeNNE{^eUn__g7zc4XlCK|y6BPcxD|Q$Qum}hKiNt}KNLeWC|MJmuK`>AJl$c_2
zOs_(AcG)+k<MvZU;6)E02+)fL<G_Pi59PM&0NMrdrK{Q)c1~gOLi#VDUq+l3NgaIC
zjnj_Ew%Ujn8p?Lap%x5pR|gQce&sE+iRDX$o~|)@9W-$5N0}JMriHWt^73y${JFA(
z-?y5D2Bt%7%Kv;(Ck|Cf5#>^y8jh>BG51{h)vU1VFvNWaR%(b%#g|>xYrGgpK)hsH
zCt{3cF4Tu9dA@#Bh<xR;5mU*hT~#{8E4qpm&DaWO@b8~dZ($xYZJA@};%vQjKx-aB
zY9{xq&z6{D*mkm8+f(}}3RYK(i)*PF2WxkH`P$cGsQph2bBG+ZU4?eU{ogmn9$5iY
z(=Zd(&7rJAnVfGey9oL)od(K4K$r8v4{F2M<AIDv=%hJQ+YkF$mDrZWX`MMAIa`zB
zHzboEYUHb*B;zn$j$LWo>0t$}=mWoVCe<Ef{)hS!FUx>(i*`dJb7Hz&E=p2<eC3x{
zzkkX5{;<@<&sl4Hc5+ssO$Rf4Q~A#&w$vMjm5buqaMvIwcN8o}W!LWl;{Bv`AuT7=
z(GuK`Ehug-M<mDjmFSpZv+tN>SMdSDr8(BZ-5oZQ8e2V&hiQ5&_I+j`a=T08Q*Re8
z@!UG_@%dJqRaY@6WlZfEb-c2%p&@wA)yaKaCZ1r_FFC2y(4&8z!gFm(;d*c`%}MO*
z-0<FFHzmz`gNgr>QR-ujLkLiM3a?jy8V7>i>~b<kH7wc(GwGWhzLlrI327%~rp=+B
zC4(UolWarSbyAeY53~z6{^|Kr_U=$2Z(i9rWI6;Go7<U8?z8`i6BP@rrfSyca*Q>;
zG>v$X&;bmA40q>l-Q+C2Rqh+8>D0g$uT1U{jtm${qpl(s@7N2EE{MxScYZwML^=C|
z#}+2{r8r_J`tndT?|J*k1ws_DCR?rGl5$E&TUCJ%4bZf4JHCb0(Is2NHeVCfZ!_D9
z_hn(vw?FN`J^tkcKn`H-5TUQgZ(`sg{h4)hXTSTqBzZBUfuwP7tlb}U4rWf^=_53v
zNrDs`a|QNu&t7Og@{+Bv4@`V7(!AO3Zu6i9dq1DNLK7V}^tI+PLQGBM33@}OIfP3U
zkY!lvdFdTZ$ZXLmbb9+}Xv`I-Koe@Nd1AWWh0MLVwwAheIdj$mBJ$NVyuPQeNZtoi
z^x9%M`1Gi2Z}4n8DcdUM_y|7pbFW+HKHlu=xE1*gd2`fK`vvP;f;WdcQ(it{Hg*wl
zAJTLWM(!zGEc7&{^>UslCK-!3jv`m+Yjh1~^}gOd;_!%(aG>lO9FKNsK9(}2Wgg@m
zFuN|S+c4HW{rqu*HK-(d%k^$V<6U<%HJ1g9vNIqd^kXkMXwOIEW|rmXm8b}t2W9cp
zx?zHX$YYbZXvZ^tp?bdbUExS$HSCg`vkkt_j#&&dW2CGi6s*^Bgr(r<8QXxq-Nb%b
z2h4FjHxKhgO*cY{n$z2R{A<%1?<FleTSqU};=qk~^*3RbTMxbKvVKP)xqT$PPsE<N
zo(BSP6f79?hWMBC)j;kh?6Wn;>@)jXYSV-w=dM+(TGj0<+Y6hv1^e@lio>JZH<j5T
zcmAm5;`=BSVWCu=&@AyW&ef)f;{MF~0a)1LynQ-dhDDE8?xnWpqlG%Ne0laUZ6$N$
znZHrV#-k)4ataUv@B{=O<y(LNfX7kq48R`Eu1N8JjJ!%b;FGq#{+?n=s>-S=DrzWY
zbrtnLjzC)Xw}};c#Mb;HDF?^`I4T+cY*_w9Tj+miyMlr*D<xS5gp8dj%|#hcInfum
z|4ZAuIIx3jM$Yt#O4ZmNJhphUE(mDhpW<SxYxYLxQFPh2osOF~S<v;Lm0esExk*)m
z6O&o{9^!-t5i)Yeg;gD&VL`{9BMxtM6uhA)QT!z6&o?)O0*DPWW+}HPViHFV5H@Jd
z)(~evRA2CA!!xR;7y0L#l~yxpZFaxsA+XR7J=g1L;p+;hKZqPZmDbxmf&Sf-^T+lJ
zucGXNzt~Ve38%ec`#z$iXlJN{shr1TfVVTqMytn1zdx}jp`vcrY90E$bllz63|%pC
z<jetP;;f23luM9eX5k;Y6XtJE@n4tYUf-{B#~Oc~4IjhVD-Oc}2bX_l(4cDaP=mE_
z@yBhR7dFQi-UsDqd;6|st}yK!`ij3camR?1DD(uIVXT>`&Dfc^P{(?~WdDL-%2~Jg
zoVceNZ(d&!(jLVVnuzCeLt$OxTp~sOyYB=x)F1k#FC|=ZZfSa1MpH&$)+F+<-VAfc
zT-L1{VHNBj&mNBdR6aDg<vV_>NoFJP{;wg&99h$6bP}?hy1p=gJ#-#3PwJ==fG1h}
zxVO+r_i~7yzQ_1+z$u@|&_uPWPSTX~V5fHwajw!GP$tu>1O3W;Ds)tjz*~Q4F}$M%
zSB>mmOCLy`&zMVTs_JY|YxD}g_N>1MF;6cB!l~shQ7wDlrdz+F$8KJ=k8i3xC-il%
zjBn3U|Nex~48Or73<p^p>KepF1W`wCk94~Y6X|6RTXRn#SGV4i4XglR%=7~&8oDrD
zE1G|(&*Ga}8Sp@7OKi+&fc1&7RDDf*NPbvJ$EnvNz(RrqkV$+h=U%<?{jTlQ<B`@u
z2eoi;@=R_&k7NUDo%GJ0O2=&86e{)ZF@{NW99z3nM8sb63X7E;PoNd5c*395H!Z##
zMFY(=4YaX#3BVaVL568s@A$W{O<eZ}FSteeQam~n<|>jtxnnr-Y>7Hqx0N^gM|gX+
zc1vR`s5ML4htZ|=6ah}qwdW&N>3W+&<aJp_1n;ljq~$C>C(D_w{`Du%UFAg@Pd~Q%
znR3ct@UsD}uq)@oGUVYYey9>>*(DA6x;Zn|>n;SoJi>v`IPDtLmzQA13pO}q#JD7o
zuSHXR`zdH{k%KF;ni}xIFd*#h3F)zmZS!vZBwJT6<Z_7+fV%?JG)<rv@~cJfEO51|
zJS;slJy;+U?VkQbY`2NMXOs^$)|09R1?X(A6<$A~Qnv3i1c~3f_|PY1bek^nS0Z^{
z)F!7c0RkpkrffJ7?_AU~6NuGPrx8m7a$T!QopN=_;crRGdX<c^j#Z}z?^&o`9*102
z03UJ>$Bq}O1T|TGNc1K)iqIphB+yqj%};ywFHUgj%xf*n&uc1fXow^90K@8mRTYL|
zIrnNnKChAr)jnI)8kx<65@sU!C0+>W*AIW~NRM^KFRy%5H1-U4zf2#=)TiY2UXmBQ
zA$A=6j?+%}q^G7f*z!xcRL2d$7u!P3SCHCBaU>fQB6l1F6o3H0JcWT7PnvxAQJh;Z
o(V~<xzgHQI=U|=-z0z`+a-&4aM#o7}wb*P+_<Al7#DXvS3lR+e>Hq)$

