tessl/maven-org-elasticsearch--elasticsearch-ssl-config
SSL/TLS configuration library for Elasticsearch providing comprehensive security management utilities.
—
Pending
configuration.mddocs/
SSL Configuration Management
Core SSL configuration functionality providing immutable configuration objects, configuration loading from various sources, and SSL context creation with comprehensive validation.
Capabilities
SSL Configuration Record
Immutable configuration object that encapsulates all SSL context settings and provides SSL context creation.
/**
* Immutable SSL configuration record containing all SSL context settings
*/
public record SslConfiguration(
String settingPrefix,
boolean explicitlyConfigured,
SslTrustConfig trustConfig,
SslKeyConfig keyConfig,
SslVerificationMode verificationMode,
SslClientAuthenticationMode clientAuth,
List<String> ciphers,
List<String> supportedProtocols
) {
/**
* Creates an SSL context from this configuration
* @return configured SSLContext ready for use
* @throws SslConfigException if SSL context creation fails
*/
public SSLContext createSslContext() throws SslConfigException;
/**
* Gets the effective cipher suites for this configuration
* @return list of cipher suite names
*/
public List<String> getCipherSuites();
/**
* Gets all certificate and key files this configuration depends on
* @return collection of file paths
*/
public Collection<Path> getDependentFiles();
/**
* Gets all configured certificates from key and trust configurations
* @return collection of stored certificates with metadata
*/
public Collection<? extends StoredCertificate> getConfiguredCertificates();
}Usage Examples:
import org.elasticsearch.common.ssl.*;
import javax.net.ssl.SSLContext;
import java.util.List;
// Create a complete SSL configuration
SslConfiguration config = new SslConfiguration(
"xpack.security.http.ssl", // setting prefix for logging/errors
true, // explicitly configured (not defaults)
new PemTrustConfig( // trust configuration
List.of("/path/to/ca.pem"),
Paths.get("/config")
),
new PemKeyConfig( // key configuration
"/path/to/cert.pem",
"/path/to/key.pem",
"keypass".toCharArray(),
Paths.get("/config")
),
SslVerificationMode.FULL, // full certificate and hostname verification
SslClientAuthenticationMode.OPTIONAL, // request but don't require client cert
List.of("TLS_AES_256_GCM_SHA384"), // specific cipher suites
List.of("TLSv1.3", "TLSv1.2") // supported TLS versions
);
// Create SSL context from configuration
SSLContext sslContext = config.createSslContext();
// Get effective cipher suites (includes defaults if none specified)
List<String> ciphers = config.getCipherSuites();
// Get all dependent files for monitoring changes
Collection<Path> files = config.getDependentFiles();SSL Configuration Loader
Abstract base class for loading SSL configurations from various settings sources with configurable defaults.
/**
* Abstract factory for loading SSL configurations from settings
*/
public abstract class SslConfigurationLoader {
public static final List<String> DEFAULT_PROTOCOLS;
public static final List<String> DEFAULT_CIPHERS;
public static final List<X509Field> GLOBAL_DEFAULT_RESTRICTED_TRUST_FIELDS;
/**
* Creates a configuration loader for the specified setting prefix
* @param settingPrefix the prefix for all SSL settings (e.g., "xpack.security.http.ssl")
*/
public SslConfigurationLoader(String settingPrefix);
/**
* Sets the default trust configuration to use when none is explicitly configured
* @param defaultTrustConfig the default trust configuration
*/
public void setDefaultTrustConfig(SslTrustConfig defaultTrustConfig);
/**
* Sets the default key configuration to use when none is explicitly configured
* @param defaultKeyConfig the default key configuration
*/
public void setDefaultKeyConfig(SslKeyConfig defaultKeyConfig);
/**
* Sets the default SSL verification mode
* @param defaultVerificationMode the default verification mode
*/
public void setDefaultVerificationMode(SslVerificationMode defaultVerificationMode);
/**
* Sets the default client authentication mode
* @param defaultClientAuth the default client authentication mode
*/
public void setDefaultClientAuth(SslClientAuthenticationMode defaultClientAuth);
/**
* Sets the default cipher suites
* @param defaultCiphers list of default cipher suite names
*/
public void setDefaultCiphers(List<String> defaultCiphers);
/**
* Sets the default TLS protocols
* @param defaultProtocols list of default protocol names
*/
