rethink SSL for older versions

Author: sscarduzio

commons/src/main/java/tech/beshu/ror/commons/SSLCertParser.java

@@ -45,10 +45,10 @@ public SSLCertParser(BasicSettings settings, LoggerShim logger, SSLContextCreato
 
   private void createContext(BasicSettings settings) {
     if (!settings.isSSLEnabled()) {
-      logger.info("SSL is disabled");
+      logger.info("ROR SSL: SSL is disabled");
       return;
     }
-    logger.info("SSL: attempting with JKS keystore..");
+    logger.info("ROR SSL: attempting with JKS keystore..");
     try {
       char[] keyStorePassBa = null;
       if (settings.getKeystorePass().isPresent()) {
@@ -80,7 +80,7 @@ private void createContext(BasicSettings settings) {
       if (!settings.getKeyAlias().isPresent()) {
         if (ks.aliases().hasMoreElements()) {
           String inferredAlias = ks.aliases().nextElement();
-          logger.info("SSL ssl.key_alias not configured, took first alias in keystore: " + inferredAlias);
+          logger.info("ROR SSL: ssl.key_alias not configured, took first alias in keystore: " + inferredAlias);
           sslKeyAlias = inferredAlias;
         }
         else {
@@ -103,7 +103,7 @@ private void createContext(BasicSettings settings) {
       sb.append("\n");
       sb.append("---END PRIVATE KEY---");
       String privateKey = sb.toString();
-      logger.info("Discovered key from JKS");
+      logger.info("ROR SSL: Discovered key from JKS");
 
       // Get CertChain from keystore
       Certificate[] cchain = ks.getCertificateChain(sslKeyAlias);
@@ -117,7 +117,7 @@ private void createContext(BasicSettings settings) {
         sb.append("-----END CERTIFICATE-----\n");
       }
       String certChain = sb.toString();
-      logger.info("Discovered cert chain from JKS");
+      logger.info("ROR SSL: Discovered cert chain from JKS");
 
 
       AccessController.doPrivileged(
@@ -127,9 +127,9 @@ private void createContext(BasicSettings settings) {
         });
 
     } catch (Throwable t) {
-      logger.error("Failed to load SSL certs and keys from JKS Keystore!");
+      logger.error("ROR SSL: Failed to load SSL certs and keys from JKS Keystore!");
       if (t instanceof AccessControlException) {
-        logger.error("Check the JKS Keystore path is correct: " + settings.getKeystoreFile());
+        logger.error("ROR SSL: Check the JKS Keystore path is correct: " + settings.getKeystoreFile());
       }
       t.printStackTrace();
     }

es51x/src/main/java/tech/beshu/ror/es/SSLTransportNetty4.java

@@ -22,13 +22,14 @@
  */
 
 import cz.seznam.euphoria.shaded.guava.com.google.common.base.Joiner;
+import io.netty.buffer.ByteBufAllocator;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerContext;
-import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.NotSslRecordException;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslHandler;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
@@ -40,15 +41,17 @@
 import tech.beshu.ror.commons.settings.BasicSettings;
 import tech.beshu.ror.commons.shims.es.LoggerShim;
 
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLHandshakeException;
 import java.io.ByteArrayInputStream;
 import java.nio.charset.StandardCharsets;
-import java.util.List;
-import java.util.Optional;
 
 public class SSLTransportNetty4 extends Netty4HttpServerTransport {
 
+  protected final LoggerShim logger;
   private final BasicSettings basicSettings;
-  private final LoggerShim logger;
+  protected SslContext sslContext;
+
 
