Disable DiagnosticTrustManager in FIPS 140 (#49888)

This commit changes the default behavior for
xpack.security.ssl.diagnose.trust when running in a FIPS 140 JVM.

More specifically, when xpack.security.fips_mode.enabled is true:

- If xpack.security.ssl.diagnose.trust is not explicitly set, the
    default value of it becomes false and a log message is printed
    on info level, notifying of the fact that the TLS/SSL diagnostic
    messages are not enabled when in a FIPS 140 JVM.
- If xpack.security.ssl.diagnose.trust is explicitly set, the value of
    it is honored, even in FIPS mode.

This is relevant only for 7.x where we support Java 8 in which
SunJSSE can still be used as a FIPS 140 provider for TLS. SunJSSE
in FIPS mode, disallows the use of other TrustManager implementations
than the one shipped with SunJSSE.

Author: jkakavas

docs/reference/settings/security-settings.asciidoc

@@ -1505,6 +1505,7 @@ to establish trust.
 This diagnostic message contains information that can be used to determine the
 cause of the failure and assist with resolving the problem.
 Set to `false` to disable these messages.
+NOTE: This defaults to `false` when `xpack.security.fips_mode.enabled` is `true`.
 
 ==== Default values for TLS/SSL settings
 In general, the values below represent the default values for the various TLS

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java

@@ -140,6 +140,9 @@ private XPackSettings() {
     /** Setting for enabling or disabling vectors. Defaults to true. */
     public static final Setting<Boolean> VECTORS_ENABLED = Setting.boolSetting("xpack.vectors.enabled", true, Setting.Property.NodeScope);
 
+    public static final Setting<Boolean> DIAGNOSE_TRUST_EXCEPTIONS_SETTING = Setting.boolSetting(
+        "xpack.security.ssl.diagnose.trust", true, Setting.Property.NodeScope);
+
     public static final List<String> DEFAULT_SUPPORTED_PROTOCOLS;
 
     static {

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLService.java

@@ -19,7 +19,6 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.logging.DeprecationLogger;
 import org.elasticsearch.common.logging.LoggerMessageFormat;
-import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.ssl.DiagnosticTrustManager;
 import org.elasticsearch.common.ssl.SslDiagnostics;
@@ -72,6 +71,7 @@
 import java.util.stream.Collectors;
 
 import static org.elasticsearch.xpack.core.XPackSettings.DEFAULT_SUPPORTED_PROTOCOLS;
+import static org.elasticsearch.xpack.core.XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING;
 
 /**
  * Provides access to {@link SSLEngine} and {@link SSLSocketFactory} objects based on a provided configuration. All
@@ -103,9 +103,6 @@ public class SSLService {
         ORDERED_PROTOCOL_ALGORITHM_MAP = Collections.unmodifiableMap(protocolAlgorithmMap);
     }
 
-    private static final Setting<Boolean> DIAGNOSE_TRUST_EXCEPTIONS_SETTING = Setting.boolSetting(
-        "xpack.security.ssl.diagnose.trust", true, Setting.Property.NodeScope);
-
     private final Settings settings;
     private final boolean diagnoseTrustExceptions;
 
@@ -143,7 +140,7 @@ public SSLService(Environment environment) {
     public SSLService(Settings settings, Environment environment) {
         this.settings = settings;
         this.env = environment;
-        this.diagnoseTrustExceptions = DIAGNOSE_TRUST_EXCEPTIONS_SETTING.get(settings);
+        this.diagnoseTrustExceptions = shouldEnableDiagnoseTrust();
         this.sslConfigurations = new HashMap<>();
         this.sslContexts = loadSSLConfigurations();
     }
@@ -152,7 +149,7 @@ private SSLService(Settings settings, Environment environment, Map<String, SSLCo
                        Map<SSLConfiguration, SSLContextHolder> sslContexts) {
         this.settings = settings;
         this.env = environment;
-        this.diagnoseTrustExceptions = DIAGNOSE_TRUST_EXCEPTIONS_SETTING.get(settings);
+        this.diagnoseTrustExceptions = shouldEnableDiagnoseTrust();
         this.sslConfigurations = sslConfigurations;
         this.sslContexts = sslContexts;
     }
@@ -187,10 +184,6 @@ SSLContextHolder sslContextHolder(SSLConfiguration sslConfiguration) {
         };
     }
 