literal 2654
zcmY+^cRU-476<Tzh=@HBD`wPeHBqBzqehLYt%?Y)QF|0IN-JWImTJ`|T(oAatG9NI
zhO1WX5nGIlR;{+LxbElk-n;MpanAXCe&>A7pI;OaYD)*CM-ic-U?$l({kRiWAR~}O
zgmQw2P}Yl>2}J}I{<8v;h@iBKD1{CPxEQhjY=9^P82axIEI=@d4Fth?eb^ZL!y%oH
z4gw$$LDq`jJk_1T5QaMGtd=(u2#y|^LmKzTTT`4}!ar^_diUL%7tc?oK0&4`B>VFF
zJ|XvHFe~Ep4=1CkRh2t>)Gx0;O~-SD;HU3ch-k`P>93>)TS|O7sc{yZ+)vnGP%yB$
zdgEz*Erd;I`Qc&-7+X%a@c<LR6MH6`SN5>&6r<45b+nhcid1hqnc{5Lh+&GI79dwo
zI;WqWkQ2_GiWV5ju(3|>xj2_ltu0%RZ86P~h+UMKoVvR2$SHUCo0i}>GXlotNfg0k
zrCOvuc9<hCw{<e=*KN$s%bf*W-R4bNR3Zbw=Dw@S^$B_(<$3dL?%;v<P{31xT^{F&
ziEnmCKioz-fECpqQ-JKyx2&|0M@&6}rCNK!iqBiME}K0-T``Rrl8QT4H%;FAh*7QT
zQ)CYma7W7aSnCxD21MM9p|U<r3tCrO2J=Kd%J*h}A1k?VBNs8{QFbq&ftw4GlgwF7
z`RsSdl`haM+#+mC8=YBwI1)i-<`{zBPyP{3;E#I@_tj3o<P4LQ)`o}GR3~R&u>A(6
z&N1xskA;ys-x{6hM1y7(&{EXP4CQt_&y6z9a~kqesUE7u$R&F}27FMsx!dg$LJLw2
zko=YHmn{~tW!&3FsHfg*J#APlr8R0Bh53_6+EVyFK9MJs>@Oro`q$TetSoh7D2uu+
zqS+IN(>Lx=xxN~@)6?e7@D@?|Ef9-3lz+phPs1NSHrhm4k?QhbOnQ4JQ#1QV@j4;(
zwR<`hwkC`1`>G#`EI^FEy{PS%q%m&HgoXX`^o1PEeKc^#p(*Jn<48$E<sDoI4~G7#
zK)UIA(IEC9#z`M<IwK8`y}x3!H2R}f_<SF+yA6knbtf(+*t*p)m#Mu+SXnCLrwL?#
zCyVh1<cjfQrRnc47qYuqTPdp$PJne<@4e~A0)RAoL$uO?_7$3Y)QVX7?^THfKh~W2
z6(yWrGOD<LpjW-zQV?#L9=xBO(~(wSJ`%Ay@sQa;RzwIz@VnOXF>g=1VEBkV+@B$M
zUVQsYo2^MIx}M?!ed-=IS(GHPeMRE&uF;|PjHe%MWbh@&*}bb~(nC9(dOyB#TWvm*
ze$>@erzGsAjKH9LBmKv!y9nnX!BJ|Uw3|am7gg+taAO2()Hkc=w5b)9{)|(fmHA6Q
z4}P_hMk{{TdacXTrlnPqEiyr#;!ZmCFP3YrO^1!cEHwFtg&Rs0+X<dMjm}Y6oDZC0
zZ9Nr&Pg~EW+=~~Ih6|oXMF|}C>~K#ZzB%Gc58X2&-r$zR9i|)S&;x;2RVHb}@l*;V
zzIj*P8zask)7nXZyB=58T9nX>s`PhEAhN=42gg?{v0h3Ej{a_j7J-jN@11#GvwEiE
zMrT*c;$xBfr{BG?t#wD;K!zK&Id*fYcb}Sw8vIo62CTQ+oH%kl3|TEsZyzmQBZdWD
zD|IYf<_OJACtWe$R%od7&OA<0m1*{JLJ=99{s$rwk--8)WH7mi4KGR$%={mgpg_6{
zzxFQR+WtSS=>OL06?~eK2`*m!TPqL|)K_TLiH(+JYGojaKd>|Ya6~n{-nHp05f+`O
zz?4J;8jJvKK58ev`M%`eUSKz=Jr1#C4*G%Zc+$m}*feG%V-w>gG+)2JO`$(iN@AYN
zTVt+v!K!LiN(W00=z1jFl9&$QwT2qUI&M6}gyE(%IGI~d`ci+s6{`wnRr9_X#JE*F
z5xRM-B|M<+>5}aJF26;uO3EHK*{UAU0G@@V?iOMdDG2YM9KC~%07Y+I@tv02{5V0^
z{?Uouxr%{`mI-ZEX@XSq0PBpr$<~{r0oQ#lu8j=oPR9f+<Y4e+d2@yna`7bPNP&Wt
z^{6@U3>0f`Ivu4Ed9jPU@bM<4B6ghJce4qy?mSXPry60#5|ZMZ))&rv;4p@)XbAb4
zQKEFm#d><HeeMiV0pnE367j#AbqQoaAIcr%-{DGPj@$AbOoOa!acZqeKYeZ+p1JsF
zl)S1DR5`0)CHiE*EQACuyJ6usklld^5A!~`H80$gQXnuGw=*HqH6UK0m$doL^3&-d
zN!Lf_D=o+vf{7qUESI5g<-b$)FL*d@ZQm4SAkYnrwftQ=v3O(W?kDdqnK0Lx)dE<1
z)tbk^==mLFQheZVzFQeqNO*zHB{7%8mYBS$n}u%uiQMN7`p30iFVGu1H60d`MK+Ap
z)+p01c+szdP0t$iUlFEr<2@X2&yTSr;9fC~o(6(xPIxezh|jAM(KfEVD8AdJn|0kM
z{K%rb1jfT$74axZb>}JmV6Vpp0z<4<G@b3*zRIhanj43xgCK4aKO~9_t%S%>q;%c^
z-@5Wk_Uq8CS@Rm_C9gECfH8sY5E0(TahVz;dI8eBqL@fU2gR&`NK}i@HI0Qwy7pTL
zwPfhQBH`h_XE^2jbI8KNUJsxd&=>t{w~iB+`k!t2xjk?0^vdVwOFM)H?~Ydc6c<eo
za%J>?DQbco@TwH-ZOv+dVP@;9Q%$T_%>)(5h3w4*@`j=MT?I9c5>mClbe<h$T}Q9&
zc%NQkA5s9Rzb?56E~Vg^YNAiVnif32r=CE{4)gh_J)CtP8_FWy{gHY=j;wfJZb8#e
zM4$_9`6}R(zx0i1@FHIMoSQ!rl1+Y%AA@a~7vE@mi>tQEHav7t^J^YTAM7k#&kB|+
zblnt}*ZdUKXuy}it+KSqZK7cri7=p+M=~zKQgpvcb-qZ?ex_<v2v!&#50c<kjxl5h
zd3S|8F}A>lv4qO(r4~e!zlwh}@ZhQh`h^d42!i#%$nEE9zAV;jC$dUNTpxF2H$2#S
zmYj4jcC=ued>^!XEoZ^s6kDdvNbpq6@0$kbsOBhj8YS`i*UJ6@#H)<3`!vk4&zzMq
zFDbJ$n%Y(d;l3RyigC6Gw`MmEm%{_vdIR1OB{{81Z)Wz2x86RB(3atqraxSXxv>t<
z`ELLDc~VKek_@Ry?DX!fTPtmvm%VlG?xc9u-3Mn^Rv8Hxb9{p8d|hh=vL(aH5-RFr
zvMh#FNNC7X?}}FclB;sqS}B?^;-de=ez}5+Xf>cE>awFp$07E3p}&%=+pHAt!OEeD
z(Qo`|PhV+8<3`v;T?*%Z?q!BQrtxL>DPSqp%b&4j2aS%R5WUw);&pru*;6@ZF*6Hj
zU6jawb!6f}a|v?*f&i|7z>Dq+@B_F2Tv5n>4q#|Fh(}-ws&R0@(dfSdY)s7Mr?+E+
z#iP(DF%%P+L5_`{PJjUb;%PkiJv;_~SIQ&Cv_`mEBE2JL&H)5D>1{%}NTz)Lo6)}j
D&}!D=