   public SSLTransportNetty4(Settings settings, NetworkService networkService, BigArrays bigArrays,
                             ThreadPool threadPool) {
@@ -61,15 +64,51 @@ public SSLTransportNetty4(Settings settings, NetworkService networkService, BigA
     if (basicSettings.isSSLEnabled()) {
       logger.info("creating SSL transport");
     }
+
+
+    new SSLCertParser(basicSettings, logger, (certChain, privateKey) -> {
+
+      try {
+        // #TODO expose configuration of sslPrivKeyPem password? Letsencrypt never sets one..
+        SslContextBuilder sslcb = SslContextBuilder.forServer(
+          new ByteArrayInputStream(certChain.getBytes(StandardCharsets.UTF_8)),
+          new ByteArrayInputStream(privateKey.getBytes(StandardCharsets.UTF_8)),
+          null
+        );
+
+        // Creating one SSL engine just for protocol/cipher validation and logging
+        sslContext = sslcb.build();
+        SSLEngine eng = sslContext.newEngine(ByteBufAllocator.DEFAULT);
+        String[] defaultProtocols = eng.getEnabledProtocols();
+
+        logger.info("ROR SSL: Using SSL provider: " + SslContext.defaultServerProvider().name());
+
+        logger.info("ROR SSL: Available ciphers: " + Joiner.on(",").join(sslContext.cipherSuites()));
+        baseSettings.getAllowedSSLProtocols()
+          .ifPresent(_x -> logger.info("ROR SSL: Restricting to ciphers: " + Joiner.on(",").join(eng.getEnabledProtocols())));
+
+        logger.info("ROR SSL: Avaliable SSL protocols: " + Joiner.on(",").join(defaultProtocols));
+        baseSettings.getAllowedSSLCiphers()
+          .ifPresent(_x -> logger.info("ROR SSL: Restricting to SSL protocols: " + Joiner.on(",").join(eng.getEnabledProtocols())));
+
+        logger.info("ROR SSL: Available ciphers: " + Joiner.on(",").join(sslContext.cipherSuites()));
+
+      } catch (Exception e) {
+        logger.error("Failed to load SSL CertChain & private key from Keystore! "
+                       + e.getClass().getSimpleName() + ": " + e.getMessage(), e);
+      }
+    });
   }
 
+
   protected void exceptionCaught(final ChannelHandlerContext ctx, final Throwable cause) throws Exception {
     if (!this.lifecycle.started()) {
       return;
     }
-    if (cause.getCause() instanceof NotSslRecordException) {
+    if (cause.getCause() instanceof NotSslRecordException || cause.getCause() instanceof SSLHandshakeException) {
       logger.warn(cause.getMessage());
     }
+
     else {
       cause.printStackTrace();
       super.exceptionCaught(ctx, cause);
@@ -79,52 +118,26 @@ protected void exceptionCaught(final ChannelHandlerContext ctx, final Throwable
 
   public ChannelHandler configureServerChannelHandler() {
     SSLHandler handler = new SSLHandler(this);
-    logger.info("ROR SSL accepted ciphers: " + Joiner.on(",").join(handler.context.get().cipherSuites()));
     return handler;
   }
 
   private class SSLHandler extends Netty4HttpServerTransport.HttpChannelHandler {
-    private Optional<SslContext> context = Optional.empty();
 
     SSLHandler(final Netty4HttpServerTransport transport) {
       super(transport, SSLTransportNetty4.this.detailedErrorsEnabled, SSLTransportNetty4.this.threadPool.getThreadContext());
-
-      new SSLCertParser(basicSettings, logger, (certChain, privateKey) -> {
-
-        try {
-          // #TODO expose configuration of sslPrivKeyPem password? Letsencrypt never sets one..
-          SslContextBuilder sslcb = SslContextBuilder.forServer(
-            new ByteArrayInputStream(certChain.getBytes(StandardCharsets.UTF_8)),
-            new ByteArrayInputStream(privateKey.getBytes(StandardCharsets.UTF_8)),
-            null
-          );
-
-          basicSettings.getAllowedSSLCiphers().ifPresent(sslcb::ciphers);
-
-          basicSettings.getAllowedSSLProtocols().ifPresent(allowedProtos -> {
-            sslcb.applicationProtocolConfig(new ApplicationProtocolConfig(
-              ApplicationProtocolConfig.Protocol.NONE,
-              ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL,
-              ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
-              allowedProtos
-            ));
-            logger.info("ROR SSL accepted protocols: " + Joiner.on(",").join(allowedProtos));
-          });
-
-          context = Optional.of(sslcb.build());
-        } catch (Exception e) {
-          context = Optional.empty();
-          logger.error("Failed to load SSL CertChain & private key from Keystore! "
-                         + e.getClass().getSimpleName() + ": " + e.getMessage(), e);
-        }
-      });
     }
 
