From d03d83c687d9818c564a51795847c780e12d3cb1 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Thu, 24 Oct 2024 12:28:41 -0400 Subject: [PATCH] Move check to after new certs are validated Signed-off-by: Craig Perkins --- .../security/ssl/SslContextHandler.java | 15 ++++++++------- .../security/ssl/config/SslParameters.java | 14 +++++++------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/src/main/java/org/opensearch/security/ssl/SslContextHandler.java b/src/main/java/org/opensearch/security/ssl/SslContextHandler.java index 336cfefd6b..6cf6f4fb31 100644 --- a/src/main/java/org/opensearch/security/ssl/SslContextHandler.java +++ b/src/main/java/org/opensearch/security/ssl/SslContextHandler.java @@ -74,9 +74,7 @@ void reloadSslContext() throws CertificateException { if (sameCertificates(newCertificates)) { return; } - if (sslConfiguration.sslParameters().isValidateCertsOnReloadEnabled()) { - validateNewCertificates(newCertificates); - } + validateNewCertificates(newCertificates, sslConfiguration.sslParameters().shouldValidateNewCertDNs()); invalidateSessions(); if (sslContext.isClient()) { sslContext = sslConfiguration.buildClientSslContext(false); @@ -143,13 +141,16 @@ private void validateSans(final List newCertificates) throws Certif } } - private void validateNewCertificates(final List newCertificates) throws CertificateException { + private void validateNewCertificates(final List newCertificates, boolean shouldValidateNewCertDNs) + throws CertificateException { for (final var certificate : newCertificates) { certificate.x509Certificate().checkValidity(); } - validateSubjectDns(newCertificates); - validateIssuerDns(newCertificates); - validateSans(newCertificates); + if (shouldValidateNewCertDNs) { + validateSubjectDns(newCertificates); + validateIssuerDns(newCertificates); + validateSans(newCertificates); + } } private void invalidateSessions() { diff --git a/src/main/java/org/opensearch/security/ssl/config/SslParameters.java b/src/main/java/org/opensearch/security/ssl/config/SslParameters.java index 7dbaea1a76..a31b14723b 100644 --- a/src/main/java/org/opensearch/security/ssl/config/SslParameters.java +++ b/src/main/java/org/opensearch/security/ssl/config/SslParameters.java @@ -54,20 +54,20 @@ public class SslParameters { private final List ciphers; - private final boolean validateCertsOnReload; + private final boolean validateCertDNsOnReload; private SslParameters( SslProvider provider, final ClientAuth clientAuth, List protocols, List ciphers, - boolean validateCertsOnReload + boolean validateCertDNsOnReload ) { this.provider = provider; this.ciphers = ciphers; this.protocols = protocols; this.clientAuth = clientAuth; - this.validateCertsOnReload = validateCertsOnReload; + this.validateCertDNsOnReload = validateCertDNsOnReload; } public ClientAuth clientAuth() { @@ -86,8 +86,8 @@ public List allowedProtocols() { return protocols; } - public boolean isValidateCertsOnReloadEnabled() { - return validateCertsOnReload; + public boolean shouldValidateNewCertDNs() { + return validateCertDNsOnReload; } @Override @@ -126,7 +126,7 @@ private SslProvider provider(final Settings settings) { } } - private boolean validateCertsOnReload(final Settings settings) { + private boolean validateCertDNsOnReload(final Settings settings) { return settings.getAsBoolean(ENFORCE_CERT_RELOAD_DN_VERIFICATION, true); } @@ -200,7 +200,7 @@ public SslParameters load(final boolean http) { clientAuth, protocols(provider, sslConfigSettings, http), ciphers(provider, sslConfigSettings), - validateCertsOnReload(sslConfigSettings) + validateCertDNsOnReload(sslConfigSettings) ); if (sslParameters.allowedProtocols().isEmpty()) { throw new OpenSearchSecurityException("No ssl protocols for " + (http ? "HTTP" : "Transport") + " layer");