-    public static void registerSettings(List<Setting<?>> settingList) {
-        settingList.add(DIAGNOSE_TRUST_EXCEPTIONS_SETTING);
-    }
-
     /**
      * Create a new {@link SSLIOSessionStrategy} based on the provided settings. The settings are used to identify the SSL configuration
      * that should be used to create the context.
@@ -852,4 +845,13 @@ private static String sslContextAlgorithm(List<String> supportedProtocols) {
         throw new IllegalArgumentException("no supported SSL/TLS protocol was found in the configured supported protocols: "
             + supportedProtocols);
     }
+
+    private boolean shouldEnableDiagnoseTrust() {
+        if (XPackSettings.FIPS_MODE_ENABLED.get(settings) && DIAGNOSE_TRUST_EXCEPTIONS_SETTING.exists(settings) == false ) {
+            logger.info("diagnostic messages for SSL/TLS trust failures are not enabled in FIPS 140 mode by default.");
+            return false;
+        } else {
+            return DIAGNOSE_TRUST_EXCEPTIONS_SETTING.get(settings);
+        }
+    }
 }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLServiceTests.java

@@ -822,6 +822,27 @@ public void testDontWrapTrustManagerWhenDiagnosticsDisabled() {
         assertThat(sslService.wrapWithDiagnostics(baseTrustManager, sslConfiguration), sameInstance(baseTrustManager));
     }
 
+    public void testDontWrapTrustManagerByDefaultWhenInFips(){
+        final Settings.Builder builder = Settings.builder();
+        builder.put("xpack.security.fips_mode.enabled", true);
+        final SSLService sslService = new SSLService(builder.build(), env);
+        final X509ExtendedTrustManager baseTrustManager = TrustAllConfig.INSTANCE.createTrustManager(env);
+        final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
+        assertThat(sslService.wrapWithDiagnostics(baseTrustManager, sslConfiguration), sameInstance(baseTrustManager));
+    }
+
+    public void testWrapTrustManagerWhenInFipsAndExplicitlyConfigured(){
+        final Settings.Builder builder = Settings.builder();
+        builder.put("xpack.security.fips_mode.enabled", true);
+        builder.put("xpack.security.ssl.diagnose.trust", true);
+        final SSLService sslService = new SSLService(builder.build(), env);
+        final X509ExtendedTrustManager baseTrustManager = TrustAllConfig.INSTANCE.createTrustManager(env);
+        final SSLConfiguration sslConfiguration = sslService.getSSLConfiguration("xpack.security.transport.ssl");
+        final X509ExtendedTrustManager wrappedTrustManager = sslService.wrapWithDiagnostics(baseTrustManager, sslConfiguration);
+        assertThat(wrappedTrustManager, instanceOf(DiagnosticTrustManager.class));
+        assertThat(sslService.wrapWithDiagnostics(wrappedTrustManager, sslConfiguration), sameInstance(wrappedTrustManager));
+    }
+
     class AssertionCallback implements FutureCallback<HttpResponse> {
 
         @Override

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -641,7 +641,7 @@ public static List<Setting<?>> getSettings(boolean transportClientMode, List<Sec
         // The following just apply in node mode
         settingsList.add(XPackSettings.FIPS_MODE_ENABLED);
 
-        SSLService.registerSettings(settingsList);
+        settingsList.add(XPackSettings.DIAGNOSE_TRUST_EXCEPTIONS_SETTING);
         // IP Filter settings
         IPFilter.addSettings(settingsList);
 
@@ -909,7 +909,6 @@ static void validateForFips(Settings settings) {
             validationErrors.add("Only PBKDF2 is allowed for password hashing in a FIPS 140 JVM. Please set the " +
                 "appropriate value for [ " + XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey() + " ] setting.");
         }
-
         if (validationErrors.isEmpty() == false) {
             final StringBuilder sb = new StringBuilder();
             sb.append("Validation for FIPS 140 mode failed: \n");