     protected void initChannel(final Channel ch) throws Exception {
       super.initChannel(ch);
-      context.ifPresent(sslCtx -> {
-        ch.pipeline().addFirst("ssl_netty4_handler", sslCtx.newHandler(ch.alloc()));
-      });
+      SSLEngine eng = sslContext.newEngine(ch.alloc());
+
+      basicSettings.getAllowedSSLProtocols()
+        .ifPresent(p -> eng.setEnabledProtocols(p.toArray(new String[p.size()])));
+      basicSettings.getAllowedSSLCiphers()
+        .ifPresent(c -> eng.setEnabledCipherSuites(c.toArray(new String[c.size()])));
+
+      ch.pipeline().addFirst("ssl_netty4_handler", new SslHandler(eng));
+
     }
   }
 }

es52x/src/main/java/tech/beshu/ror/es/SSLTransportNetty4.java

@@ -22,13 +22,14 @@
  */
 
 import cz.seznam.euphoria.shaded.guava.com.google.common.base.Joiner;
+import io.netty.buffer.ByteBufAllocator;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelHandlerContext;
-import io.netty.handler.ssl.ApplicationProtocolConfig;
 import io.netty.handler.ssl.NotSslRecordException;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslHandler;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
@@ -41,15 +42,17 @@
 import tech.beshu.ror.commons.settings.BasicSettings;
 import tech.beshu.ror.commons.shims.es.LoggerShim;
 
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLHandshakeException;
 import java.io.ByteArrayInputStream;
 import java.nio.charset.StandardCharsets;
-import java.util.List;
-import java.util.Optional;
 
 public class SSLTransportNetty4 extends Netty4HttpServerTransport {
 
+  protected final LoggerShim logger;
   private final BasicSettings basicSettings;
-  private final LoggerShim logger;
+  protected SslContext sslContext;
+
 
   public SSLTransportNetty4(Settings settings, NetworkService networkService, BigArrays bigArrays,
                             ThreadPool threadPool, NamedXContentRegistry xContentRegistry) {
@@ -62,15 +65,51 @@ public SSLTransportNetty4(Settings settings, NetworkService networkService, BigA
     if (basicSettings.isSSLEnabled()) {
       logger.info("creating SSL transport");
     }
+
+
+    new SSLCertParser(basicSettings, logger, (certChain, privateKey) -> {
+
+      try {
+        // #TODO expose configuration of sslPrivKeyPem password? Letsencrypt never sets one..
+        SslContextBuilder sslcb = SslContextBuilder.forServer(
+          new ByteArrayInputStream(certChain.getBytes(StandardCharsets.UTF_8)),
+          new ByteArrayInputStream(privateKey.getBytes(StandardCharsets.UTF_8)),
+          null
+        );
+
+        // Creating one SSL engine just for protocol/cipher validation and logging
+        sslContext = sslcb.build();
+        SSLEngine eng = sslContext.newEngine(ByteBufAllocator.DEFAULT);
+        String[] defaultProtocols = eng.getEnabledProtocols();
+
+        logger.info("ROR SSL: Using SSL provider: " + SslContext.defaultServerProvider().name());
+
+        logger.info("ROR SSL: Available ciphers: " + Joiner.on(",").join(sslContext.cipherSuites()));
+        baseSettings.getAllowedSSLProtocols()
+          .ifPresent(_x -> logger.info("ROR SSL: Restricting to ciphers: " + Joiner.on(",").join(eng.getEnabledProtocols())));
+
+        logger.info("ROR SSL: Avaliable SSL protocols: " + Joiner.on(",").join(defaultProtocols));
+        baseSettings.getAllowedSSLCiphers()
+          .ifPresent(_x -> logger.info("ROR SSL: Restricting to SSL protocols: " + Joiner.on(",").join(eng.getEnabledProtocols())));
+
+        logger.info("ROR SSL: Available ciphers: " + Joiner.on(",").join(sslContext.cipherSuites()));
+
+      } catch (Exception e) {
+        logger.error("Failed to load SSL CertChain & private key from Keystore! "
+                       + e.getClass().getSimpleName() + ": " + e.getMessage(), e);
+      }
+    });
   }
 
