in src/main/java/com/amazon/dlic/auth/ldap/backend/LDAPAuthorizationBackend.java [495:656]
private static void configureSSL(final ConnectionConfig config, final Settings settings,
final Path configPath) throws Exception {
final boolean isDebugEnabled = log.isDebugEnabled();
final boolean enableSSL = settings.getAsBoolean(ConfigConstants.LDAPS_ENABLE_SSL, false);
final boolean enableStartTLS = settings.getAsBoolean(ConfigConstants.LDAPS_ENABLE_START_TLS, false);
if (enableSSL || enableStartTLS) {
final boolean enableClientAuth = settings.getAsBoolean(ConfigConstants.LDAPS_ENABLE_SSL_CLIENT_AUTH,
ConfigConstants.LDAPS_ENABLE_SSL_CLIENT_AUTH_DEFAULT);
final boolean trustAll = settings.getAsBoolean(ConfigConstants.LDAPS_TRUST_ALL, false);
final boolean verifyHostnames = !trustAll && settings.getAsBoolean(ConfigConstants.LDAPS_VERIFY_HOSTNAMES,
ConfigConstants.LDAPS_VERIFY_HOSTNAMES_DEFAULT);
if (isDebugEnabled) {
log.debug("verifyHostname {}:", verifyHostnames);
log.debug("trustall {}:", trustAll);
}
if (enableStartTLS && !verifyHostnames) {
System.setProperty("jndi.starttls.allowAnyHostname", "true");
}
final boolean pem = settings.get(ConfigConstants.LDAPS_PEMTRUSTEDCAS_FILEPATH, null) != null
|| settings.get(ConfigConstants.LDAPS_PEMTRUSTEDCAS_CONTENT, null) != null;
final SslConfig sslConfig = new SslConfig();
CredentialConfig cc;
if (pem) {
X509Certificate[] trustCertificates = PemKeyReader.loadCertificatesFromStream(
PemKeyReader.resolveStream(ConfigConstants.LDAPS_PEMTRUSTEDCAS_CONTENT, settings));
if (trustCertificates == null) {
trustCertificates = PemKeyReader.loadCertificatesFromFile(PemKeyReader
.resolve(ConfigConstants.LDAPS_PEMTRUSTEDCAS_FILEPATH, settings, configPath, !trustAll));
}
// for client authentication
X509Certificate authenticationCertificate = PemKeyReader.loadCertificateFromStream(
PemKeyReader.resolveStream(ConfigConstants.LDAPS_PEMCERT_CONTENT, settings));
if (authenticationCertificate == null) {
authenticationCertificate = PemKeyReader.loadCertificateFromFile(PemKeyReader
.resolve(ConfigConstants.LDAPS_PEMCERT_FILEPATH, settings, configPath, enableClientAuth));
}
PrivateKey authenticationKey = PemKeyReader.loadKeyFromStream(
settings.get(ConfigConstants.LDAPS_PEMKEY_PASSWORD),
PemKeyReader.resolveStream(ConfigConstants.LDAPS_PEMKEY_CONTENT, settings));
if (authenticationKey == null) {
authenticationKey = PemKeyReader
.loadKeyFromFile(settings.get(ConfigConstants.LDAPS_PEMKEY_PASSWORD), PemKeyReader.resolve(
ConfigConstants.LDAPS_PEMKEY_FILEPATH, settings, configPath, enableClientAuth));
}
cc = CredentialConfigFactory.createX509CredentialConfig(trustCertificates, authenticationCertificate,
authenticationKey);
if (isDebugEnabled) {
log.debug("Use PEM to secure communication with LDAP server (client auth is {})",
authenticationKey != null);
}
} else {
final KeyStore trustStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, settings,
configPath, !trustAll),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
final List<String> trustStoreAliases = settings.getAsList(ConfigConstants.LDAPS_JKS_TRUST_ALIAS, null);
// for client authentication
final KeyStore keyStore = PemKeyReader.loadKeyStore(
PemKeyReader.resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH, settings,
