tessl/maven-org-elasticsearch--elasticsearch-ssl-config

SSL/TLS configuration library for Elasticsearch providing comprehensive security management utilities.

mavenpkg:maven/org.elasticsearch/elasticsearch-ssl-config@9.1.x

To install, run

npx @tessl/cli install tessl/maven-org-elasticsearch--elasticsearch-ssl-config@9.1.0


Elasticsearch SSL Configuration Library

The Elasticsearch SSL Configuration Library provides comprehensive SSL/TLS configuration management utilities for Java applications. It offers a robust framework for handling SSL configurations including key stores, trust stores, certificate management, PEM utilities, and various SSL verification modes with extensive validation and diagnostic capabilities.

Package Information

  • Package Name: org.elasticsearch:elasticsearch-ssl-config
  • Package Type: maven
  • Language: Java
  • Installation: Add to your Maven pom.xml:
<dependency>
    <groupId>org.elasticsearch</groupId>
    <artifactId>elasticsearch-ssl-config</artifactId>
    <version>9.1.3</version>
</dependency>

For Gradle:

implementation 'org.elasticsearch:elasticsearch-ssl-config:9.1.3'

Core Imports

import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.ssl.SslConfigurationLoader;
import org.elasticsearch.common.ssl.SslKeyConfig;
import org.elasticsearch.common.ssl.SslTrustConfig;
import org.elasticsearch.common.ssl.SslVerificationMode;
import org.elasticsearch.common.ssl.SslClientAuthenticationMode;

Basic Usage

import org.elasticsearch.common.ssl.*;
import javax.net.ssl.SSLContext;
import java.nio.file.Path;
import java.util.List;

// Create SSL configuration.
// basePath is a java.nio.file.Path declared elsewhere in the application; the relative file
// names below are presumably resolved against it (see the basePath / configBasePath
// constructor parameters) — confirm before relying on it.
SslConfiguration config = new SslConfiguration(
    "https",                                    // setting prefix
    true,                                       // explicitly configured
    new PemTrustConfig(List.of("ca.pem"), basePath),  // trust config: CA certificate(s) in PEM form
    new PemKeyConfig("cert.pem", "key.pem", null, basePath), // key config; null keyPassword presumably means key.pem is not encrypted — pass a char[] if it is
    SslVerificationMode.FULL,                   // verification mode; FULL presumably enables both certificate and hostname verification — keep it for real deployments
    SslClientAuthenticationMode.OPTIONAL,      // client auth: request but do not require a client certificate
    List.of(),                                  // cipher suites (empty list = use defaults)
    List.of("TLSv1.3", "TLSv1.2")             // supported protocols
);

// Create SSL context from the trust and key material above
SSLContext sslContext = config.createSslContext();

// Use the SSL context for secure connections
// (with HttpsURLConnection, SSLSocketFactory, etc.)

Architecture

The library is built around several key architectural components:

  • Configuration Management: Central SslConfiguration record that encapsulates all SSL settings and can create SSLContext instances
  • Pluggable Key Sources: SslKeyConfig interface with implementations for PEM files, keystores, and empty configurations
  • Flexible Trust Models: SslTrustConfig interface supporting PEM CA files, trust stores, system defaults, composite configurations, and trust-everything modes
  • Configuration Loading: Abstract SslConfigurationLoader for building configurations from various settings sources
  • Utility Layer: Comprehensive utilities for keystore operations, PEM parsing, certificate handling, and SSL diagnostics
  • Type Safety: Strong typing with enums for verification modes, client authentication, and certificate fields

Capabilities

SSL Configuration Management

Core SSL configuration functionality providing immutable configuration objects and SSL context creation.

/**
 * Immutable SSL settings for one context (e.g. the "https" prefix in the usage example).
 * Holds the trust and key material sources plus the verification, client-auth, cipher and
 * protocol choices, and can build a javax.net.ssl.SSLContext from them.
 */
public record SslConfiguration(
    String settingPrefix,                       // prefix of the settings this configuration was read from
    boolean explicitlyConfigured,               // "explicitly configured" per the usage example; exact meaning not shown here
    SslTrustConfig trustConfig,                 // which peer certificates are trusted (see SslTrustConfig)
    SslKeyConfig keyConfig,                     // this side's private key + certificate chain (see SslKeyConfig)
    SslVerificationMode verificationMode,       // NONE / CERTIFICATE / FULL
    SslClientAuthenticationMode clientAuth,     // NONE / OPTIONAL / REQUIRED
    List<String> ciphers,                       // cipher suites; an empty list presumably selects library defaults — confirm
    List<String> supportedProtocols             // e.g. "TLSv1.3", "TLSv1.2" as in the usage example
) {
    /** Builds an SSLContext from this configuration (presumably via the key and trust managers of keyConfig/trustConfig — confirm). */
    public SSLContext createSslContext();
    /** The effective cipher suite list (presumably the defaults when ciphers is empty — confirm). */
    public List<String> getCipherSuites();
    /** Files (PEM / keystore paths) this configuration reads its material from. */
    public Collection<Path> getDependentFiles();
    /** Certificates loaded by the key and trust configs, each with its source path/alias. */
    public Collection<? extends StoredCertificate> getConfiguredCertificates();
}

SSL Configuration Management

Key Management

SSL key material management with support for PEM files, keystores, and programmatic key configurations.

