[QUESTION] Enable specific version of TLS


(Askids) #1

hi,

Is there any way for me to allow only a specific version of TLS when using HTTPS with ROR? Let's say I don't want to allow 1.0 for now, or tomorrow I want to allow only 1.2 and above. Is there a way to configure it?

Thanks!


(Simone Scarduzio) #2

Nice one, I just committed the feature :slight_smile:

Example conf

readonlyrest:
  ssl:
    keystore_file: "keystore.jks"
    keystore_pass: readonlyrest
    key_pass: readonlyrest
    allowed_protocols: ["TLSv1.2"]
    allowed_ciphers: ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
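Once allowed_protocols is set, the check a practitioner wants is an external one: does the node really refuse a TLSv1 or TLSv1.1 handshake? The Java probe below is an added example, not part of ReadonlyREST or of this thread. It assumes the ES HTTP endpoint is at localhost:9200 (override on the command line) and only asks whether a handshake completes at each version, so it deliberately skips certificate validation and must not be reused for anything that carries data.

```java
// TlsVersionProbe.java -- added example, not ReadonlyREST code.
// Opens one TLS connection per protocol version against an HTTPS endpoint
// and reports which versions the server accepts, to confirm that
// allowed_protocols: ["TLSv1.2"] really turned TLSv1 / TLSv1.1 away.
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TlsVersionProbe {

    // Versions to try, oldest first. SSLv3 is included only to show it is refused.
    private static final String[] VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};

    // The probe only asks "does the server complete a handshake at this version?",
    // so certificate validation is switched off on purpose. Probe-only; never reuse.
    private static final TrustManager[] TRUST_ANY = {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    /** True when the server completes a handshake with exactly this one version offered. */
    static boolean handshakes(String host, int port, String version, int timeoutMillis) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ANY, null);
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (Socket plain = new Socket()) {
            plain.connect(new InetSocketAddress(host, port), timeoutMillis);
            plain.setSoTimeout(timeoutMillis);
            try (SSLSocket ssl = (SSLSocket) factory.createSocket(plain, host, port, true)) {
                ssl.setEnabledProtocols(new String[] {version});   // offer this version only
                ssl.startHandshake();
                return version.equals(ssl.getSession().getProtocol());
            }
        } catch (IOException e) {
            // Server sent a protocol_version alert or closed the socket: counts as refused.
            return false;
        } catch (IllegalArgumentException e) {
            // The local JDK does not even know this version name: counts as refused.
            return false;
        }
    }

    /** Probes every version in VERSIONS and returns version -> accepted, in order. */
    static Map<String, Boolean> probe(String host, int port) throws Exception {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String v : VERSIONS) {
            result.put(v, handshakes(host, port, v, 5000));
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";          // assumed ES HTTP host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9200;  // assumed ES HTTP port
        Map<String, Boolean> r = probe(host, port);
        r.forEach((v, ok) -> System.out.printf("%-8s %s%n", v, ok ? "accepted" : "refused"));
        boolean legacyOpen = r.getOrDefault("SSLv3", false)
            || r.getOrDefault("TLSv1", false)
            || r.getOrDefault("TLSv1.1", false);
        System.exit(legacyOpen ? 1 : 0);   // non-zero exit means the policy is not enforced
    }
}
```

Run it as `java TlsVersionProbe es-host 9200` before and after the change: with allowed_protocols: ["TLSv1.2"] it should print refused for SSLv3, TLSv1 and TLSv1.1 and exit 0. One caveat: JDK 8u291 and later and JDK 11 and later list TLSv1 and TLSv1.1 in jdk.tls.disabledAlgorithms, so the client side reports those as refused whatever the server does; run the probe from an older JDK or cross-check with openssl s_client in that case.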


(Askids) #3

Fantastic. If you can provide a download link, I can test this pre-version.

For current users, I don't want it to become a pain. But given that 1.0 is nearing end of life soon (in another 6-7 months), I would also like to suggest that for later releases of ROR, sometime down the line next year, support for 1.0 is not enabled by default. At least on the Windows stack, most OSes now default to TLS 1.2. Not sure on the Linux side. So you might want to see what is a good way to enforce it without troubling too many users.

So essentially, when this property is not configured, you can have one kind of default behavior for now, which will allow any version. But later on, change that default behavior to, say, only allow 1.1 and above. Later on, when you don't want users to continue on 1.0, that support can be removed totally.


(Simone Scarduzio) #4

This is how it works now. The “default behaviour” is delegated to the JVM/OS as usual, and as it should be.

It’s still building in CI, what version(s) do you need?


(Askids) #5

I need it for ES 5.5.1.


(Simone Scarduzio) #6

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.16.15-pre2/readonlyrest-1.16.15-pre2_es5.5.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20171220/eu-west-1/s3/aws4_request&X-Amz-Date=20171220T002432Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=33bc4b21774ac38ffea60f86e669169ecb4add03c7945c0fcf26629d9b532b7f


(Askids) #7

Tried it on Win 2008 R2, but it did not work. When I enable a specific protocol version, ROR is unable to load the certificate. If I comment out the allowed protocols, then it works without any issue.

ssl:
  enable: true
  # put the keystore in the same dir with elasticsearch.yml 
  key_alias: mydomain.com
  keystore_file: mydomain.com.jks
  keystore_pass: Password1
  key_pass: Password1
  allowed_protocols: ["TLSv1.2"]

Below is the entry from the log.

[2017-12-20T16:12:09,078][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL accepted protocols: TLSv1.2
[2017-12-20T16:12:09,110][ERROR][t.b.r.e.SSLTransportNetty4] Failed to load SSL CertChain & private key from Keystore!
[2017-12-20T16:12:09,331][ERROR][o.e.b.Bootstrap          ] [xxxxxxxxx-xxxxxxxxxxxxx] Exception
java.util.NoSuchElementException: No value present
	at java.util.Optional.get(Optional.java:135) ~[?:1.8.0_144]
	at tech.beshu.ror.es.SSLTransportNetty4.configureServerChannelHandler(SSLTransportNetty4.java:83) ~[?:?]
	at org.elasticsearch.http.netty4.Netty4HttpServerTransport.doStart(Netty4HttpServerTransport.java:297) ~[?:?]
	at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.node.Node.start(Node.java:743) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:277) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.Command.main(Command.java:88) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) [elasticsearch-5.5.1.jar:5.5.1]
[2017-12-20T16:12:09,350][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [USTESDIF-WSDNW1QUEOT] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.util.NoSuchElementException: No value present
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:127) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.Command.main(Command.java:88) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) ~[elasticsearch-5.5.1.jar:5.5.1]
Caused by: java.util.NoSuchElementException: No value present
	at java.util.Optional.get(Optional.java:135) ~[?:1.8.0_144]
	at tech.beshu.ror.es.SSLTransportNetty4.configureServerChannelHandler(SSLTransportNetty4.java:83) ~[?:?]
	at org.elasticsearch.http.netty4.Netty4HttpServerTransport.doStart(Netty4HttpServerTransport.java:297) ~[?:?]
	at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.node.Node.start(Node.java:743) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:277) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.5.1.jar:5.5.1]
	... 6 more

(Askids) #8

Tried it on Windows 2012 as well. I get the same error as Win 2008 R2.


(Simone Scarduzio) #9

Can you please see if you also get a "Failed to load SSL CertChain & private key from Keystore!" with a stack trace?


(Askids) #10

Yes, I do. It's also present on line 2 of the log entries that I copied in my previous reply.


(Simone Scarduzio) #11

Yes, but where is the stderr?? Where is the stack trace of that first exception? I don't get why it's lost.

I have now prepared another build with more information being logged to regular stdout logging.

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/tmp/readonlyrest-1.16.15-pre3_es5.5.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20171222/eu-west-1/s3/aws4_request&X-Amz-Date=20171222T211705Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=7ef714c5d0629729d69ac05ef4ecfba84ab24ee6faa1d8b0fbaad7e5ac577e32


(Askids) #12

This time, I see some additional text.

Failed to load SSL CertChain & private key from Keystore! UnsupportedOperationException: JDK provider does not support NPN_AND_ALPN protocol

BTW, we are using the 64-bit jre1.8.0_152.

[2017-12-26T09:40:50,984][INFO ][t.b.r.e.IndexLevelActionFilter] [MYCLUSTER-MYNODE1] Configuration reloaded - ReadonlyREST enabled
[2017-12-26T09:40:50,984][INFO ][t.b.r.e.IndexLevelActionFilter] [MYCLUSTER-MYNODE1] Readonly REST plugin was loaded...
[2017-12-26T09:40:51,810][INFO ][o.e.n.Node               ] [MYCLUSTER-MYNODE1] initialized
[2017-12-26T09:40:51,811][INFO ][o.e.n.Node               ] [MYCLUSTER-MYNODE1] starting ...
[2017-12-26T09:40:52,053][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:40:52,070][INFO ][o.e.t.TransportService   ] [MYCLUSTER-MYNODE1] publish_address {xxx.xxx.xxx.xxx:nnnnn}, bound_addresses {[yyyy::yyyy:yyyy:yyyy:yyyy]:NNNNN}, {xxx.xxx.xxx.xxx:nnnnn}
[2017-12-26T09:40:52,077][INFO ][o.e.b.BootstrapChecks    ] [MYCLUSTER-MYNODE1] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-12-26T09:40:53,058][DEBUG][o.e.a.a.c.h.TransportClusterHealthAction] [MYCLUSTER-MYNODE1] no known master node, scheduling a retry
[2017-12-26T09:40:55,126][INFO ][o.e.c.s.ClusterService   ] [MYCLUSTER-MYNODE1] new_master {MYCLUSTER-MYNODE1}{kX3KiRXSTUiiRmcKKng6DQ}{31wfRO0iQTe8PMY5BlxXxg}{MYNODE1.MYDOMAIN.com}{xxx.xxx.xxx.xxx:nnnnn}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2017-12-26T09:40:55,207][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:40:55,519][INFO ][t.b.r.e.SSLTransportNetty4] SSL: attempting with JKS keystore..
[2017-12-26T09:40:55,521][INFO ][t.b.r.e.SSLTransportNetty4] Discovered key from JKS
[2017-12-26T09:40:55,522][INFO ][t.b.r.e.SSLTransportNetty4] Discovered cert chain from JKS
[2017-12-26T09:40:55,748][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL accepted protocols: TLSv1.2,TLSv1.1
[2017-12-26T09:40:55,784][ERROR][t.b.r.e.SSLTransportNetty4] Failed to load SSL CertChain & private key from Keystore! UnsupportedOperationException: JDK provider does not support NPN_AND_ALPN protocol
[2017-12-26T09:40:56,256][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:40:56,782][ERROR][o.e.b.Bootstrap          ] [MYCLUSTER-MYNODE1] Exception
java.util.NoSuchElementException: No value present
	at java.util.Optional.get(Unknown Source) ~[?:1.8.0_152]
	at tech.beshu.ror.es.SSLTransportNetty4.configureServerChannelHandler(SSLTransportNetty4.java:82) ~[?:?]
	at org.elasticsearch.http.netty4.Netty4HttpServerTransport.doStart(Netty4HttpServerTransport.java:297) ~[?:?]
	at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.node.Node.start(Node.java:743) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:277) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.Command.main(Command.java:88) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) [elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) [elasticsearch-5.5.1.jar:5.5.1]
[2017-12-26T09:40:56,790][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [MYCLUSTER-MYNODE1] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.util.NoSuchElementException: No value present
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:127) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.cli.Command.main(Command.java:88) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) ~[elasticsearch-5.5.1.jar:5.5.1]
Caused by: java.util.NoSuchElementException: No value present
	at java.util.Optional.get(Unknown Source) ~[?:1.8.0_152]
	at tech.beshu.ror.es.SSLTransportNetty4.configureServerChannelHandler(SSLTransportNetty4.java:82) ~[?:?]
	at org.elasticsearch.http.netty4.Netty4HttpServerTransport.doStart(Netty4HttpServerTransport.java:297) ~[?:?]
	at org.elasticsearch.common.component.AbstractLifecycleComponent.start(AbstractLifecycleComponent.java:69) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.node.Node.start(Node.java:743) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Bootstrap.start(Bootstrap.java:277) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.5.1.jar:5.5.1]
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.5.1.jar:5.5.1]
	... 6 more
[2017-12-26T09:40:57,483][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:40:58,325][INFO ][o.e.l.LicenseService     ] [MYCLUSTER-MYNODE1] license [ba783f1c-2684-4722-911c-3fce7ab7e7c3] mode [basic] - valid
[2017-12-26T09:40:58,340][INFO ][o.e.g.GatewayService     ] [MYCLUSTER-MYNODE1] recovered [58] indices into cluster_state
[2017-12-26T09:40:58,573][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:40:59,588][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:00,622][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:01,746][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:02,754][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:03,769][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:04,773][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:05,938][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:07,082][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:08,113][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:09,120][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:10,123][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:11,129][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:12,195][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:13,207][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:14,226][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:15,283][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready...
[2017-12-26T09:41:16,148][INFO ][o.e.c.r.a.AllocationService] [MYCLUSTER-MYNODE1] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[ucrdb][1], [ucrdb][2]] ...]).
[2017-12-26T09:41:16,323][INFO ][t.b.r.e.SettingsObservableImpl] [CLUSTERWIDE SETTINGS] index settings not found. Will keep on using the local YAML file. Learn more about clusterwide settings at https://readonlyrest.com/pro.html 
[2017-12-26T09:42:41,642][INFO ][o.e.n.Node               ] [MYCLUSTER-MYNODE1] stopping ...
[2017-12-26T09:42:42,185][INFO ][o.e.n.Node               ] [MYCLUSTER-MYNODE1] stopped
[2017-12-26T09:42:42,186][INFO ][o.e.n.Node               ] [MYCLUSTER-MYNODE1] closing ...
[2017-12-26T09:42:42,192][INFO ][t.b.r.c.s.e.ESShutdownObservable] Shutting down ROR resources...
[2017-12-26T09:42:42,194][INFO ][o.e.n.Node               ] [MYCLUSTER-MYNODE1] closed

(Simone Scarduzio) #13

This is not supported by the JDK SSL provider. See this:

https://crypto.stackexchange.com/questions/37138/secure-cipher-suites-supported-by-jdk-versions


(Askids) #14

@sscarduzio I have not explicitly selected this or any other cipher. I am just setting the allowed protocols to TLS v1.2. Looks like this is what ROR is somehow trying to use. Moreover, this happens only when I specify the allowed protocol option. Even if I include all protocols, for that matter, say allowed_protocols: ["TLSv1.2","TLSv1.1","TLSv1.0"], this issue still happens. The SSL option works fine as long as I don't include this parameter "allowed_protocols" in the config file. So somehow the protocols that ROR uses by default are different from what it tries to use when "allowed_protocols" is present. So you might want to check why there is a difference.

Also, just FYI, I am doing the same for Searchguard SSL (for the transport layer) to enforce only a specific version of TLS. That works fine. When I don't specify any version, it defaults to TLS 1.2 and 1.1. But I am also able to successfully specify TLS v1.2. It lists some 57 ciphers as supported by the JVM and also shows the ciphers it defaults to. I am copying that part of the log for your reference, as they are also ending up having to use JDK SSL only.

[2017-12-26T09:40:46,577][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSL
[2017-12-26T09:40:46,578][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_152
[2017-12-26T09:40:46,578][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-12-26T09:40:46,578][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-12-26T09:40:46,578][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-12-26T09:40:46,578][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-12-26T09:40:46,578][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot(TM) 64-Bit Server VM
[2017-12-26T09:40:46,578][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-12-26T09:40:46,579][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-12-26T09:40:46,579][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-12-26T09:40:46,579][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-12-26T09:40:46,579][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Windows Server 2012 R2
[2017-12-26T09:40:46,579][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-12-26T09:40:46,579][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 6.3
[2017-12-26T09:40:46,786][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers for https [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
[2017-12-26T09:40:46,789][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers for transport [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
[2017-12-26T09:40:46,790][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is D:\Apps\Program Files\Elasticsearch-5.5.1\config/, from there the key- and truststore files are resolved relatively
[2017-12-26T09:40:46,794][INFO ][c.f.s.s.u.SSLCertificateHelper] No alias given, use the first one: mydomain.com
[2017-12-26T09:40:46,794][WARN ][c.f.s.s.u.SSLCertificateHelper] Certificate chain for alias mydomain.com contains a root certificate
[2017-12-26T09:40:46,809][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit.. That is not an issue, it just limits possible encryption strength. To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'
[2017-12-26T09:40:46,810][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-12-26T09:40:46,811][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-12-26T09:40:46,811][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTPProvider:null with ciphers []
[2017-12-26T09:40:46,811][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2]
[2017-12-26T09:40:46,811][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

(Askids) #15

I was doing some further reading. Looks like when using JDK SSL on Java 8, there is no support for the NPN_AND_ALPN protocol. That is supported only on OpenSSL. Native ALPN support is apparently going to be available on JDK 9.

I checked the code in SSLTransportNetty4.java. When the allowed protocol option is present in the config, the NPN_AND_ALPN protocol is hard-coded. That is why we are getting this error. You might have to modify it to check if we are using OpenSSL or JDK SSL and accordingly set the application protocols. Until we start using Java 9, this part of the code will always throw an error for people using JDK SSL.

basicSettings.getAllowedSSLProtocols().ifPresent(allowedProtos -> {
  sslcb.applicationProtocolConfig(new ApplicationProtocolConfig(
    ApplicationProtocolConfig.Protocol.NPN_AND_ALPN,
    ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL,
    ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
    allowedProtos
  ));
  logger.info("ROR SSL accepted protocols: " + Joiner.on(",").join(allowedProtos));
});
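For comparison, here is the same restriction expressed against Netty's SslContextBuilder, as an added example and not ReadonlyREST's code. The point it makes is that ApplicationProtocolConfig is the ALPN/NPN layer (it negotiates application protocol names such as h2 or http/1.1), which the JDK provider on Java 8 cannot do, so TLS versions do not belong in it at all: they go through protocols(), and the ALPN setting stays at ApplicationProtocolConfig.DISABLED, the constant Netty provides for exactly this (the public constructor refuses Protocol.NONE with "protocol (NONE) must not be NONE", the error post #20 below runs into). Assumptions: a Netty 4.1 release that has SslContextBuilder.protocols(), and the keystore path and passwords from the example conf earlier in the thread.

```java
// RestrictedSslContext.java -- added example, not ReadonlyREST's code.
// Builds a Netty SslContext that enforces a TLS-version and cipher allow-list on
// the JDK provider. TLS versions go through SslContextBuilder.protocols(); the
// ApplicationProtocolConfig (ALPN/NPN) is a separate layer and is left DISABLED,
// which is all the JDK provider on Java 8 supports.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import io.netty.buffer.UnpooledByteBufAllocator;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.SupportedCipherSuiteFilter;

public final class RestrictedSslContext {

    /** Mirrors keystore_file / keystore_pass / key_pass from the ROR ssl: block. */
    static KeyManagerFactory loadKeyManager(String keystoreFile, char[] keystorePass, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystoreFile)) {
            ks.load(in, keystorePass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        return kmf;
    }

    /**
     * allowedProtocols / allowedCiphers may be null to fall back to the JVM defaults,
     * i.e. "delegate to the JVM/OS when the setting is absent", as the thread wants.
     */
    static SslContext build(KeyManagerFactory kmf, List<String> allowedProtocols, List<String> allowedCiphers)
            throws Exception {
        SslContextBuilder b = SslContextBuilder.forServer(kmf)
            .sslProvider(SslProvider.JDK)
            // No ALPN/NPN at all. new ApplicationProtocolConfig(Protocol.NONE, ...) throws
            // "protocol (NONE) must not be NONE"; DISABLED is the constant meant for this.
            .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED);
        if (allowedProtocols != null) {
            // TLS versions belong here, not in the application-protocol list.
            // (Assumed: this Netty 4.1 has protocols(); otherwise call
            // SSLEngine.setEnabledProtocols on ctx.newEngine(alloc) before wrapping it.)
            b.protocols(allowedProtocols.toArray(new String[0]));
        }
        if (allowedCiphers != null) {
            // Drop names the JDK does not know instead of failing at handshake time.
            b.ciphers(allowedCiphers, SupportedCipherSuiteFilter.INSTANCE);
        }
        return b.build();
    }

    /** What a client will actually be offered; worth logging at startup as ROR does. */
    static String[] enabledProtocols(SslContext ctx) {
        SSLEngine engine = ctx.newEngine(UnpooledByteBufAllocator.DEFAULT);
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        // Assumed path and passwords, taken from the example conf earlier in the thread.
        KeyManagerFactory kmf = loadKeyManager("keystore.jks",
            "readonlyrest".toCharArray(), "readonlyrest".toCharArray());
        SslContext ctx = build(kmf,
            Arrays.asList("TLSv1.2"),
            Arrays.asList("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
        System.out.println("enabled protocols: " + String.join(",", enabledProtocols(ctx)));
        System.out.println("enabled ciphers:   " + ctx.cipherSuites());
        // ctx.newHandler(channel.alloc()) is what goes first in the Netty pipeline.
    }
}
```

Two design notes. SupportedCipherSuiteFilter silently drops cipher names the JDK cannot provide, so an allow-list with an ECDSA suite and an RSA certificate does not blow up at build time; check the printed cipher list rather than assuming. And the 57-cipher "JVM supports" list in the Searchguard log above includes NULL, anon, EXPORT and single-DES suites: "supported" is the JDK's full table, not what gets enabled, which is why an explicit allowed_ciphers list is worth setting alongside allowed_protocols.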

(Simone Scarduzio) #16

You are right, that's the problem! For the older versions of ES (sub 6.0) I had to specify a custom ApplicationProtocolConfig and that NPN_AND_ALPN sneaked in from a Netty example. Gosh, that was lame.

So after reading this
https://netty.io/wiki/requirements-for-4.x.html#benefits-of-using-openssl

And understanding that both NPN and ALPN are off limits for the JDK SSL Provider, I set up the only remaining option, which is NONE. I'll give you a build soon.

BTW I’m trying to use the JDK SSL Provider for as long as possible because it requires platform specific dependencies and I would need to either start creating packages for windows, linux and mac for each version or letting the users download the jars manually. Both of the two options suck badly.


(Askids) #17

Thanks. You might want to check the Searchguard SSL codebase as they also use Netty. They do try to use OpenSSL when available, else fall back to JDK SSL. Based on the SSL that they use, they validate which are valid ciphers and protocols. At this time, they have set the application protocol to disabled. I couldn't make much of it :wink: but you might be able to get a better idea.

Like you said, trying to package ROR for separate OSes or needing users to manually download jars are both bad options. So let's try to see what is the simplest way to support it at this time, without breaking too much sweat :D.

Given that Java 9 is already released, were there any plans already drawn on that front for ROR, irrespective of this request?


(Simone Scarduzio) #18

OK, in this new pre4 version we load the "default ssl provider", so Netty will select OpenSSL if ever available.
ROR will leave it to the user to optionally add the jars to $ES_HOME/plugins/readonlyrest if they require specific ciphers or protocols.

For now the application protocol will stay NONE (no ALPN, nor NPN, nor ALPN_AND_NPN) to keep it simple. In the future we might want to add a setting to enable those options only if the native OpenSSL jar is available.

Here is the pre4 build for ES 5.5.1


(Simone Scarduzio) #19

I will look into moving to Java 9 ASAP after I release this one. Good point.
By the way @askids thanks for helping out so much, as usual :raised_hands:


(Askids) #20

You are welcome.

BTW, I tried the pre4 build. I am getting the following error: "protocol (NONE) must not be NONE". I think that you will need to set the application protocol config to disabled, like it's being done in SG-SSL.

[2017-12-29T12:46:32,520][ERROR][t.b.r.e.SSLTransportNetty4] Failed to load SSL CertChain & private key from Keystore! IllegalArgumentException: protocol (NONE) must not be NONE.
[2017-12-29T12:46:32,789][ERROR][o.e.b.Bootstrap          ] [USTESSE-WSDIE3JLE] Exception
java.util.NoSuchElementException: No value present
	at java.util.Optional.get(Unknown Source) ~[?:1.8.0_152]
	at tech.beshu.ror.es.SSLTransportNetty4.configureServerChannelHandler(SSLTransportNetty4.java:83) ~[?:?]