diff --git a/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt b/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt
new file mode 100644
index 0000000000000..f4c9a6a7aaca8
--- /dev/null
+++ b/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7zCCAZOgAwIBAgIEcmggOzAMBggqhkjOPQQDAgUAMCIxIDAeBgNVBAMTF0Vs
+YXN0aWNzZWFyY2ggVGVzdCBOb2RlMB4XDTE4MDUxNzA5MzYxMFoXDTQ1MTAwMjA5
+MzYxMFowIjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwWTATBgcq
+hkjOPQIBBggqhkjOPQMBBwNCAATuZRlXGn/ROcO7yFJJ50b20YvgV3U+FpRx0nx/
+yigWj6xiEMKnWbbUnM0mKF8c3GHGk5g8OXPnbK96uj6tpMB5o4G0MIGxMB0GA1Ud
+DgQWBBRNAGO77mUhG6SQvIXQTbpcFwlf2TCBjwYDVR0RBIGHMIGEgglsb2NhbGhv
+c3SCFWxvY2FsaG9zdC5sb2NhbGRvbWFpboIKbG9jYWxob3N0NIIXbG9jYWxob3N0
+NC5sb2NhbGRvbWFpbjSCCmxvY2FsaG9zdDaCF2xvY2FsaG9zdDYubG9jYWxkb21h
+aW42hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMAwGCCqGSM49BAMCBQADSAAwRQIg
+Z3IvdmY5LFdbxoVSs6pV2tJ5+U833Chu0+ZzPo77IVUCIQDRx1FVitVuzBpqwhSW
++Zprt2RLPllC4s4BCApGDh8i1g==
+-----END CERTIFICATE-----
diff --git a/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.pem b/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.pem
new file mode 100644
index 0000000000000..f8f29e47e0d35
--- /dev/null
+++ b/x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.pem
@@ -0,0 +1,8 @@
+Bag Attributes
+    friendlyName: testnode_ec
+    localKeyID: 54 69 6D 65 20 31 35 35 36 30 33 32 36 30 37 32 33 30 
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCCxFwoKqfcGailZhuh0
+xEj3gssdjuEw6BasiC8+zhqHBA==
+-----END PRIVATE KEY-----

