Only filter out CA certificates for xpack.security.http.ssl keystore #75097
Labels: >feature, :Security/Security (Security issues without another label), Team:Security (Meta label for security team), v8.0.0-alpha2
Comments
BigPandaToo added the >feature, :Security/Security, v8.0.0 and Team:Security labels on Jul 8, 2021
Pinging @elastic/es-security (Team:Security)

BigPandaToo added a commit that referenced this issue on Jul 8, 2021:
In 8.0, with security on by default, we store the HTTP layer CA PrivateKeyEntry in the http.ssl keystore (along with the node certificate) so that it is available in our Enrollment API transport actions. When loading a keystore, the current behavior is that the X509ExtendedKeyManager will iterate through the PrivateKeyEntry objects and will return the first key/certificate that satisfies the requirements of the client and the server configuration, and lacks any additional logic/filters. We need the KeyManager to deterministically pick the node certificate/key in all cases as this is the intended entry to be used for TLS on the HTTP layer.

This change introduces filtering when creating the in-memory keystore the KeyManager is loaded with, so that it will not include PrivateKeyEntry objects when:
- there are more than one PrivateKeyEntry objects in the keystore
- the leaf certificate associated with the PrivateKeyEntry is a CA certificate

Related: #75097
Co-authored-by: Ioannis Kakavas <[email protected]>

BigPandaToo added a commit to BigPandaToo/elasticsearch that referenced this issue on Aug 23, 2021:
This change elastic#76636 actually resolved elastic#75097 by only filtering out the CA certs/keys from the xpack.security.http.ssl keystore. This change re-enables the tests previously affected by elastic#75097.

Resolves: elastic#75097

BigPandaToo added a commit that referenced this issue on Aug 23, 2021:
This change #76636 actually resolved #75097 by only filtering out the CA certs/keys from the xpack.security.http.ssl keystore. This change re-enables the tests previously affected by #75097.

Resolves: #75097
Co-authored-by: Elastic Machine <[email protected]>

wjp719 added a commit to wjp719/elasticsearch that referenced this issue on Aug 24, 2021:
* master: (21 commits)
  [Test] More robust assertions for sorting and pagination (elastic#76654)
  [Test] Fix filename check on Windows (elastic#76807)
  Upgrade build scan plugin to 3.6.4 (elastic#76784)
  Remove keystore initial_md5sum (elastic#76835)
  Don't export docker images on assemble (elastic#76817)
  Fix testMasterStatsOnSuccessfulUpdate (elastic#76844)
  AwaitsFix for elastic#76840
  Make Releasing Aggregation Buffers Safer (elastic#76741)
  Re-enable BWC tests after backport of elastic#76771 (elastic#76839)
  Dispatch large bulk requests to write thread (elastic#76736)
  Disable BWC tests for elastic#76771
  Pull down beats artifacts when performing release tests
  Add timing stats to publication process (elastic#76771)
  Fix BanFailureLoggingTests some more (elastic#76668)
  Mention "warn threshold" in master service slowlog (elastic#76815)
  Fix DockerTests.test010Install
  Re-enable tests affected by elastic#75097 (elastic#76814)
  Fix testRecoveryIsCancelledAfterDeletingTheIndex (elastic#76644)
  Test fix -WildcardFieldMapperTests bad test data. (elastic#76819)
  Updating supported version after backporting the feature (elastic#76794)
  ...

# Conflicts:
# server/src/main/java/org/elasticsearch/action/bulk/TransportBulkAction.java
This is related to the Security on by default feature development. When handling the case of multiple keys in the key store (see #73807), we should only filter out CA certificates if there are multiple entries and if it is the xpack.security.http.ssl keystore. The detection of the type of the keystore will be easy after the merge of #72285.

Related: #73807
Depends: #72285
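The filtering rule described in the commit message and in the issue body above, as an added Java illustration that is not the Elasticsearch change itself: a fresh in-memory keystore is built from the loaded http.ssl keystore, and a PrivateKeyEntry is dropped only when the source holds more than one key entry and that entry's leaf certificate is a CA. `HttpKeyStoreFilter`, `filterCaEntries` and `isCaCertificate` are hypothetical names, and the example assumes every key entry in the source keystore is protected by the same password.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Hypothetical helper; illustrates the CA-entry filtering rule, not Elasticsearch's own code. */
public final class HttpKeyStoreFilter {

    private HttpKeyStoreFilter() {}

    /** True when the leaf certificate asserts CA=true in its BasicConstraints extension. */
    static boolean isCaCertificate(X509Certificate cert) {
        // getBasicConstraints() returns -1 when the certificate is not a CA
        // (or carries no BasicConstraints extension at all).
        return cert.getBasicConstraints() != -1;
    }

    /**
     * Copies PrivateKeyEntry objects from {@code source} into a new in-memory keystore.
     * CA entries are skipped only when more than one key entry is present, so a
     * keystore holding a single (possibly self-signed CA) entry is passed through intact.
     */
    static KeyStore filterCaEntries(KeyStore source, char[] keyPassword)
            throws GeneralSecurityException, IOException {
        List<String> keyAliases = new ArrayList<>();
        for (String alias : Collections.list(source.aliases())) {
            if (source.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                keyAliases.add(alias);
            }
        }
        boolean multipleKeyEntries = keyAliases.size() > 1;

        KeyStore filtered = KeyStore.getInstance(KeyStore.getDefaultType());
        filtered.load(null, null); // start from an empty in-memory keystore
        for (String alias : keyAliases) {
            Certificate[] chain = source.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            if (multipleKeyEntries && isCaCertificate(leaf)) {
                continue; // CA entry kept for enrollment, but not offered to the KeyManager
            }
            filtered.setKeyEntry(alias, source.getKey(alias, keyPassword), keyPassword, chain);
        }
        return filtered;
    }
}
```

The returned keystore is what a KeyManagerFactory would be initialised with, so the KeyManager only ever sees the node certificate/key for HTTP-layer TLS.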