Add TLS configuration settings/endpoints for auxiliary transports #5152

Draft, wants to merge 22 commits into base: main

22 commits
f87af15
Sort global setting configs by transport type.
finnegancarroll Feb 26, 2025
b9dfbaf
Fix typo in SSL_TRANSPORT_CLIENT_PREFIX. Value of this constant is un…
finnegancarroll Feb 27, 2025
61b5bf7
Fix variable name typo. SSECURITY_SSL_HTTP_CRL_FILE -> SECURITY_SSL_H…
finnegancarroll Feb 27, 2025
21e4080
Spotless apply
finnegancarroll Feb 27, 2025
b2811c9
Remove unnecessary empty string concat.
finnegancarroll Feb 27, 2025
a6db9df
Fill in additional post-fix literals with constants.
finnegancarroll Mar 4, 2025
60d5e93
Spotless apply
finnegancarroll Mar 4, 2025
77b0307
Add aux transport constants.
finnegancarroll Feb 28, 2025
73df09c
Add aux to CertType enum.
finnegancarroll Feb 28, 2025
b593f72
Load aux settings in SslSettingsManager.
finnegancarroll Feb 28, 2025
b1c3d7b
Comment typos.
finnegancarroll Feb 28, 2025
84636d7
Add SECURITY_SSL_AUX_ENABLE_OPENSSL_IF_AVAILABLE to openSslWarnings.
finnegancarroll Mar 3, 2025
af185b1
Consolidate testFailsIfNoConfigDefine tests under single helper.
finnegancarroll Mar 3, 2025
015ce9f
httpConfigFailsIfHttpEnabledButButNotDefined and transportFailsIfNoCo…
finnegancarroll Mar 3, 2025
78c06b8
Replace httpConfigFailsIfBothPemAndJDKSettingsWereSet with transport …
finnegancarroll Mar 3, 2025
c3e9d1e
Replace httpConfigFailsIfClientAuthRequiredAndJdkTrustStoreNotSet wit…
finnegancarroll Mar 3, 2025
0952246
Fix error message for validate keystore/pemstore - Print missing sett…
finnegancarroll Mar 3, 2025
7117d73
Replace httpConfigFailsIfClientAuthRequiredAndPemTrustedCasNotSet wit…
finnegancarroll Mar 3, 2025
a21b90f
Add simple asserts for aux transport to SslSettingsManagerTest.
finnegancarroll Mar 3, 2025
32150b5
Update SSLConfigConstants aux constants with new constants.
finnegancarroll Mar 4, 2025
ed7d249
Refactor SslSettingsManagerReloadListenerTest to abstract helpers for…
finnegancarroll Mar 4, 2025
04ba906
Refactor SslParameters to load from CertType instead of 'ishttp' bool.
finnegancarroll Mar 5, 2025
Expand Up @@ -606,7 +606,7 @@ public List<Setting<?>> getSettings() {
Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered)
);

settings.add(Setting.simpleString(SSLConfigConstants.SSECURITY_SSL_HTTP_CRL_FILE, Property.NodeScope, Property.Filtered));
settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_FILE, Property.NodeScope, Property.Filtered));
settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATE, false, Property.NodeScope, Property.Filtered));
settings.add(
Setting.boolSetting(
148 changes: 114 additions & 34 deletions src/main/java/org/opensearch/security/ssl/SslSettingsManager.java
Expand Up @@ -49,13 +49,10 @@
import static org.opensearch.security.ssl.util.SSLConfigConstants.PEM_CERT_FILEPATH;
import static org.opensearch.security.ssl.util.SSLConfigConstants.PEM_KEY_FILEPATH;
import static org.opensearch.security.ssl.util.SSLConfigConstants.PEM_TRUSTED_CAS_FILEPATH;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_AUX_ENABLED_DEFAULT;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_AUX_ENABLE_OPENSSL_IF_AVAILABLE;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH;
Expand Down Expand Up @@ -104,6 +101,11 @@
sslConfiguration -> contexts.put(CertType.HTTP, new SslContextHandler(sslConfiguration)),
() -> LOGGER.warn("SSL Configuration for HTTP Layer hasn't been set")
);
Optional.ofNullable(configurations.get(CertType.AUX))
.ifPresentOrElse(
sslConfiguration -> contexts.put(CertType.AUX, new SslContextHandler(sslConfiguration)),
() -> LOGGER.warn("SSL Configuration for optional auxiliary transport hasn't been set")
);
Optional.ofNullable(configurations.get(CertType.TRANSPORT)).ifPresentOrElse(sslConfiguration -> {
contexts.put(CertType.TRANSPORT, new SslContextHandler(sslConfiguration));
final var transportClientConfiguration = Optional.ofNullable(configurations.get(CertType.TRANSPORT_CLIENT))
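Review bot: The `() -> LOGGER.warn(...)` fallback added for `CertType.AUX` logs at warn level for a transport that the message itself calls optional, so every node that does not configure it will emit a warning when the contexts are built. Consider `LOGGER.info` or `LOGGER.debug` for the aux case and keep warn for the HTTP layer, where a missing configuration is more likely to be a mistake.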
Expand All @@ -129,19 +131,23 @@
final var settings = environment.settings();
final var httpSettings = settings.getByPrefix(CertType.HTTP.sslConfigPrefix());
final var transportSettings = settings.getByPrefix(CertType.TRANSPORT.sslConfigPrefix());
if (httpSettings.isEmpty() && transportSettings.isEmpty()) {
final var auxTransportSettings = settings.getByPrefix(CertType.AUX.sslConfigPrefix());

if (httpSettings.isEmpty() && transportSettings.isEmpty() && auxTransportSettings.isEmpty()) {
throw new OpenSearchException("No SSL configuration found");
}
jceWarnings();
openSslWarnings(settings);

final var httpEnabled = httpSettings.getAsBoolean(ENABLED, SECURITY_SSL_HTTP_ENABLED_DEFAULT);
final var transportEnabled = transportSettings.getAsBoolean(ENABLED, SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT);
final var auxEnabled = auxTransportSettings.getAsBoolean(ENABLED, SECURITY_SSL_AUX_ENABLED_DEFAULT);

final var configurationBuilder = ImmutableMap.<CertType, SslConfiguration>builder();

if (httpEnabled && !clientNode(settings)) {
validateHttpSettings(httpSettings);
final var httpSslParameters = SslParameters.loader(httpSettings).load(true);
validateHttpSettings(settings);
final var httpSslParameters = SslParameters.loader(httpSettings).load(CertType.HTTP);
final var httpTrustAndKeyStore = new SslCertificatesLoader(CertType.HTTP.sslConfigPrefix()).loadConfiguration(environment);
configurationBuilder.put(
CertType.HTTP,
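Review bot: The widened check `httpSettings.isEmpty() && transportSettings.isEmpty() && auxTransportSettings.isEmpty()` means a node whose only SSL keys sit under the aux prefix no longer hits "No SSL configuration found". If an aux-only TLS configuration is not meant to be valid, keep the original HTTP/transport condition and handle aux separately; if it is meant to be valid, add a test for that case so the intent is recorded. The value of `SECURITY_SSL_AUX_ENABLED_DEFAULT` is not visible in this diff, so please state it in the description or a Javadoc on the constant.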
Expand All @@ -150,7 +156,20 @@
LOGGER.info("TLS HTTP Provider : {}", httpSslParameters.provider());
LOGGER.info("Enabled TLS protocols for HTTP layer : {}", httpSslParameters.allowedProtocols());
}
final var transportSslParameters = SslParameters.loader(transportSettings).load(false);

if (auxEnabled && !clientNode(settings)) {
validateAuxSettings(settings);
final var auxSslParameters = SslParameters.loader(auxTransportSettings).load(CertType.AUX);
final var auxTrustAndKeyStore = new SslCertificatesLoader(CertType.AUX.sslConfigPrefix()).loadConfiguration(environment);
configurationBuilder.put(
CertType.AUX,
new SslConfiguration(auxSslParameters, auxTrustAndKeyStore.v1(), auxTrustAndKeyStore.v2())
);
LOGGER.info("TLS auxiliary transport Provider : {}", auxSslParameters.provider());
LOGGER.info("Enabled TLS protocols for auxiliary transport layer : {}", auxSslParameters.allowedProtocols());
}

final var transportSslParameters = SslParameters.loader(transportSettings).load(CertType.TRANSPORT);
if (transportEnabled) {
if (hasExtendedKeyUsageEnabled(transportSettings)) {
validateTransportSettings(transportSettings);
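Review bot: In the `if (auxEnabled && !clientNode(settings))` block, `validateAuxSettings(settings)` returns without checking anything when the aux prefix is empty, yet the block still goes on to call `new SslCertificatesLoader(CertType.AUX.sslConfigPrefix()).loadConfiguration(environment)`. If `SECURITY_SSL_AUX_ENABLED_DEFAULT` is true, that path runs with no key or trust store settings at all. Either validate unconditionally once `auxEnabled` is true (drop the `isEmpty()` and `ENABLED` early returns inside the validator, which repeat this guard anyway), or confirm the default is false and cover the empty-settings case with a test.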
Expand Down Expand Up @@ -235,34 +254,18 @@
return !"node".equals(settings.get(OpenSearchSecuritySSLPlugin.CLIENT_TYPE));
}

private void validateHttpSettings(final Settings httpSettings) {
if (httpSettings == null) return;
/**
* {@link org.opensearch.OpenSearchException} thrown on invalid configuration of HTTP transport pem store/keystore.
* @param settings {@link org.opensearch.env.Environment} settings.
*/
private void validateHttpSettings(final Settings settings) {
final Settings httpSettings = settings.getByPrefix(CertType.HTTP.sslConfigPrefix());
if (httpSettings.isEmpty()) return;
if (!httpSettings.getAsBoolean(ENABLED, SECURITY_SSL_HTTP_ENABLED_DEFAULT)) return;

final var clientAuth = ClientAuth.valueOf(httpSettings.get(CLIENT_AUTH_MODE, ClientAuth.OPTIONAL.name()).toUpperCase(Locale.ROOT));

if (hasPemStoreSettings(httpSettings)) {
if (!httpSettings.hasValue(PEM_CERT_FILEPATH) || !httpSettings.hasValue(PEM_KEY_FILEPATH)) {
throw new OpenSearchException(
"Wrong HTTP SSL configuration. "
+ String.join(", ", SECURITY_SSL_HTTP_PEMCERT_FILEPATH, SECURITY_SSL_HTTP_PEMKEY_FILEPATH)
+ " must be set"
);
}
if (clientAuth == ClientAuth.REQUIRE && !httpSettings.hasValue(PEM_TRUSTED_CAS_FILEPATH)) {
throw new OpenSearchException(
"Wrong HTTP SSL configuration. " + SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH + " must be set if client auth is required"
);
}
validatePemStoreSettings(CertType.HTTP, settings);
} else if (hasKeyOrTrustStoreSettings(httpSettings)) {
if (!httpSettings.hasValue(KEYSTORE_FILEPATH)) {
throw new OpenSearchException("Wrong HTTP SSL configuration. " + SECURITY_SSL_HTTP_KEYSTORE_FILEPATH + " must be set");
}
if (clientAuth == ClientAuth.REQUIRE && !httpSettings.hasValue(TRUSTSTORE_FILEPATH)) {
throw new OpenSearchException(
"Wrong HTTP SSL configuration. " + SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH + " must be set if client auth is required"
);
}
validateKeyStoreSettings(CertType.HTTP, settings);
} else {
throw new OpenSearchException(
"Wrong HTTP SSL configuration. One of Keystore and Truststore files or X.509 PEM certificates and "
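Review bot: In `validateHttpSettings`, the `clientAuth` local is still computed but is no longer read in the visible body now that the `ClientAuth.REQUIRE` checks have moved into `validatePemStoreSettings` and `validateKeyStoreSettings`; remove it. The new `isEmpty()` and `ENABLED` early returns also duplicate the `httpEnabled` guard at the call site, so one of the two can go. Passing the full `settings` and re-deriving the prefix inside each helper means `getByPrefix` runs three times per validation; passing the already-sliced settings plus the `CertType` would avoid that.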
Expand All @@ -271,6 +274,78 @@
}
}

/**
* {@link org.opensearch.OpenSearchException} thrown on invalid configuration of aux transport pem store/keystore.
* @param settings {@link org.opensearch.env.Environment} settings.
*/
private void validateAuxSettings(final Settings settings) {
final Settings auxSettings = settings.getByPrefix(CertType.AUX.sslConfigPrefix());
if (auxSettings.isEmpty()) return;
if (!auxSettings.getAsBoolean(ENABLED, SECURITY_SSL_AUX_ENABLED_DEFAULT)) return;
if (hasPemStoreSettings(auxSettings)) {
validatePemStoreSettings(CertType.AUX, settings);
} else if (hasKeyOrTrustStoreSettings(auxSettings)) {
validateKeyStoreSettings(CertType.AUX, settings);
} else {
throw new OpenSearchException(
"Wrong auxiliary transport SSL configuration. One of Keystore and Truststore files or X.509 PEM certificates and "
+ "PKCS#8 keys groups should be set to configure auxiliary transport."
);
}
}

/**
* Validate pem store settings for transport of given type.
* Throws an {@link org.opensearch.OpenSearchException} if:
* - Either of the pem certificate or pem private key paths are not set.
* - Client auth is set to REQUIRE but pem trusted certificates filepath is not set.
* @param transportType transport type to validate
* @param settings {@link org.opensearch.env.Environment} settings.
*/
private void validatePemStoreSettings(CertType transportType, final Settings settings) throws OpenSearchException {
final var transportSettings = settings.getByPrefix(transportType.sslConfigPrefix());
final var clientAuth = ClientAuth.valueOf(transportSettings.get(CLIENT_AUTH_MODE, ClientAuth.OPTIONAL.name()).toUpperCase(Locale.ROOT));
if (!transportSettings.hasValue(PEM_CERT_FILEPATH) || !transportSettings.hasValue(PEM_KEY_FILEPATH)) {
throw new OpenSearchException(
"Wrong " + transportType.name().toLowerCase(Locale.ROOT) + " SSL configuration. "
+ String.join(", ", transportSettings.get(PEM_CERT_FILEPATH), transportSettings.get(PEM_KEY_FILEPATH))
+ " must be set"
);
}
if (clientAuth == ClientAuth.REQUIRE && !transportSettings.hasValue(PEM_TRUSTED_CAS_FILEPATH)) {
throw new OpenSearchException(
"Wrong " + transportType.name().toLowerCase(Locale.ROOT) + " SSL configuration. "
+ PEM_TRUSTED_CAS_FILEPATH + " must be set if client auth is required"
);
}
}

/**
* Validate key store settings for transport of given type.
* Throws an {@link org.opensearch.OpenSearchException} if:
* - Keystore filepath is not set.
* - Client auth is set to REQUIRE but trust store filepath is not set.
* @param transportType transport type to validate
* @param settings {@link org.opensearch.env.Environment} settings.
*/
private void validateKeyStoreSettings(CertType transportType, final Settings settings) throws OpenSearchException {
final var transportSettings = settings.getByPrefix(transportType.sslConfigPrefix());
final var clientAuth = ClientAuth.valueOf(transportSettings.get(CLIENT_AUTH_MODE, ClientAuth.OPTIONAL.name()).toUpperCase(Locale.ROOT));
if (!transportSettings.hasValue(KEYSTORE_FILEPATH)) {
throw new OpenSearchException(
"Wrong " + transportType.name().toLowerCase(Locale.ROOT) + " SSL configuration. "
+ transportSettings.get(KEYSTORE_FILEPATH)

Codecov / codecov/patch: check warning on line 337 in src/main/java/org/opensearch/security/ssl/SslSettingsManager.java (#L335-L337). Added lines #L335 - L337 were not covered by tests.
+ " must be set"
);
}
if (clientAuth == ClientAuth.REQUIRE && !transportSettings.hasValue(TRUSTSTORE_FILEPATH)) {
throw new OpenSearchException(
"Wrong " + transportType.name().toLowerCase(Locale.ROOT) + " SSL configuration. "
+ TRUSTSTORE_FILEPATH + " must be set if client auth is required"
);
}
}

private void validateTransportSettings(final Settings transportSettings) {
if (!hasExtendedKeyUsageEnabled(transportSettings)) {
if (hasPemStoreSettings(transportSettings)) {
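Review bot: The error messages in `validatePemStoreSettings` and `validateKeyStoreSettings` print setting values where they should print setting names. `String.join(", ", transportSettings.get(PEM_CERT_FILEPATH), transportSettings.get(PEM_KEY_FILEPATH))` is only reached when at least one of those values is missing, so the operator sees `null` (and possibly a file path) followed by "must be set"; `transportSettings.get(KEYSTORE_FILEPATH)` is always null in its branch. The client-auth messages have the opposite problem: `PEM_TRUSTED_CAS_FILEPATH` and `TRUSTSTORE_FILEPATH` are the un-prefixed suffixes, whereas the removed HTTP code printed the full key constants. Build the names from `transportType.sslConfigPrefix() + PEM_CERT_FILEPATH` and so on in all four messages. Codecov also reports the keystore branch as uncovered; a test asserting on the message text would have caught this. Note too that `transportType.name().toLowerCase(Locale.ROOT)` changes the existing "Wrong HTTP SSL configuration" text to "Wrong http SSL configuration", which may break anything matching on it.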
Expand Down Expand Up @@ -397,6 +472,7 @@
if (!OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED
&& OpenSsl.isAvailable()
&& (settings.getAsBoolean(SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true)
|| settings.getAsBoolean(SECURITY_SSL_AUX_ENABLE_OPENSSL_IF_AVAILABLE, true)
|| settings.getAsBoolean(SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true))) {
if (PlatformDependent.javaVersion() < 12) {
LOGGER.warn(
Expand Down Expand Up @@ -432,6 +508,10 @@
openSslIsEnabled |= Booleans.parseBoolean(settings.get(SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE));
}

if (settings.hasValue(SECURITY_SSL_AUX_ENABLE_OPENSSL_IF_AVAILABLE) == true) {
openSslIsEnabled |= Booleans.parseBoolean(settings.get(SECURITY_SSL_AUX_ENABLE_OPENSSL_IF_AVAILABLE));

Codecov / codecov/patch: check warning on line 512 in src/main/java/org/opensearch/security/ssl/SslSettingsManager.java (#L512). Added line #L512 was not covered by tests.
}

if (settings.hasValue(SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE) == true) {
openSslIsEnabled |= Booleans.parseBoolean(settings.get(SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE));
}
Expand Up @@ -15,14 +15,16 @@
import java.util.Set;
import java.util.stream.Collectors;

import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_AUX_PREFIX;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_HTTP_PREFIX;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_CLIENT_PREFIX;
import static org.opensearch.security.ssl.util.SSLConfigConstants.SSL_TRANSPORT_PREFIX;

public enum CertType {
HTTP(SSL_HTTP_PREFIX),
TRANSPORT(SSL_TRANSPORT_PREFIX),
TRANSPORT_CLIENT(SSL_TRANSPORT_CLIENT_PREFIX);
TRANSPORT_CLIENT(SSL_TRANSPORT_CLIENT_PREFIX),
AUX(SSL_AUX_PREFIX);

public static Set<String> TYPES = Arrays.stream(CertType.values())
.map(CertType::name)
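Review bot: Adding `AUX` to the enum also adds it to `TYPES`, which is built from `CertType.values()`, so any code that checks a name against `TYPES` will now accept aux as well. Please confirm each consumer of `TYPES` and each `switch` over `CertType` handles the new value (the ones in `SslParameters.protocols` cover HTTP, AUX and TRANSPORT only), and add a test that exercises `AUX` through those paths.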
Expand Up @@ -30,6 +30,8 @@
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslProvider;

import static org.opensearch.security.ssl.util.SSLConfigConstants.ALLOWED_OPENSSL_AUX_PROTOCOLS;
import static org.opensearch.security.ssl.util.SSLConfigConstants.ALLOWED_OPENSSL_AUX_PROTOCOLS_PRIOR_OPENSSL_1_1_1_BETA_9;
import static org.opensearch.security.ssl.util.SSLConfigConstants.ALLOWED_OPENSSL_HTTP_PROTOCOLS;
import static org.opensearch.security.ssl.util.SSLConfigConstants.ALLOWED_OPENSSL_HTTP_PROTOCOLS_PRIOR_OPENSSL_1_1_1_BETA_9;
import static org.opensearch.security.ssl.util.SSLConfigConstants.ALLOWED_OPENSSL_TRANSPORT_PROTOCOLS;
Expand Down Expand Up @@ -130,16 +132,24 @@
return settings.getAsBoolean(ENFORCE_CERT_RELOAD_DN_VERIFICATION, true);
}

private List<String> protocols(final SslProvider provider, final Settings settings, boolean http) {
private List<String> protocols(final SslProvider provider, final Settings settings, CertType certType) {
final var allowedProtocols = settings.getAsList(ENABLED_PROTOCOLS, List.of(ALLOWED_SSL_PROTOCOLS));
if (provider == SslProvider.OPENSSL) {
final String[] supportedProtocols;
if (OpenSsl.version() > OPENSSL_1_1_1_BETA_9) {
supportedProtocols = http ? ALLOWED_OPENSSL_HTTP_PROTOCOLS : ALLOWED_OPENSSL_TRANSPORT_PROTOCOLS;
switch (certType) {
case HTTP -> supportedProtocols = ALLOWED_OPENSSL_HTTP_PROTOCOLS;
case AUX -> supportedProtocols = ALLOWED_OPENSSL_AUX_PROTOCOLS;
case TRANSPORT -> supportedProtocols = ALLOWED_OPENSSL_TRANSPORT_PROTOCOLS;
default -> throw new OpenSearchSecurityException("Unsupported certificate type: " + certType);

Codecov / codecov/patch: check warning on line 144 in src/main/java/org/opensearch/security/ssl/config/SslParameters.java (#L141-L144). Added lines #L141 - L144 were not covered by tests.
}
} else {
supportedProtocols = http
? ALLOWED_OPENSSL_HTTP_PROTOCOLS_PRIOR_OPENSSL_1_1_1_BETA_9
: ALLOWED_OPENSSL_TRANSPORT_PROTOCOLS_PRIOR_OPENSSL_1_1_1_BETA_9;
switch (certType) {
case HTTP -> supportedProtocols = ALLOWED_OPENSSL_HTTP_PROTOCOLS_PRIOR_OPENSSL_1_1_1_BETA_9;
case AUX -> supportedProtocols = ALLOWED_OPENSSL_AUX_PROTOCOLS_PRIOR_OPENSSL_1_1_1_BETA_9;
case TRANSPORT -> supportedProtocols = ALLOWED_OPENSSL_TRANSPORT_PROTOCOLS_PRIOR_OPENSSL_1_1_1_BETA_9;
default -> throw new OpenSearchSecurityException("Unsupported certificate type: " + certType);

Codecov / codecov/patch: check warning on line 151 in src/main/java/org/opensearch/security/ssl/config/SslParameters.java (#L148-L151). Added lines #L148 - L151 were not covered by tests.
}
}
return openSslProtocols(allowedProtocols, supportedProtocols);
} else {
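Review bot: Both new `switch (certType)` blocks in `protocols` throw on `default`, which changes behaviour for `CertType.TRANSPORT_CLIENT`: with the old `boolean http` parameter every non-HTTP caller received the transport protocol list, and now that value raises "Unsupported certificate type". If any loader is invoked for the transport client, add `case TRANSPORT, TRANSPORT_CLIENT ->` to both switches. The two switches differ only in which constant set they pick, so a small helper that returns the array for a given `CertType` and OpenSSL version would remove the duplication, and Codecov reports all of these added lines as uncovered, so a unit test per cert type is worth adding.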
Expand Down Expand Up @@ -189,24 +199,24 @@
return allowedCiphers.sorted(String::compareTo).collect(Collectors.toList());
}

public SslParameters load(final boolean http) {
final var clientAuth = http
public SslParameters load(final CertType certType) {
final var clientAuth = certType == CertType.HTTP || certType == CertType.AUX
? ClientAuth.valueOf(sslConfigSettings.get(CLIENT_AUTH_MODE, ClientAuth.OPTIONAL.name()).toUpperCase(Locale.ROOT))
: ClientAuth.REQUIRE;

final var provider = provider(sslConfigSettings);
final var sslParameters = new SslParameters(
provider,
clientAuth,
protocols(provider, sslConfigSettings, http),
protocols(provider, sslConfigSettings, certType),
ciphers(provider, sslConfigSettings),
validateCertDNsOnReload(sslConfigSettings)
);
if (sslParameters.allowedProtocols().isEmpty()) {
throw new OpenSearchSecurityException("No ssl protocols for " + (http ? "HTTP" : "Transport") + " layer");
throw new OpenSearchSecurityException("No ssl protocols for " + certType.name().toLowerCase(Locale.ROOT) + " layer");

Codecov / codecov/patch: check warning on line 216 in src/main/java/org/opensearch/security/ssl/config/SslParameters.java (#L216). Added line #L216 was not covered by tests.
}
if (sslParameters.allowedCiphers().isEmpty()) {
throw new OpenSearchSecurityException("No valid cipher suites for " + (http ? "HTTP" : "Transport") + " layer");
throw new OpenSearchSecurityException("No valid cipher suites for " + certType.name().toLowerCase(Locale.ROOT) + " layer");
}
return sslParameters;
}
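Review bot: In `load`, `certType == CertType.HTTP || certType == CertType.AUX` gives the auxiliary transport the HTTP default of `ClientAuth.OPTIONAL` when `CLIENT_AUTH_MODE` is unset, while every other type is forced to `ClientAuth.REQUIRE`. That is a security-relevant default for a new listener and is not documented anywhere in the visible change; please state it in the Javadoc for `load` and in the settings documentation, or explain why aux should not default to `REQUIRE`. The two exception messages now use `certType.name().toLowerCase(Locale.ROOT)`, so the text changes from "HTTP"/"Transport" to "http"/"transport"; check existing tests and docs that quote the old wording.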