From 52edf579acb37a8b550f769eb965031bc8221f4d Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Wed, 24 Apr 2019 15:13:15 -0600
Subject: [PATCH 05/15] fix nio transport issue and pin renegotiation test to
 TLSv1.2

---
 .../elasticsearch/xpack/security/transport/nio/SSLDriver.java | 2 +-
 .../transport/AbstractSimpleSecurityTransportTestCase.java    | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SSLDriver.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SSLDriver.java
index 93978bcc6a359..97961e6dc292d 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SSLDriver.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/nio/SSLDriver.java
@@ -468,7 +468,7 @@ public void read(InboundChannelBuffer buffer) throws SSLException {
                 SSLEngineResult result = unwrap(buffer);
                 boolean renegotiationRequested = result.getStatus() != SSLEngineResult.Status.CLOSED
                     && maybeRenegotiation(result.getHandshakeStatus());
-                continueUnwrap = result.bytesProduced() > 0 && renegotiationRequested == false;
+                continueUnwrap = result.bytesConsumed() > 0 && renegotiationRequested == false;
             }
         }
 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java
index ca548251d3713..1b7a7f8d870f2 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/AbstractSimpleSecurityTransportTestCase.java
@@ -155,7 +155,9 @@ public void testTcpHandshake() {
 
     @SuppressForbidden(reason = "Need to open socket connection")
     public void testRenegotiation() throws Exception {
-        SSLService sslService = createSSLService();
+        // force TLSv1.2 since renegotiation is not supported by 1.3
+        SSLService sslService =
+            createSSLService(Settings.builder().put("xpack.security.transport.ssl.supported_protocols", "TLSv1.2").build());
         final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
         SocketFactory factory = sslService.sslSocketFactory(sslConfiguration);
         try (SSLSocket socket = (SSLSocket) factory.createSocket()) {

From 079cd3a6091cb61b3ed963de993c564c64159ebe Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Thu, 25 Apr 2019 12:24:19 -0600
Subject: [PATCH 06/15] update in ssl lib and reorder

---
 .../settings/security-settings.asciidoc       | 19 +++---
 .../common/ssl/SslConfiguration.java          |  8 +--
 .../common/ssl/SslConfigurationLoader.java    | 65 +++++--------------
 .../xpack/core/XPackSettings.java             | 23 ++++---
 4 files changed, 38 insertions(+), 77 deletions(-)

diff --git a/docs/reference/settings/security-settings.asciidoc b/docs/reference/settings/security-settings.asciidoc
index 7f32e791ce38c..9ce723d2815fb 100644
--- a/docs/reference/settings/security-settings.asciidoc
+++ b/docs/reference/settings/security-settings.asciidoc
@@ -1519,15 +1519,16 @@ The default value is `full`.
 `ssl.cipher_suites`::
 Supported cipher suites can be found in Oracle's
 https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation].
-Defaults to `TLS_AES_256_GCM_SHA384`,
-`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
-`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`,
-`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
-`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`,
-`TLS_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` ,`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
-`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
-`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
-`TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
+Defaults to `TLS_AES_256_GCM_SHA384`, `TLS_AES_128_GCM_SHA256`,
+`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`,
+`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
+`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`,
+`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
+`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`,
+`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
+`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_128_GCM_SHA256`,
+`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`,
+`TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
 
 [float]
 [[tls-ssl-key-settings]]
diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java
index 68df7d248340d..52c1e8151f49d 100644
--- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java
+++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java
@@ -24,7 +24,6 @@
 import javax.net.ssl.X509ExtendedTrustManager;
 import java.nio.file.Path;
 import java.security.GeneralSecurityException;
-import java.security.NoSuchAlgorithmException;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@@ -52,12 +51,7 @@ public class SslConfiguration {
     static final Map<String, String> ORDERED_PROTOCOL_ALGORITHM_MAP;
     static {
         LinkedHashMap<String, String> protocolAlgorithmMap = new LinkedHashMap<>();
-        try {
-            SSLContext.getInstance("TLSv1.3");
-            protocolAlgorithmMap.put("TLSv1.3", "TLSv1.3");
-        } catch (NoSuchAlgorithmException e) {
-            // ignore since we support JVMs that do not support TLSv1.3
-        }
+        protocolAlgorithmMap.put("TLSv1.3", "TLSv1.3");
         protocolAlgorithmMap.put("TLSv1.2", "TLSv1.2");
         protocolAlgorithmMap.put("TLSv1.1", "TLSv1.1");
         protocolAlgorithmMap.put("TLSv1", "TLSv1");
diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfigurationLoader.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfigurationLoader.java
index 6e511565a9f53..a880090a048ef 100644
--- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfigurationLoader.java
+++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfigurationLoader.java
@@ -19,21 +19,15 @@
 
 package org.elasticsearch.common.ssl;
 
