Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove TLSv1.2 pinning in ssl reload tests #38651

Merged
merged 1 commit into from
Feb 12, 2019
Merged

Remove TLSv1.2 pinning in ssl reload tests #38651

merged 1 commit into from
Feb 12, 2019

Conversation

jaymode
Copy link
Member

@jaymode jaymode commented Feb 8, 2019

This change removes the pinning of TLSv1.2 in the
SSLConfigurationReloaderTests that had been added to workaround an
issue with the MockWebServer and Apache HttpClient when using TLSv1.3.
The way HttpClient closes the socket causes issues with the TLSv1.3
SSLEngine implementation that causes the MockWebServer to loop
endlessly trying to send the close message back to the client. This
change wraps the created http connection in a way that allows us to
override the closing behavior of HttpClient.

An upstream request with HttpClient has been opened at
https://issues.apache.org/jira/browse/HTTPCORE-571 to see if the method
of closing can be special cased for SSLSocket instances.

Relates #38646

@jaymode
Remove TLSv1.2 pinning in ssl reload tests
cb05c4d 
This change removes the pinning of TLSv1.2 in the
SSLConfigurationReloaderTests that had been added to workaround an
issue with the MockWebServer and Apache HttpClient when using TLSv1.3.
The way HttpClient closes the socket causes issues with the TLSv1.3
SSLEngine implementation that causes the MockWebServer to loop
endlessly trying to send the close message back to the client. This
change wraps the created http connection in a way that allows us to
override the closing behavior of HttpClient.

An upstream request with HttpClient has been opened at
https://issues.apache.org/jira/browse/HTTPCORE-571 to see if the method
of closing can be special cased for SSLSocket instances.

Relates elastic#38646
@jaymode jaymode added >test Issues or PRs that are addressing/adding tests v7.0.0 :Security/TLS SSL/TLS, Certificates v8.0.0 v7.2.0 labels Feb 8, 2019
@jaymode jaymode requested a review from jkakavas February 8, 2019 21:01
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

jkakavas
jkakavas approved these changes Feb 11, 2019
View reviewed changes
Copy link
Member

@jkakavas jkakavas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, verified that there are no issues in a FIPS 140 JVM also

@jaymode jaymode merged commit 3cae269 into elastic:master Feb 12, 2019
@jaymode jaymode deleted the unpin_reload_ssl_tests branch February 12, 2019 15:43
jaymode added a commit that referenced this pull request Feb 12, 2019
@jaymode
Remove TLSv1.2 pinning in ssl reload tests (#38651)
f04bd4a 
This change removes the pinning of TLSv1.2 in the
SSLConfigurationReloaderTests that had been added to workaround an
issue with the MockWebServer and Apache HttpClient when using TLSv1.3.
The way HttpClient closes the socket causes issues with the TLSv1.3
SSLEngine implementation that causes the MockWebServer to loop
endlessly trying to send the close message back to the client. This
change wraps the created http connection in a way that allows us to
override the closing behavior of HttpClient.

An upstream request with HttpClient has been opened at
https://issues.apache.org/jira/browse/HTTPCORE-571 to see if the method
of closing can be special cased for SSLSocket instances.

This is caused by a JDK bug, JDK-8214418 which is fixed by
https://hg.openjdk.java.net/jdk/jdk12/rev/5022a4915fe9.

Relates #38646
jaymode added a commit that referenced this pull request Feb 12, 2019
@jaymode
Remove TLSv1.2 pinning in ssl reload tests (#38651)
daffce1 
This change removes the pinning of TLSv1.2 in the
SSLConfigurationReloaderTests that had been added to workaround an
issue with the MockWebServer and Apache HttpClient when using TLSv1.3.
The way HttpClient closes the socket causes issues with the TLSv1.3
SSLEngine implementation that causes the MockWebServer to loop
endlessly trying to send the close message back to the client. This
change wraps the created http connection in a way that allows us to
override the closing behavior of HttpClient.

An upstream request with HttpClient has been opened at
https://issues.apache.org/jira/browse/HTTPCORE-571 to see if the method
of closing can be special cased for SSLSocket instances.

This is caused by a JDK bug, JDK-8214418 which is fixed by
https://hg.openjdk.java.net/jdk/jdk12/rev/5022a4915fe9.

Relates #38646
jasontedor added a commit to jasontedor/elasticsearch that referenced this pull request Feb 13, 2019
@jasontedor
Merge branch 'master' into soft-delete-policy-off-by-one
6d23d8f 
* master:
  Remove _type term filters from cluster alert watches (elastic#38819)
  Adjust log and unmute testFailOverOnFollower (elastic#38762)
  Fix line separators in JSON logging tests (elastic#38771)
  Fix synchronization in LocalCheckpointTracker#contains (elastic#38755)
  muted test
  Remove TLSv1.2 pinning in ssl reload tests (elastic#38651)
  Don't fail init script if `/proc/.../max_map_count` absent (elastic#35933)
  Format Watcher.status.lastChecked and lastMetCondition (elastic#38626)
  SQL: Implement `::` cast operator (elastic#38774)
  Ignore failing test
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jkakavas jkakavas jkakavas approved these changes

Assignees
No one assigned
Labels
:Security/TLS SSL/TLS, Certificates >test Issues or PRs that are addressing/adding tests v7.0.0-rc1 v7.2.0 v8.0.0-alpha1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jaymode @elasticmachine @jkakavas @jakelandis @michaelbaamonde