+
   protected void exceptionCaught(final ChannelHandlerContext ctx, final Throwable cause) throws Exception {
     if (!this.lifecycle.started()) {
       return;
     }
-    if (cause.getCause() instanceof NotSslRecordException) {
+    if (cause.getCause() instanceof NotSslRecordException || cause.getCause() instanceof SSLHandshakeException) {
       logger.warn(cause.getMessage());
     }
+
     else {
       cause.printStackTrace();
       super.exceptionCaught(ctx, cause);
@@ -80,56 +119,26 @@ protected void exceptionCaught(final ChannelHandlerContext ctx, final Throwable
 
   public ChannelHandler configureServerChannelHandler() {
     SSLHandler handler = new SSLHandler(this);
-    logger.info("ROR SSL accepted ciphers: " + Joiner.on(",").join(handler.context.get().cipherSuites()));
     return handler;
   }
 
   private class SSLHandler extends Netty4HttpServerTransport.HttpChannelHandler {
-    private Optional<SslContext> context = Optional.empty();
 
     SSLHandler(final Netty4HttpServerTransport transport) {
       super(transport, SSLTransportNetty4.this.detailedErrorsEnabled, SSLTransportNetty4.this.threadPool.getThreadContext());
-
-      new SSLCertParser(basicSettings, logger, (certChain, privateKey) -> {
-        try {
-          // #TODO expose configuration of sslPrivKeyPem password? Letsencrypt never sets one..
-          SslContextBuilder sslcb = SslContextBuilder.forServer(
-            new ByteArrayInputStream(certChain.getBytes(StandardCharsets.UTF_8)),
-            new ByteArrayInputStream(privateKey.getBytes(StandardCharsets.UTF_8)),
-            null
-          );
-
-          if (basicSettings.getAllowedSSLCiphers().isPresent()) {
-            sslcb.ciphers(basicSettings.getAllowedSSLCiphers().get());
-          }
-
-          if (basicSettings.getAllowedSSLProtocols().isPresent()) {
-            List<String> protocols = basicSettings.getAllowedSSLProtocols().get();
-            sslcb.applicationProtocolConfig(new ApplicationProtocolConfig(
-              ApplicationProtocolConfig.Protocol.NONE,
-              ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL,
-              ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
-              protocols
-            ));
-
-            logger.info("ROR SSL accepted protocols: " + Joiner.on(",").join(protocols));
-          }
-
-          context = Optional.of(sslcb.build());
-
-        } catch (Exception e) {
-          context = Optional.empty();
-          logger.error("Failed to load SSL CertChain & private key from Keystore! "
-                         + e.getClass().getSimpleName() + ": " + e.getMessage(), e);
-        }
-      });
     }
 
     protected void initChannel(final Channel ch) throws Exception {
       super.initChannel(ch);
-      context.ifPresent(sslCtx -> {
-        ch.pipeline().addFirst("ssl_netty4_handler", sslCtx.newHandler(ch.alloc()));
-      });
+      SSLEngine eng = sslContext.newEngine(ch.alloc());
+
+      basicSettings.getAllowedSSLProtocols()
+        .ifPresent(p -> eng.setEnabledProtocols(p.toArray(new String[p.size()])));
+      basicSettings.getAllowedSSLCiphers()
+        .ifPresent(c -> eng.setEnabledCipherSuites(c.toArray(new String[c.size()])));
+
+      ch.pipeline().addFirst("ssl_netty4_handler", new SslHandler(eng));
+
     }
   }
 }