-import javax.crypto.Cipher;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
 import java.nio.file.Path;
-import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
 import static org.elasticsearch.common.ssl.KeyStoreUtil.inferKeyStoreType;
-import static org.elasticsearch.common.ssl.SslConfiguration.ORDERED_PROTOCOL_ALGORITHM_MAP;
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.CERTIFICATE;
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.CERTIFICATE_AUTHORITIES;
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.CIPHERS;
@@ -70,10 +64,22 @@
  */
 public abstract class SslConfigurationLoader {
 
-    static final List<String> DEFAULT_PROTOCOLS = Collections.unmodifiableList(
-        ORDERED_PROTOCOL_ALGORITHM_MAP.containsKey("TLSv1.3") ?
-            Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1") : Arrays.asList("TLSv1.2", "TLSv1.1"));
-    static final List<String> DEFAULT_CIPHERS = loadDefaultCiphers();
+    static final List<String> DEFAULT_PROTOCOLS = List.of("TLSv1.3", "TLSv1.2", "TLSv1.1");
+
+    /**
+     * This list has been created with ordering
+     */
+    static final List<String> DEFAULT_CIPHERS = List.of(
+        "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", // TLSv1.3 cipher has PFS, AEAD, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", // PFS, hardware support
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // PFS, hardware support
+        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", // AEAD, hardware support
+        "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", // hardware support
+        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"); // hardware support
     private static final char[] EMPTY_PASSWORD = new char[0];
 
     private final String settingPrefix;
@@ -141,9 +147,6 @@ public void setDefaultClientAuth(SslClientAuthenticationMode defaultClientAuth)
 
     /**
      * Change the default supported ciphers.
-     * The initial cipher list depends on the availability of {@link #has256BitAES() 256 bit AES}.
-     *
-     * @see #loadDefaultCiphers()
      */
     public void setDefaultCiphers(List<String> defaultCiphers) {
         this.defaultCiphers = defaultCiphers;
@@ -336,40 +339,4 @@ private <V> List<V> resolveListSetting(String key, Function<String, V> parser, L
             throw new SslConfigException("cannot retrieve setting [" + settingPrefix + key + "]", e);
         }
     }
-
-    private static List<String> loadDefaultCiphers() {
-        final List<String> ciphers128 = Arrays.asList(
-            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
-            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-            "TLS_RSA_WITH_AES_128_CBC_SHA256",
-            "TLS_RSA_WITH_AES_128_CBC_SHA"
-        );
-        final List<String> ciphers256 = Arrays.asList(
-            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
-            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
-            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-            "TLS_RSA_WITH_AES_256_CBC_SHA256",
-            "TLS_RSA_WITH_AES_256_CBC_SHA"
-        );
-        if (has256BitAES()) {
-            List<String> ciphers = new ArrayList<>(ciphers256.size() + ciphers128.size());
-            ciphers.addAll(ciphers256);
-            ciphers.addAll(ciphers128);
-            return ciphers;
-        } else {
-            return ciphers128;
-        }
-    }
-
-    private static boolean has256BitAES() {
-        try {
-            return Cipher.getMaxAllowedKeyLength("AES") > 128;
-        } catch (NoSuchAlgorithmException e) {
-            // No AES? Things are going to be very weird, but technically that means we don't have 256 bit AES, so ...
-            return false;
-        }
-    }
 }
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
index b76191af57fa3..92f8915e922f1 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
@@ -117,18 +117,17 @@ private XPackSettings() {
      * SSL settings. These are the settings that are specifically registered for SSL. Many are private as we do not explicitly use them
      * but instead parse based on a prefix (eg *.ssl.*)
      */
-    public static final List<String> DEFAULT_CIPHERS = List.of("TLS_AES_256_GCM_SHA384", // TLSv1.3 cipher has PFS, AEAD, hardware support
-        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", // PFS, AEAD, hardware support
-        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", // PFS, hardware support
-        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", // PFS, hardware support
-        "TLS_RSA_WITH_AES_256_GCM_SHA384", // AEAD, hardware support
-        "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", // hardware support
-        "TLS_AES_128_GCM_SHA256", // TLSv1.3 cipher has PFS, AEAD, hardware support
-        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" ,"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
-        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support
-        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // PFS, hardware support
-        "TLS_RSA_WITH_AES_128_GCM_SHA256", // AEAD, hardware support
-        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"); // hardware support
+    public static final List<String> DEFAULT_CIPHERS = List.of(
+        "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", // TLSv1.3 cipher has PFS, AEAD, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // PFS, AEAD, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", // PFS, hardware support
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", // PFS, hardware support
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", // PFS, hardware support
+        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", // AEAD, hardware support
+        "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", // hardware support
+        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"); // hardware support
 
     /*
      * Do not allow insecure hashing algorithms to be used for password hashing

From 8bad4fdd5c79f9669957a525755293a14a34d4fb Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Fri, 26 Apr 2019 08:41:10 -0600
Subject: [PATCH 07/15] update test certs

---
 .../ServerTransportFilterIntegrationTests.java        | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java
index f8bf1f47a38f1..6357da3c2fc18 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java
@@ -19,7 +19,6 @@
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.test.MockHttpTransport;
 import org.elasticsearch.test.SecurityIntegTestCase;
-import org.elasticsearch.test.SecuritySettingsSource;
 import org.elasticsearch.test.SecuritySettingsSourceField;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.ConnectionProfile;
@@ -40,6 +39,7 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.List;
 import java.util.concurrent.CountDownLatch;
 
 import static org.elasticsearch.discovery.SettingsBasedSeedHostsProvider.DISCOVERY_SEED_HOSTS_SETTING;
@@ -80,8 +80,7 @@ protected Settings nodeSettings(int nodeOrdinal) {
             settingsBuilder.put("transport.profiles.default.xpack.security.type", "node"); // this is default lets set it randomly
         }
 