configPath, enableClientAuth),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
final String keyStorePassword = settings.get(
SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD);
final String keyStoreAlias = settings.get(ConfigConstants.LDAPS_JKS_CERT_ALIAS, null);
final String[] keyStoreAliases = keyStoreAlias == null ? null : new String[] { keyStoreAlias };
if (enableClientAuth && keyStoreAliases == null) {
throw new IllegalArgumentException(ConfigConstants.LDAPS_JKS_CERT_ALIAS + " not given");
}
if (isDebugEnabled) {
log.debug("Use Trust-/Keystore to secure communication with LDAP server (client auth is {})",
keyStore != null);
log.debug("trustStoreAliases: {}, keyStoreAlias: {}", trustStoreAliases, keyStoreAlias);
}
cc = CredentialConfigFactory.createKeyStoreCredentialConfig(trustStore,
trustStoreAliases == null ? null : trustStoreAliases.toArray(new String[0]), keyStore,
keyStorePassword, keyStoreAliases);
}
sslConfig.setCredentialConfig(cc);
if (trustAll) {
sslConfig.setTrustManagers(new AllowAnyTrustManager());
}
if (!verifyHostnames) {
sslConfig.setHostnameVerifier(new AllowAnyHostnameVerifier());
final String deiProp = System.getProperty(COM_SUN_JNDI_LDAP_OBJECT_DISABLE_ENDPOINT_IDENTIFICATION);
if (deiProp == null || !Boolean.parseBoolean(deiProp)) {
log.warn("In order to disable host name verification for LDAP connections (verify_hostnames: true), "
+ "you also need to set set the system property "+COM_SUN_JNDI_LDAP_OBJECT_DISABLE_ENDPOINT_IDENTIFICATION+" to true when starting the JVM running OpenSearch. "
+ "This applies for all Java versions released since July 2018.");
// See:
// https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html
// https://www.oracle.com/technetwork/java/javase/10-0-2-relnotes-4477557.html
// https://www.oracle.com/technetwork/java/javase/11-0-1-relnotes-5032023.html
}
System.setProperty(COM_SUN_JNDI_LDAP_OBJECT_DISABLE_ENDPOINT_IDENTIFICATION, "true");
}
final List<String> enabledCipherSuites = settings.getAsList(ConfigConstants.LDAPS_ENABLED_SSL_CIPHERS,
Collections.emptyList());
final List<String> enabledProtocols = settings.getAsList(ConfigConstants.LDAPS_ENABLED_SSL_PROTOCOLS,
DEFAULT_TLS_PROTOCOLS);
if (!enabledCipherSuites.isEmpty()) {
sslConfig.setEnabledCipherSuites(enabledCipherSuites.toArray(new String[0]));
log.debug("enabled ssl cipher suites for ldaps {}", enabledCipherSuites);
}
log.debug("enabled ssl/tls protocols for ldaps {}", enabledProtocols);
sslConfig.setEnabledProtocols(enabledProtocols.toArray(new String[0]));
config.setSslConfig(sslConfig);
}
config.setUseSSL(enableSSL);
config.setUseStartTLS(enableStartTLS);
final long connectTimeout = settings.getAsLong(ConfigConstants.LDAP_CONNECT_TIMEOUT, 5000L); // 0L means TCP
// default timeout
final long responseTimeout = settings.getAsLong(ConfigConstants.LDAP_RESPONSE_TIMEOUT, 0L); // 0L means wait
// infinitely
config.setConnectTimeout(Duration.ofMillis(connectTimeout < 0L ? 0L : connectTimeout)); // 5 sec by default
config.setResponseTimeout(Duration.ofMillis(responseTimeout < 0L ? 0L : responseTimeout));
if (isDebugEnabled) {
log.debug("Connect timeout: " + config.getConnectTimeout() + "/ResponseTimeout: "
+ config.getResponseTimeout());
}
}