fix defaulted supported versions

jakelandis · Nov 1, 2023 · cad5ca5 · cad5ca5
1 parent fdc2135
commit cad5ca5
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 22 deletions.
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
@@ -7,7 +7,6 @@
 
 package org.elasticsearch.xpack.core;
 
-import org.apache.logging.log4j.LogManager;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
@@ -30,7 +29,6 @@
 import java.util.function.Function;
 
 import javax.crypto.SecretKeyFactory;
-import javax.net.ssl.SSLContext;
 
 import static org.elasticsearch.xpack.core.security.SecurityField.USER_SETTING;
 import static org.elasticsearch.xpack.core.security.authc.RealmSettings.DOMAIN_TO_REALM_ASSOC_SETTING;
@@ -248,19 +246,7 @@ public static Setting<String> defaultStoredHashAlgorithmSetting(String key, Func
         }, Property.NodeScope);
     }
 
-    public static final List<String> DEFAULT_SUPPORTED_PROTOCOLS;
-
-    static {
-        boolean supportsTLSv13 = false;
-        try {
-            SSLContext.getInstance("TLSv1.3");
-            supportsTLSv13 = true;
-        } catch (NoSuchAlgorithmException e) {
-            // BCJSSE in FIPS mode doesn't support TLSv1.3 yet.
-            LogManager.getLogger(XPackSettings.class).debug("TLSv1.3 is not supported", e);
-        }
-        DEFAULT_SUPPORTED_PROTOCOLS = supportsTLSv13 ? Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1") : Arrays.asList("TLSv1.2", "TLSv1.1");
-    }
+    public static final List<String> DEFAULT_SUPPORTED_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1");
 
     public static final SslClientAuthenticationMode CLIENT_AUTH_DEFAULT = SslClientAuthenticationMode.REQUIRED;
     public static final SslClientAuthenticationMode HTTP_CLIENT_AUTH_DEFAULT = SslClientAuthenticationMode.NONE;

diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/XPackSettingsTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/XPackSettingsTests.java
@@ -12,11 +12,15 @@
 import org.elasticsearch.transport.RemoteClusterPortSettings;
 
 import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.Security;
 import java.util.List;
+import java.util.Locale;
 
 import javax.crypto.SecretKeyFactory;
+import javax.net.ssl.SSLContext;
 
-import static org.hamcrest.Matchers.contains;
+import static org.elasticsearch.xpack.core.XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasItem;
@@ -69,13 +73,29 @@ public void testDefaultPasswordHashingAlgorithmInFips() {
         }
     }
 
-    public void testDefaultSupportedProtocols() {
-        if (inFipsJvm()) {
-            assertThat(XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS, contains("TLSv1.2", "TLSv1.1"));
-        } else {
-            assertThat(XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS, contains("TLSv1.3", "TLSv1.2", "TLSv1.1"));
-
+    public void testDefaultSupportedProtocols() throws NoSuchAlgorithmException {
+        // TLSv1.3 is recommended but is not required for FIPS-140-3 compliance, government-only applications must use TLS 1.2 or higher
+        // https://www.gsa.gov/system/files?file=SSL-TLS-Implementation-%5BCIO-IT-Security-14-69-Rev-7%5D-06-12-2023.pdf
+        List<String> defaultSupportedProtocols = DEFAULT_SUPPORTED_PROTOCOLS.stream().map(s -> s.toLowerCase(Locale.ROOT)).toList();
+        int i = 0;
+        Provider[] providers = Security.getProviders();
+        for (Provider provider : providers) {
+            for (Provider.Service service : provider.getServices()) {
+                if ("SSLContext".equalsIgnoreCase(service.getType())) {
+                    if (defaultSupportedProtocols.contains(service.getAlgorithm().toLowerCase(Locale.ROOT))) {
+                        i++;
+                        if (inFipsJvm()) {
+                            // ensure bouncy castle is the provider
+                            assertEquals("BCJSSE", provider.getName());
+                        }
+                        SSLContext.getInstance(service.getAlgorithm()); // ensure no exceptions
+                    }
+
+                }
+
+            }
         }
+        assertEquals("did not find all supported TLS protocols", i, defaultSupportedProtocols.size());
     }
 
     public void testServiceTokenHashingAlgorithmSettingValidation() {