-        SecuritySettingsSource.addSecureSettings(settingsBuilder, secureSettings ->
-            secureSettings.setString("transport.profiles.client.xpack.security.ssl.keystore.secure_password", "testnode"));
+        logger.error("node {} settings {}", nodeOrdinal, settingsBuilder.build());
         return settingsBuilder.build();
     }
 
@@ -112,7 +111,8 @@ public void testThatConnectionToServerTypeConnectionWorks() throws IOException,
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem",
             "testnode",
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
-            Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
+            List.of("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt"));
         try (Node node = new MockNode(nodeSettings.build(), mockPlugins)) {
             node.start();
             ensureStableCluster(cluster().size() + 1);
@@ -151,7 +151,8 @@ public void testThatConnectionToClientTypeConnectionIsRejected() throws IOExcept
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem",
             "testnode",
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
-            Collections.singletonList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
+            List.of("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt"));
         try (Node node = new MockNode(nodeSettings.build(), mockPlugins)) {
             node.start();
             TransportService instance = node.injector().getInstance(TransportService.class);

From 844e597db0143f2b35b90ecd82c4ea99dcd93701 Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Mon, 29 Apr 2019 13:26:49 -0600
Subject: [PATCH 08/15] remove unnecessary log statement

---
 .../transport/ServerTransportFilterIntegrationTests.java         | 1 -
 1 file changed, 1 deletion(-)

diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java
index 6357da3c2fc18..8bf5bf1d0af77 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ServerTransportFilterIntegrationTests.java
@@ -80,7 +80,6 @@ protected Settings nodeSettings(int nodeOrdinal) {
             settingsBuilder.put("transport.profiles.default.xpack.security.type", "node"); // this is default lets set it randomly
         }
 
-        logger.error("node {} settings {}", nodeOrdinal, settingsBuilder.build());
         return settingsBuilder.build();
     }
 

From ad12647c1de36af0f7bd210f7a350551b256eeb1 Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Mon, 29 Apr 2019 14:28:11 -0600
Subject: [PATCH 09/15] busted trust restrictions tests

---
 .../java/org/elasticsearch/test/SecuritySettingsSource.java   | 2 +-
 .../elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java    | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
index 09e1c00cb543e..bda0f78d8bf21 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
@@ -126,7 +126,7 @@ public Settings nodeSettings(int nodeOrdinal) {
 
         Settings.Builder builder = Settings.builder()
                 .put(XPackSettings.SECURITY_ENABLED.getKey(), true)
-                .put(NetworkModule.TRANSPORT_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO)
+                .put(NetworkModule.TRANSPORT_TYPE_KEY, SecurityField.NIO)//randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO)
                 .put(NetworkModule.HTTP_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO)
                 //TODO: for now isolate security tests from watcher & monitoring (randomize this later)
                 .put(XPackSettings.WATCHER_ENABLED.getKey(), false)
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java
index a89b8fcdd6981..d2fb12e7ba9a6 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java
@@ -179,6 +179,7 @@ public void testCertificateWithUntrustedNameFails() throws Exception {
             tryConnect(untrustedCert);
             fail("handshake should have failed, but was successful");
         } catch (SSLException | SocketException ex) {
+            logger.info("caught expected exception", ex);
             // expected
         }
     }
@@ -237,6 +238,9 @@ private void tryConnect(CertificateInfo certificate) throws Exception {
         TransportAddress address = internalCluster().getInstance(Transport.class, node).boundAddress().publishAddress();
         try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) {
             assertThat(socket.isConnected(), is(true));
+            // Need to not use client mode for TLSv1.3; otherwise the handshake completes prior to the trust restrictions
+            // causing the server to close the connection
+            socket.setUseClientMode(false);
             // The test simply relies on this (synchronously) connecting (or not), so we don't need a handshake handler
             socket.startHandshake();
         }

From 31afd194b20f8bb12f414469c4baf90c073dd13e Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Mon, 29 Apr 2019 15:21:49 -0600
Subject: [PATCH 10/15] fixed mistake

---
 .../xpack/ssl/SSLTrustRestrictionsTests.java  | 26 ++++++++++++-------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java
index d2fb12e7ba9a6..066f1b7b9df48 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java
@@ -30,7 +30,9 @@
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import java.io.IOException;
+import java.io.OutputStream;
 import java.net.SocketException;
+import java.net.SocketTimeoutException;
 import java.nio.file.AtomicMoveNotSupportedException;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -165,7 +167,7 @@ protected boolean transportSSLEnabled() {
     public void testCertificateWithTrustedNameIsAccepted() throws Exception {
         writeRestrictions("*.trusted");
         try {
-            tryConnect(trustedCert);
+            tryConnect(trustedCert, false);
         } catch (SSLException | SocketException ex) {
             logger.warn(new ParameterizedMessage("unexpected handshake failure with certificate [{}] [{}]",
                     trustedCert.certificate.getSubjectDN(), trustedCert.certificate.getSubjectAlternativeNames()), ex);
@@ -176,10 +178,9 @@ public void testCertificateWithTrustedNameIsAccepted() throws Exception {
     public void testCertificateWithUntrustedNameFails() throws Exception {
         writeRestrictions("*.trusted");
         try {
-            tryConnect(untrustedCert);
+            tryConnect(untrustedCert, true);
             fail("handshake should have failed, but was successful");
         } catch (SSLException | SocketException ex) {
-            logger.info("caught expected exception", ex);
             // expected
         }
     }
@@ -188,7 +189,7 @@ public void testRestrictionsAreReloaded() throws Exception {
         writeRestrictions("*");
         assertBusy(() -> {
             try {
-                tryConnect(untrustedCert);
+                tryConnect(untrustedCert, false);
             } catch (SSLException | SocketException ex) {
                 fail("handshake should have been successful, but failed with " + ex);
             }
@@ -197,7 +198,7 @@ public void testRestrictionsAreReloaded() throws Exception {
         writeRestrictions("*.trusted");
         assertBusy(() -> {
             try {
-                tryConnect(untrustedCert);
+                tryConnect(untrustedCert, true);
                 fail("handshake should have failed, but was successful");
             } catch (SSLException | SocketException ex) {
                 // expected
@@ -222,7 +223,7 @@ private void runResourceWatcher() {
         }
     }
 
