Merge pull request #224 from debjanibnrj/removeopenssl

Removed OpenSSL for 7.4

Author: debjanibnrj

src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/DefaultOpenDistroSecurityKeyStore.java

@@ -1,18 +1,18 @@
 /*
  * Copyright 2015-2017 floragunn GmbH
- * 
+ *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
- * 
+ *
  */
 
 package com.amazon.opendistroforelasticsearch.security.ssl;
@@ -54,8 +54,10 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ElasticsearchSecurityException;
+import org.apache.lucene.util.Constants;
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
@@ -88,17 +90,17 @@ private void printJCEWarnings() {
     public final SslProvider sslTransportClientProvider;
     private final boolean httpSSLEnabled;
     private final boolean transportSSLEnabled;
-    
+
     private List<String> enabledHttpCiphersJDKProvider;
     private List<String> enabledHttpCiphersOpenSSLProvider;
     private List<String> enabledTransportCiphersJDKProvider;
     private List<String> enabledTransportCiphersOpenSSLProvider;
-    
+
     private List<String> enabledHttpProtocolsJDKProvider;
     private List<String> enabledHttpProtocolsOpenSSLProvider;
     private List<String> enabledTransportProtocolsJDKProvider;
     private List<String> enabledTransportProtocolsOpenSSLProvider;
-    
+
     private SslContext httpSslContext;
     private SslContext transportServerSslContext;
     private SslContext transportClientSslContext;
@@ -124,7 +126,12 @@ public DefaultOpenDistroSecurityKeyStore(final Settings settings, final Path con
                 .getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true);
 
         if(!OpenDistroSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable() && (settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true) || settings.getAsBoolean(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true) )) {
-            String text = "Support for OpenSSL with Java 12+ has been removed from Open Distro Security since Elasticsearch 7.4.0. Using JDK SSL instead.\n";
+            String text = "Support for OpenSSL has been removed from Open Distro Security since Elasticsearch 7.4.0. Use JDK SSL instead\n";
+            if(Constants.JRE_IS_MINIMUM_JAVA11) {
+                text += "Since you are running Java "+Constants.JAVA_VERSION+" you should not experience any performance impact but maybe not all your ciphers are supported. If you experience problems upgrade to Java 11+";
+            } else {
+                text += "You are running a very old version of Java ("+Constants.JAVA_VERSION+") so you may experience a performance impact and it is strongly advised to update to Java 11+";
+            }
             System.out.println(text);
             log.warn(text);
         }
@@ -171,8 +178,8 @@ public DefaultOpenDistroSecurityKeyStore(final Settings settings, final Path con
                 Arrays.toString(getEnabledSSLProtocols(sslTransportServerProvider, false)));
         log.info("Enabled TLS protocols for HTTP layer      : {}",
                 Arrays.toString(getEnabledSSLProtocols(sslHTTPProvider, true)));
-        
-        
+
+
         log.debug("sslTransportClientProvider:{} with protocols {}", sslTransportClientProvider,
                 getEnabledSSLProtocols(sslTransportClientProvider, false));
         log.debug("sslTransportServerProvider:{} with protocols {}", sslTransportServerProvider,
@@ -191,7 +198,7 @@ public DefaultOpenDistroSecurityKeyStore(final Settings settings, final Path con
         if (transportSSLEnabled && getEnabledSSLCiphers(sslTransportServerProvider, false).isEmpty()) {
             throw new ElasticsearchSecurityException("no ssl protocols for transport protocol");
         }
-        
+
         if (transportSSLEnabled && getEnabledSSLCiphers(sslTransportClientProvider, false).isEmpty()) {
             throw new ElasticsearchSecurityException("no ssl protocols for transport protocol");
         }
@@ -248,11 +255,11 @@ private void initSSLConfig() {
                 final String keystorePassword = settings.get(
                         SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
                         SSLConfigConstants.DEFAULT_STORE_PASSWORD);
-                
+
                 final String keyPassword = settings.get(
                         SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD,
                         keystorePassword);
-                
+
                 final String keystoreAlias = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,
                         null);
 
@@ -296,7 +303,7 @@ private void initSSLConfig() {
                         /*
                          * for (int i = 0; i < transportKeystoreCert.length; i++) { X509Certificate
                          * x509Certificate = transportKeystoreCert[i];
-                         * 
+                         *
                          * if(x509Certificate != null) {
                          * log.info("Transport keystore subject DN no. {} {}",i,x509Certificate.
                          * getSubjectX500Principal()); } }
@@ -383,12 +390,12 @@ trustedTransportCertificates, getEnabledSSLCiphers(sslTransportClientProvider, f
                         DEFAULT_STORE_TYPE);
                 final String keystorePassword = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_PASSWORD,
                         SSLConfigConstants.DEFAULT_STORE_PASSWORD);
-                
+
                 final String keyPassword = settings.get(
                         SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_KEYPASSWORD,
                         keystorePassword);
-                
-                
+
+
                 final String keystoreAlias = settings.get(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_HTTP_KEYSTORE_ALIAS, null);
 
                 log.info("HTTPS client auth mode {}", httpClientAuthMode);
@@ -432,7 +439,7 @@ trustedTransportCertificates, getEnabledSSLCiphers(sslTransportClientProvider, f
                         /*
                          * for (int i = 0; i < httpKeystoreCert.length; i++) { X509Certificate
                          * x509Certificate = httpKeystoreCert[i];
-                         * 
+                         *
                          * if(x509Certificate != null) {
                          * log.info("HTTP keystore subject DN no. {} {}",i,x509Certificate.
                          * getSubjectX500Principal()); } }
@@ -600,7 +607,7 @@ private List<String> getEnabledSSLCiphers(final SslProvider provider, boolean ht
         }
 
