diff --git a/build-tools-internal/src/main/resources/fips_java.policy b/build-tools-internal/src/main/resources/fips_java.policy
index 16c59fd5ecdc4..593d18f33595a 100644
--- a/build-tools-internal/src/main/resources/fips_java.policy
+++ b/build-tools-internal/src/main/resources/fips_java.policy
@@ -1,11 +1,11 @@
 grant {
 permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
 permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
- permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
- permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
- permission java.security.SecurityPermission "getProperty.keystore.type.compat";
 permission java.lang.RuntimePermission "getProtectionDomain";
 permission java.util.PropertyPermission "java.runtime.name", "read";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.allow_multi_use";
+ permission java.util.PropertyPermission "javax.net.debug", "write";
 permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
 //io.netty.handler.codec.DecoderException
 permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
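Review bot: The new `permission java.util.PropertyPermission "javax.net.debug", "write";` lets any code covered by this `grant {` block (it has no codeBase, so that is every code source under the policy) switch on JSSE debug tracing at runtime, which dumps handshake and certificate details to standard output; a FIPS policy should not hand that out without saying which component needs it. The same applies to `accessClassInPackage.jdk.internal.misc`, which opens a JDK-internal package rather than anything Bouncy Castle owns. The file already follows the pattern of naming the triggering code path (`//io.netty.handler.codec.DecoderException`), so each added line should carry a comment such as `// needed by <class that reads/writes this>` or be dropped if it was only granted to get a test run green. If the debug-property write exists only to diagnose FIPS test runs, it belongs in a test-only policy rather than this one.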
@@ -16,4 +16,19 @@ grant {
 permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
 permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
 permission java.io.FilePermission "${javax.net.ssl.trustStore}", "read";
+
+ //TODO: double check these !!
+ permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
+ permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
+ permission java.security.SecurityPermission "getProperty.keystore.type.compat";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.disable_f2m";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.disable";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.tripledes.allow_weak";
+ permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.drbg.gather_pause_secs";
+ permission java.net.NetPermission "getNetworkInformation";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+ permission java.lang.RuntimePermission "accessSystemModules";
+ permission java.lang.RuntimePermission "manageProcess";
+ permission java.lang.RuntimePermission "createSecurityManager";
 };
diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java
index 6e517f731843b..0f8413dcbd704 100644
--- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java
+++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java
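Review bot: The block under `//TODO: double check these !!` grants `manageProcess`, `createSecurityManager`, `accessSystemModules` and `accessClassInPackage.sun.misc` to every code source, since the enclosing `grant {` carries no codeBase, and none of those is needed to run cryptography in FIPS mode on the face of it; per the JDK permission docs `manageProcess` covers enumerating and terminating other processes through ProcessHandle. A policy file with an unanswered "double check" marker should not be merged as-is. Replace the TODO with one comment per permission naming the class or stack trace that demanded it, in the style of the existing `//io.netty.handler.codec.DecoderException` line, and remove the ones no FIPS test actually triggers. Reading `org.bouncycastle.tripledes.allow_weak` and the `ec.disable*` properties is harmless by itself, but a note stating that these properties are only read, never set here, would tell the next reader that weak 3DES keys are not being enabled by this file.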
@@ -57,7 +57,7 @@ public record SslConfiguration(
 SSLContext.getInstance("TLSv1.3");
 protocolAlgorithmMap.put("TLSv1.3", "TLSv1.3");
 } catch (NoSuchAlgorithmException e) {
- // ignore since we support JVMs using BCJSSE in FIPS mode which doesn't support TLSv1.3
+ // ignore since we support JVMs using BCJSSE in FIPS mode which doesn't support TLSv1.3 //TODO: -> can i remove this ?
 }
 protocolAlgorithmMap.put("TLSv1.2", "TLSv1.2");
 protocolAlgorithmMap.put("TLSv1.1", "TLSv1.1");
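Review bot: The added `//TODO: -> can i remove this ?` leaves an open question in a shipped comment while the catch still silently swallows NoSuchAlgorithmException for TLSv1.3, and whether it can go depends on whether the BCJSSE build this FIPS setup targets now provides TLSv1.3, which is not visible here. If it does, the catch should be removed so a missing TLSv1.3 fails loudly instead of quietly leaving only TLSv1.2 and TLSv1.1 in `protocolAlgorithmMap`; if it does not, the comment should name the provider version that lacks it and state the fallback, e.g. `// BCJSSE in FIPS mode (version to confirm) has no TLSv1.3; the map then advertises only TLSv1.2 and TLSv1.1`. If the catch stays, rename the unused parameter to `ignored` so the intent is explicit. The enclosing block begins before this hunk.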