-    private void tryConnect(CertificateInfo certificate) throws Exception {
+    private void tryConnect(CertificateInfo certificate, boolean shouldFail) throws Exception {
         Settings settings = Settings.builder()
                 .put("path.home", createTempDir())
                 .put("xpack.security.transport.ssl.key", certificate.getKeyPath())
@@ -238,11 +239,18 @@ private void tryConnect(CertificateInfo certificate) throws Exception {
         TransportAddress address = internalCluster().getInstance(Transport.class, node).boundAddress().publishAddress();
         try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) {
             assertThat(socket.isConnected(), is(true));
-            // Need to not use client mode for TLSv1.3; otherwise the handshake completes prior to the trust restrictions
-            // causing the server to close the connection
-            socket.setUseClientMode(false);
             // The test simply relies on this (synchronously) connecting (or not), so we don't need a handshake handler
             socket.startHandshake();
+
+            // blocking read for TLSv1.3 to see if the other side closed the connection
+            if (socket.getSession().getProtocol().equals("TLSv1.3")) {
+                if (shouldFail) {
+                    socket.getInputStream().read();
+                } else {
+                    socket.setSoTimeout(1000); // 1 second timeout
+                    expectThrows(SocketTimeoutException.class, () -> socket.getInputStream().read());
+                }
+            }
         }
     }
 

From 9e4672df22e226cbb7c625d424e9dd9db237b56a Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Tue, 30 Apr 2019 07:44:31 -0600
Subject: [PATCH 11/15] unused import

---
 .../org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java   | 1 -
 1 file changed, 1 deletion(-)

diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java
index 066f1b7b9df48..944c3306763a6 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLTrustRestrictionsTests.java
@@ -30,7 +30,6 @@
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import java.io.IOException;
-import java.io.OutputStream;
 import java.net.SocketException;
 import java.net.SocketTimeoutException;
 import java.nio.file.AtomicMoveNotSupportedException;

From d13407a1fa024bca65831f5595c1dc8c0e3faf3f Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Tue, 30 Apr 2019 08:02:32 -0600
Subject: [PATCH 12/15] debugging leftover

---
 .../java/org/elasticsearch/test/SecuritySettingsSource.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
index bda0f78d8bf21..09e1c00cb543e 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java
@@ -126,7 +126,7 @@ public Settings nodeSettings(int nodeOrdinal) {
 
         Settings.Builder builder = Settings.builder()
                 .put(XPackSettings.SECURITY_ENABLED.getKey(), true)
-                .put(NetworkModule.TRANSPORT_TYPE_KEY, SecurityField.NIO)//randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO)
+                .put(NetworkModule.TRANSPORT_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO)
                 .put(NetworkModule.HTTP_TYPE_KEY, randomBoolean() ? SecurityField.NAME4 : SecurityField.NIO)
                 //TODO: for now isolate security tests from watcher & monitoring (randomize this later)
                 .put(XPackSettings.WATCHER_ENABLED.getKey(), false)

From 1082da25e2a80e3fe5f1b96407996fa231b40752 Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Tue, 30 Apr 2019 08:07:03 -0600
Subject: [PATCH 13/15] test fix

---
 .../java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java
index dd6985889d7ee..3eeaca1a3f114 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLReloadIntegTests.java
@@ -115,6 +115,10 @@ public void testThatSSLConfigurationReloadsOnModification() throws Exception {
         try (SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(address.getAddress(), address.getPort())) {
             assertThat(socket.isConnected(), is(true));
             socket.startHandshake();
+            if (socket.getSession().getProtocol().equals("TLSv1.3")) {
+                // blocking read for TLSv1.3 to see if the other side closed the connection
+                socket.getInputStream().read();
+            }
             fail("handshake should not have been successful!");
         } catch (SSLException | SocketException expected) {
             logger.trace("expected exception", expected);

From b6bb085fab72094b326981ebfa88b70a8efc0c50 Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Tue, 30 Apr 2019 11:53:30 -0600
Subject: [PATCH 14/15] some test fixes

---
 .../authc/pki/PkiAuthenticationTests.java         | 15 +++++++++------
 .../xpack/ssl/SSLClientAuthTests.java             |  8 +++++---
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java
index 52c87c75a13a7..1ef36f4fdbdf7 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiAuthenticationTests.java
@@ -66,8 +66,9 @@ protected Settings nodeSettings() {
             .put("xpack.security.http.ssl.client_authentication", sslClientAuth)
             .put("xpack.security.authc.realms.file.file.order", "0")
             .put("xpack.security.authc.realms.pki.pki1.order", "1")
-            .put("xpack.security.authc.realms.pki.pki1.certificate_authorities",
-                getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"))
+            .putList("xpack.security.authc.realms.pki.pki1.certificate_authorities",
+                getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt").toString(),
+                getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt").toString())
             .put("xpack.security.authc.realms.pki.pki1.files.role_mapping", getDataPath("role_mapping.yml"));
         return builder.build();
     }
@@ -91,8 +92,8 @@ public void testTransportClientCanAuthenticateViaPki() {
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem",
             "testnode",
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
-            Arrays.asList
-                ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
+            Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt"));
         try (TransportClient client = createTransportClient(builder.build())) {
             client.addTransportAddress(randomFrom(node().injector().getInstance(Transport.class).boundAddress().boundAddresses()));
             IndexResponse response = client.prepareIndex("foo", "bar").setSource("pki", "auth").get();
@@ -119,7 +120,8 @@ public void testRestAuthenticationViaPki() throws Exception {
             "testnode",
             "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
             Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
-                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt"));
         try (CloseableHttpClient client = HttpClients.custom().setSSLContext(context).build()) {
             HttpPut put = new HttpPut(getNodeUrl() + "foo");
             try (CloseableHttpResponse response = SocketAccess.doPrivileged(() -> client.execute(put))) {
@@ -133,7 +135,8 @@ public void testRestAuthenticationFailure() throws Exception {
         SSLContext context = getRestSSLContext("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem",
             "testclient", "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
             Arrays.asList("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt",
-                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt"));
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt",
+                "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt"));
         try (CloseableHttpClient client = HttpClients.custom().setSSLContext(context).build()) {
             HttpPut put = new HttpPut(getNodeUrl() + "foo");
             try (CloseableHttpResponse response = SocketAccess.doPrivileged(() -> client.execute(put))) {
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java
index 7075a677a26ce..33d75ecb1d9ac 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/ssl/SSLClientAuthTests.java
@@ -135,6 +135,7 @@ public void testThatTransportWorksWithoutSslClientAuth() throws IOException {
         Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient-client-profile.pem");
         Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient-client-profile.crt");
         Path nodeCertPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
+        Path nodeEcCertPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt");
 