     }
-    
+
     private String[] getEnabledSSLProtocols(final SslProvider provider, boolean http) {
         if (provider == null) {
             return new String[0];
@@ -629,8 +636,8 @@ private void initEnabledSSLCiphers() {
                     openSSLSecureHttpCiphers.add(secure);
                 }
             }
-            
-            
+
+
             log.debug("OPENSSL "+OpenSsl.versionString()+" supports the following ciphers (java-style) {}", OpenSsl.availableJavaCipherSuites());
             log.debug("OPENSSL "+OpenSsl.versionString()+" supports the following ciphers (openssl-style) {}", OpenSsl.availableOpenSslCipherSuites());
 
@@ -653,15 +660,15 @@ private void initEnabledSSLCiphers() {
         } else {
             enabledTransportCiphersOpenSSLProvider = Collections.emptyList();
         }
-        
+
         if(OpenDistroSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable() && OpenSsl.version() > 0x10101009L) {
             enabledHttpProtocolsOpenSSLProvider = new ArrayList(Arrays.asList("TLSv1.3","TLSv1.2","TLSv1.1","TLSv1"));
             enabledHttpProtocolsOpenSSLProvider.retainAll(secureHttpSSLProtocols);
             enabledTransportProtocolsOpenSSLProvider = new ArrayList(Arrays.asList("TLSv1.3","TLSv1.2","TLSv1.1"));
             enabledTransportProtocolsOpenSSLProvider.retainAll(secureTransportSSLProtocols);
-            
+
             log.info("OpenSSL supports TLSv1.3");
-            
+
         } else if(OpenDistroSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()){
             enabledHttpProtocolsOpenSSLProvider = new ArrayList(Arrays.asList("TLSv1.2","TLSv1.1","TLSv1"));
             enabledHttpProtocolsOpenSSLProvider.retainAll(secureHttpSSLProtocols);
@@ -685,11 +692,11 @@ private void initEnabledSSLCiphers() {
                     jdkSupportedProtocols);
             log.debug("JVM supports the following {} ciphers {}", jdkSupportedCiphers.size(),
                     jdkSupportedCiphers);
-            
+
             if(jdkSupportedProtocols.contains("TLSv1.3")) {
                 log.info("JVM supports TLSv1.3");
             }
-            
+
         } catch (final Throwable e) {
             log.error("Unable to determine supported ciphers due to " + e, e);
         } finally {
@@ -706,16 +713,16 @@ private void initEnabledSSLCiphers() {
         if(jdkSupportedCiphers == null || jdkSupportedCiphers.isEmpty() || jdkSupportedProtocols == null || jdkSupportedProtocols.isEmpty()) {
             throw new ElasticsearchException("Unable to determine supported ciphers or protocols");
         }
-        
+
         enabledHttpCiphersJDKProvider = new ArrayList<String>(jdkSupportedCiphers);
         enabledHttpCiphersJDKProvider.retainAll(secureHttpSSLCiphers);
-        
+
         enabledTransportCiphersJDKProvider = new ArrayList<String>(jdkSupportedCiphers);
         enabledTransportCiphersJDKProvider.retainAll(secureTransportSSLCiphers);
-        
+
         enabledHttpProtocolsJDKProvider = new ArrayList<String>(jdkSupportedProtocols);
         enabledHttpProtocolsJDKProvider.retainAll(secureHttpSSLProtocols);
-        
+
         enabledTransportProtocolsJDKProvider = new ArrayList<String>(jdkSupportedProtocols);
         enabledTransportProtocolsJDKProvider.retainAll(secureTransportSSLProtocols);
     }

src/main/java/com/amazon/opendistroforelasticsearch/security/ssl/OpenDistroSecuritySSLPlugin.java

@@ -82,7 +82,8 @@
 //For ES5 this class has only effect when SSL only plugin is installed
 public class OpenDistroSecuritySSLPlugin extends Plugin implements ActionPlugin, NetworkPlugin {
 
-    public static final boolean OPENSSL_SUPPORTED = PlatformDependent.javaVersion() < 12;
+    // Not supporting OPENSSL for ES7.4+
+    public static final boolean OPENSSL_SUPPORTED = false;
     protected final Logger log = LogManager.getLogger(this.getClass());
     protected static final String CLIENT_TYPE = "client.type";
     protected final boolean client;