opensearch-project · parislarkins · Sep 19, 2024 · Sep 24, 2024 · Sep 25, 2024 · Sep 29, 2024
@@ -132,7 +132,9 @@ private void printJCEWarnings() {
     public final SslProvider sslTransportServerProvider;
     public final SslProvider sslTransportClientProvider;
     private final boolean httpSSLEnabled;
+    private final boolean httpSSLEnforceCertReloadDnVerification;
     private final boolean transportSSLEnabled;
+    private final boolean transportSSLEnforceCertReloadDnVerification;
 
     private ArrayList<String> enabledHttpCiphersJDKProvider;
     private ArrayList<String> enabledHttpCiphersOpenSSLProvider;
@@ -165,10 +167,18 @@ public DefaultSecurityKeyStore(final Settings settings, final Path configPath) {
             SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED,
             SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT
         );
+        httpSSLEnforceCertReloadDnVerification = settings.getAsBoolean(
+            SSLConfigConstants.SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+            SSLConfigConstants.SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION_DEFAULT
+        );
         transportSSLEnabled = settings.getAsBoolean(
             SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED,
             SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT
         );
+        transportSSLEnforceCertReloadDnVerification = settings.getAsBoolean(
+            SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+            SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION_DEFAULT
+        );
         final boolean useOpenSSLForHttpIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED
             && settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true);
         final boolean useOpenSSLForTransportIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED
@@ -421,7 +431,7 @@ public void initTransportSSLConfig() {
                     certFromTruststore = new CertFromTruststore(truststoreProps, truststoreAlias);
                 }
 
-                validateNewCerts(transportCerts, certFromKeystore.getCerts());
+                validateNewCerts(transportCerts, certFromKeystore.getCerts(), transportSSLEnforceCertReloadDnVerification);
                 transportServerSslContext = buildSSLServerContext(
                     certFromKeystore.getServerKey(),
                     certFromKeystore.getServerCert(),
@@ -472,7 +482,7 @@ public void initTransportSSLConfig() {
                     certFromFile = new CertFromFile(certProps);
                 }
 
-                validateNewCerts(transportCerts, certFromFile.getCerts());
+                validateNewCerts(transportCerts, certFromFile.getCerts(), transportSSLEnforceCertReloadDnVerification);
                 transportServerSslContext = buildSSLServerContext(
                     certFromFile.getServerPemKey(),
                     certFromFile.getServerPemCert(),
@@ -570,7 +580,7 @@ public void initHttpSSLConfig() {
                     certFromTruststore = new CertFromTruststore(truststoreProps, truststoreAlias);
                 }
 
-                validateNewCerts(httpCerts, certFromKeystore.getCerts());
+                validateNewCerts(httpCerts, certFromKeystore.getCerts(), httpSSLEnforceCertReloadDnVerification);
                 httpSslContext = buildSSLServerContext(
                     certFromKeystore.getServerKey(),
                     certFromKeystore.getServerCert(),
@@ -601,7 +611,7 @@ public void initHttpSSLConfig() {
                 );
                 CertFromFile certFromFile = new CertFromFile(certFileProps);
 
-                validateNewCerts(httpCerts, certFromFile.getCerts());
+                validateNewCerts(httpCerts, certFromFile.getCerts(), httpSSLEnforceCertReloadDnVerification);
                 httpSslContext = buildSSLServerContext(
                     certFromFile.getServerPemKey(),
                     certFromFile.getServerPemCert(),
@@ -632,11 +642,16 @@ public void initHttpSSLConfig() {
      * If the current and new certificates are same, skip remaining checks.
      * For new X509 cert to be valid Issuer, Subject DN must be the same and
      * new certificates should expire after current ones.
-     * @param currentX509Certs  Array of current x509 certificates
-     * @param newX509Certs      Array of x509 certificates which will replace our current cert
+     * @param currentX509Certs Array of current x509 certificates
+     * @param newX509Certs     Array of x509 certificates which will replace our current cert
+     * @param verifyValidDNs   Whether to verify that new certs have valid IssuerDN, SubjectDN and SAN
      * @throws Exception if certificate is invalid
      */
-    private void validateNewCerts(final X509Certificate[] currentX509Certs, final X509Certificate[] newX509Certs) throws Exception {
+    private void validateNewCerts(
+        final X509Certificate[] currentX509Certs,
+        final X509Certificate[] newX509Certs,
+        final boolean verifyValidDNs
+    ) throws Exception {
 
         // First time we init certs ignore validity check
         if (currentX509Certs == null) {
@@ -653,7 +668,7 @@ private void validateNewCerts(final X509Certificate[] currentX509Certs, final X5
         }
 
         // Check if new X509 certs have valid IssuerDN, SubjectDN or SAN
-        if (!hasValidDNs(currentX509Certs, newX509Certs)) {
+        if (verifyValidDNs && !hasValidDNs(currentX509Certs, newX509Certs)) {
             throw new Exception("New Certs do not have valid Issuer DN, Subject DN or SAN.");
         }
     }

@@ -638,6 +638,23 @@ public List<Setting<?>> getSettings() {
             Setting.longSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Property.NodeScope, Property.Filtered)
         );
 
+        settings.add(
+            Setting.boolSetting(
+                SSLConfigConstants.SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+                SSLConfigConstants.SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered
+            )
+        );
+        settings.add(
+            Setting.boolSetting(
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered
+            )
+        );
+
         return settings;
     }
 

@@ -38,6 +38,9 @@ public final class SSLConfigConstants {
     public static final String SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = "plugins.security.ssl.http.truststore_alias";
     public static final String SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = "plugins.security.ssl.http.truststore_filepath";
     public static final String SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = "plugins.security.ssl.http.truststore_type";
+    public static final String SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION =
+        "plugins.security.ssl.http.enforce_cert_reload_dn_verification";
+    public static final Boolean SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION_DEFAULT = true;
     public static final String SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE =
         "plugins.security.ssl.transport.enable_openssl_if_available";
     public static final String SECURITY_SSL_TRANSPORT_ENABLED = "plugins.security.ssl.transport.enabled";
@@ -47,6 +50,9 @@ public final class SSLConfigConstants {
     public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME =
         "plugins.security.ssl.transport.resolve_hostname";
 
+    public static final String SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION =
+        "plugins.security.ssl.transport.enforce_cert_reload_dn_verification";
+    public static final Boolean SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION_DEFAULT = true;
     public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = "plugins.security.ssl.transport.keystore_alias";
     public static final String SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = "plugins.security.ssl.transport.server.keystore_alias";
     public static final String SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = "plugins.security.ssl.transport.client.keystore_alias";