         if (Files.notExists(keyPath) || Files.notExists(certPath)) {
             throw new ElasticsearchException("key or certificate path doesn't exist");
@@ -147,7 +148,7 @@ public void testThatTransportWorksWithoutSslClientAuth() throws IOException {
             .put("xpack.security.transport.ssl.client_authentication", SSLClientAuth.NONE)
             .put("xpack.security.transport.ssl.key", keyPath)
             .put("xpack.security.transport.ssl.certificate", certPath)
-            .put("xpack.security.transport.ssl.certificate_authorities", nodeCertPath)
+            .putList("xpack.security.transport.ssl.certificate_authorities", nodeCertPath.toString(), nodeEcCertPath.toString())
             .setSecureSettings(secureSettings)
             .put("cluster.name", internalCluster().getClusterName())
             .put(SecurityField.USER_SETTING.getKey(), transportClientUsername() + ":" + new String(transportClientPassword().getChars()))
@@ -165,12 +166,13 @@ private SSLContext getSSLContext() {
         try {
             String certPath = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt";
             String nodeCertPath = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt";
+            String nodeEcCertPath = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_ec.crt";
             String keyPath = "/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.pem";
             TrustManager tm = CertParsingUtils.trustManager(CertParsingUtils.readCertificates(Arrays.asList(getDataPath
-                (certPath), getDataPath(nodeCertPath))));
+                (certPath), getDataPath(nodeCertPath), getDataPath(nodeEcCertPath))));
             KeyManager km = CertParsingUtils.keyManager(CertParsingUtils.readCertificates(Collections.singletonList(getDataPath
                 (certPath))), PemUtils.readPrivateKey(getDataPath(keyPath), "testclient"::toCharArray), "testclient".toCharArray());
-            SSLContext context = SSLContext.getInstance("TLSv1.2");
+            SSLContext context = SSLContext.getInstance(randomFrom("TLSv1.3", "TLSv1.2"));
             context.init(new KeyManager[] { km }, new TrustManager[] { tm }, new SecureRandom());
             return context;
         } catch (Exception e) {

From fc57894fb7b8c7646495672b7ed1d0e5df6cdccc Mon Sep 17 00:00:00 2001
From: jaymode <jay@elastic.co>
Date: Tue, 30 Apr 2019 12:38:54 -0600
Subject: [PATCH 15/15] pin reindex client tests to tlsv1.2 since mockwebserver
 has issues with TLSv1.3

---
 .../index/reindex/ReindexRestClientSslTests.java              | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/reindex/src/test/java/org/elasticsearch/index/reindex/ReindexRestClientSslTests.java b/modules/reindex/src/test/java/org/elasticsearch/index/reindex/ReindexRestClientSslTests.java
index 7c94b94bbb1d5..a2e00e66fd218 100644
--- a/modules/reindex/src/test/java/org/elasticsearch/index/reindex/ReindexRestClientSslTests.java
+++ b/modules/reindex/src/test/java/org/elasticsearch/index/reindex/ReindexRestClientSslTests.java
@@ -120,6 +120,7 @@ public void testClientFailsWithUntrustedCertificate() throws IOException {
         final List<Thread> threads = new ArrayList<>();
         final Settings settings = Settings.builder()
             .put("path.home", createTempDir())
+            .put("reindex.ssl.supported_protocols", "TLSv1.2")
             .build();
         final Environment environment = TestEnvironment.newEnvironment(settings);
         final ReindexSslConfig ssl = new ReindexSslConfig(settings, environment, mock(ResourceWatcherService.class));
@@ -134,6 +135,7 @@ public void testClientSucceedsWithCertificateAuthorities() throws IOException {
         final Settings settings = Settings.builder()
             .put("path.home", createTempDir())
             .putList("reindex.ssl.certificate_authorities", ca.toString())
+            .put("reindex.ssl.supported_protocols", "TLSv1.2")
             .build();
         final Environment environment = TestEnvironment.newEnvironment(settings);
         final ReindexSslConfig ssl = new ReindexSslConfig(settings, environment, mock(ResourceWatcherService.class));
@@ -149,6 +151,7 @@ public void testClientSucceedsWithVerificationDisabled() throws IOException {
         final Settings settings = Settings.builder()
             .put("path.home", createTempDir())
             .put("reindex.ssl.verification_mode", "NONE")
+            .put("reindex.ssl.supported_protocols", "TLSv1.2")
             .build();
         final Environment environment = TestEnvironment.newEnvironment(settings);
         final ReindexSslConfig ssl = new ReindexSslConfig(settings, environment, mock(ResourceWatcherService.class));
@@ -169,6 +172,7 @@ public void testClientPassesClientCertificate() throws IOException {
             .put("reindex.ssl.certificate", cert)
             .put("reindex.ssl.key", key)
             .put("reindex.ssl.key_passphrase", "client-password")
+            .put("reindex.ssl.supported_protocols", "TLSv1.2")
             .build();
         AtomicReference<Certificate[]> clientCertificates = new AtomicReference<>();
         handler = https -> {