/**
 * Source of this side's key material (private key + certificate chain).
 * Implementations listed on this page: PemKeyConfig, StoreKeyConfig, and an empty configuration.
 */
public interface SslKeyConfig {
    /** Files the key material is read from. */
    Collection<Path> getDependentFiles();
    /** Builds the key manager that presents this side's certificate during the handshake. */
    X509ExtendedKeyManager createKeyManager();
    /** Private key / certificate pairs held by this config (Tuple is a project type). */
    List<Tuple<PrivateKey, X509Certificate>> getKeys();
    /** Certificates held, each with source path/format/alias (see StoredCertificate). */
    Collection<StoredCertificate> getConfiguredCertificates();
    /** Whether any key material is present (presumably false for the empty configuration — confirm). */
    default boolean hasKeyMaterial();
    /** Presumably exposes this config's certificates as a trust config — confirm the exact semantics. */
    default SslTrustConfig asTrustConfig();
}

/** Key material read from PEM files. */
public class PemKeyConfig implements SslKeyConfig {
    /**
     * @param certificatePath PEM file holding the certificate (chain)
     * @param keyPath         PEM file holding the private key
     * @param keyPassword     password of the private key; the usage example passes null, presumably for an unencrypted key — confirm
     * @param configBasePath  base directory; a relative path is presumably resolved against it — confirm
     */
    public PemKeyConfig(String certificatePath, String keyPath, char[] keyPassword, Path configBasePath);
}

/** Key material read from a keystore file (see KeyStoreUtil.readKeyStore). */
public class StoreKeyConfig implements SslKeyConfig {
    /**
     * @param path           keystore file
     * @param storePassword  password that opens the store
     * @param type           keystore type (KeyStoreUtil.inferKeyStoreType can derive one from the path)
     * @param filter         applied to the loaded KeyStore before use; exact contract not shown here
     * @param keyPassword    password protecting the key entries, given separately from storePassword
     * @param algorithm      presumably the key manager algorithm name — confirm
     * @param configBasePath base directory; a relative path is presumably resolved against it — confirm
     */
    public StoreKeyConfig(String path, char[] storePassword, String type, 
                         Function<KeyStore, KeyStore> filter, char[] keyPassword, 
                         String algorithm, Path configBasePath);
}

Key Management

Trust Management

SSL trust configuration with support for various trust models including PEM CA files, trust stores, and system defaults.

/**
 * Decides which peer certificates are trusted. Implementations per the Architecture section:
 * PEM CA files, trust stores, system defaults, composite configurations, and trust-everything.
 */
public interface SslTrustConfig {
    /** Files the trust anchors are read from. */
    Collection<Path> getDependentFiles();
    /** Builds the trust manager that validates peer certificate chains. */
    X509ExtendedTrustManager createTrustManager();
    /** Trust anchors held by this config, each with its source path/alias. */
    Collection<? extends StoredCertificate> getConfiguredCertificates();
    /** Presumably true for the system-default trust model — confirm. */
    default boolean isSystemDefault();
}

/** Trust anchors read from one or more PEM CA certificate files. */
public class PemTrustConfig implements SslTrustConfig {
    /**
     * @param certificateAuthorities PEM files holding the CA certificates to trust
     * @param basePath               base directory; relative entries are presumably resolved against it — confirm
     */
    public PemTrustConfig(List<String> certificateAuthorities, Path basePath);
}

/** Trust anchors read from a trust store file. */
public class StoreTrustConfig implements SslTrustConfig {
    /**
     * @param path                trust store file
     * @param password            store password
     * @param type                store type (KeyStoreUtil.inferKeyStoreType can derive one from the path)
     * @param algorithm           presumably the trust manager algorithm name — confirm
     * @param requireTrustAnchors when true, a store with no trusted certificates is presumably rejected at load
     *                            time instead of silently yielding a trust manager with nothing to trust — confirm;
     *                            keeping it true makes a misconfigured store fail loudly
     * @param configBasePath      base directory; a relative path is presumably resolved against it — confirm
     */
    public StoreTrustConfig(String path, char[] password, String type, String algorithm, 
                           boolean requireTrustAnchors, Path configBasePath);
}

Trust Management

SSL Utilities

Comprehensive utility functions for keystore operations, PEM file parsing, certificate handling, and SSL-related tasks.

/**
 * Static helpers around java.security.KeyStore.
 * NOTE(review): passwords are taken as char[]; callers can clear the array once the store is loaded.
 */
public final class KeyStoreUtil {
    /** Derives a keystore type from the file path (presumably from its extension — confirm). */
    public static String inferKeyStoreType(String path);
    /** Loads the keystore at path, of type ksType, unlocked with password. */
    public static KeyStore readKeyStore(Path path, String ksType, char[] password);
    /** Builds a KeyStore holding certificateChain and privateKey, protected by password. */
    public static KeyStore buildKeyStore(Collection<Certificate> certificateChain, PrivateKey privateKey, char[] password);
    /** Key manager that presents certificateChain and signs with privateKey. */
    public static X509ExtendedKeyManager createKeyManager(Certificate[] certificateChain, PrivateKey privateKey, char[] password);
    /** Trust manager whose trust anchors are the given certificates. */
    public static X509ExtendedTrustManager createTrustManager(Collection<Certificate> certificates);
}

/** PEM file and string parsing helpers. */
public final class PemUtils {
    /** Reads a private key from a PEM file; passwordSupplier provides the key password (presumably only consulted when the key is encrypted — confirm). */
    public static PrivateKey readPrivateKey(Path path, Supplier<char[]> passwordSupplier);
    /** Reads every certificate found in the given PEM files. */
    public static List<Certificate> readCertificates(Collection<Path> certPaths);
    /** Parses a PKCS#8 PEM string into a PrivateKey; there is no password parameter, so presumably only unencrypted keys are accepted — confirm. */
    public static PrivateKey parsePKCS8PemString(String pemString);
}

SSL Utilities

SSL Diagnostics

Advanced diagnostic capabilities for troubleshooting SSL trust failures and certificate issues.

/** Produces readable explanations of why a peer certificate chain was not trusted. */
public class SslDiagnostics {
    /** Shared instance. */
    public static final SslDiagnostics INSTANCE;
    
    /**
     * Builds a human-readable description of a trust failure.
     * @param chain          the peer's certificate chain
     * @param peerType       which side the peer is (PeerType is a project type)
     * @param session        the SSL session in which the failure occurred
     * @param contextName    name of the SSL context, for the message
     * @param trustedIssuers trusted certificates keyed by issuer — presumably by issuer name; confirm
     */
    public String getTrustDiagnosticFailure(X509Certificate[] chain, PeerType peerType, 
                                          SSLSession session, String contextName, 
                                          Map<String, List<X509Certificate>> trustedIssuers);
    /** Hostnames the certificate is valid for (presumably from its subject alternative names — confirm). */
    public static List<String> describeValidHostnames(X509Certificate certificate);
    /** Checks whether peerCert's issuer is among trustedIssuers (IssuerTrust is a project type). */
    public static IssuerTrust checkIssuerTrust(Map<String, List<X509Certificate>> trustedIssuers, 
                                              X509Certificate peerCert);
}

/**
 * Trust manager that wraps a delegate and reports trust failures through a DiagnosticLogger
 * (a project type) — presumably using SslDiagnostics for the message text; confirm.
 */
public final class DiagnosticTrustManager extends X509ExtendedTrustManager {
    /**
     * @param delegate    the trust manager whose decisions are presumably enforced unchanged — confirm
     * @param contextName supplies the context name used in diagnostic messages
     * @param logger      sink for the diagnostics
     */
    public DiagnosticTrustManager(X509ExtendedTrustManager delegate, Supplier<String> contextName, 
                                 DiagnosticLogger logger);
}

SSL Diagnostics

Configuration Types and Enums

Strongly-typed enums and data classes for SSL configuration options, verification modes, and certificate handling.

/**
 * How much of the peer certificate is verified. Each constant answers the two queries below;
 * FULL is the strict setting used in the usage example. NONE presumably disables certificate
 * verification altogether and belongs only in controlled test setups — confirm against the
 * implementation.
 */
public enum SslVerificationMode {
    NONE, CERTIFICATE, FULL;
    
    /** Whether the peer's hostname is checked against its certificate. */
    public abstract boolean isHostnameVerificationEnabled();
    /** Whether the peer's certificate chain is validated at all. */
    public abstract boolean isCertificateVerificationEnabled();
    /** Parses a setting value into a constant (accepted spellings and case handling not shown here). */
    public static SslVerificationMode parse(String value);
}

/** Whether a server requests or requires a certificate from the client. */
public enum SslClientAuthenticationMode {
    NONE, OPTIONAL, REQUIRED;
    
    /** Whether client certificates are requested at all (presumably false only for NONE — confirm). */
    public abstract boolean enabled();
    /** Applies this mode to sslParameters (presumably via setWantClientAuth / setNeedClientAuth — confirm). */
    public abstract void configure(SSLParameters sslParameters);
    /** Parses a setting value into a constant (accepted spellings and case handling not shown here). */
    public static SslClientAuthenticationMode parse(String value);
}

/** A loaded certificate together with where it came from. */
public record StoredCertificate(
    X509Certificate certificate,
    String path,            // file the certificate was read from
    String format,          // source format — presumably PEM or a keystore type; confirm
    String alias,           // keystore alias when the source is a keystore — presumably; confirm
    boolean hasPrivateKey   // whether a private key accompanies the certificate (i.e. it came from a key config)
) {}

Configuration Types and Enums