public void setDefaultProtocols(List<String> defaultProtocols);
/**
* Sets a filter function to apply to loaded keystores
* @param keyStoreFilter function to filter keystore entries
*/
public void setKeyStoreFilter(Function<KeyStore, KeyStore> keyStoreFilter);
/**
* Sets default fields to restrict trust validation to
* @param x509Fields list of certificate fields for trust restriction
*/
public void setDefaultRestrictedTrustFields(List<X509Field> x509Fields);
/**
* Loads a complete SSL configuration from settings
* @param basePath base path for resolving relative file paths
* @return fully configured SslConfiguration
* @throws SslConfigException if configuration loading fails
*/
public SslConfiguration load(Path basePath) throws SslConfigException;
/**
* Builds just the key configuration from settings
* @param basePath base path for resolving relative file paths
* @return configured SslKeyConfig
* @throws SslConfigException if key configuration loading fails
*/
public SslKeyConfig buildKeyConfig(Path basePath) throws SslConfigException;
// Abstract methods that subclasses must implement to access settings
protected abstract boolean hasSettings(String prefix) throws Exception;
protected abstract String getSettingAsString(String key) throws Exception;
protected abstract char[] getSecureSetting(String key) throws Exception;
protected abstract List<String> getSettingAsList(String key) throws Exception;
/**
* Resolves a path setting relative to the base path
* @param settingKey the setting key being resolved
* @param basePath the base path for relative resolution
* @return resolved absolute path
*/
protected Path resolvePath(String settingKey, Path basePath);
}Usage Examples:
import org.elasticsearch.common.ssl.*;
import java.nio.file.Path;
import java.util.List;
import java.util.Map;
// Example implementation of SslConfigurationLoader
public class MapBasedSslLoader extends SslConfigurationLoader {
private final Map<String, Object> settings;
public MapBasedSslLoader(String prefix, Map<String, Object> settings) {
super(prefix);
this.settings = settings;
}
@Override
protected boolean hasSettings(String prefix) {
return settings.keySet().stream().anyMatch(key -> key.startsWith(prefix));
}
@Override
protected String getSettingAsString(String key) {
return (String) settings.get(key);
}
@Override
protected char[] getSecureSetting(String key) {
String value = (String) settings.get(key);
return value != null ? value.toCharArray() : null;
}
@Override
protected List<String> getSettingAsList(String key) {
Object value = settings.get(key);
if (value instanceof List) {
return (List<String>) value;
}
return value != null ? List.of(value.toString()) : List.of();
}
}
// Using the configuration loader
Map<String, Object> sslSettings = Map.of(
"xpack.security.http.ssl.certificate", "/path/to/cert.pem",
"xpack.security.http.ssl.key", "/path/to/key.pem",
"xpack.security.http.ssl.certificate_authorities", List.of("/path/to/ca.pem"),
"xpack.security.http.ssl.verification_mode", "full",
"xpack.security.http.ssl.client_authentication", "optional"
);
MapBasedSslLoader loader = new MapBasedSslLoader("xpack.security.http.ssl", sslSettings);
// Set custom defaults
loader.setDefaultVerificationMode(SslVerificationMode.CERTIFICATE);
loader.setDefaultProtocols(List.of("TLSv1.3"));
// Load configuration
SslConfiguration config = loader.load(Paths.get("/config"));SSL Configuration Keys
Utility class providing standard SSL configuration setting keys and metadata about setting types.
/**
* Standard SSL configuration setting keys and utilities
*/
public class SslConfigurationKeys {
// Core SSL settings
public static final String PROTOCOLS = "supported_protocols";
public static final String CIPHERS = "cipher_suites";
public static final String VERIFICATION_MODE = "verification_mode";
public static final String CLIENT_AUTH = "client_authentication";
// Trust configuration settings
public static final String CERTIFICATE_AUTHORITIES = "certificate_authorities";
public static final String TRUSTSTORE_PATH = "truststore.path";
public static final String TRUSTSTORE_SECURE_PASSWORD = "truststore.secure_password";
public static final String TRUSTSTORE_PASSWORD = "truststore.password";
public static final String TRUSTSTORE_TYPE = "truststore.type";
public static final String TRUSTSTORE_ALGORITHM = "truststore.algorithm";
// Key configuration settings
public static final String CERTIFICATE = "certificate";
public static final String KEY = "key";
public static final String KEY_SECURE_PASSPHRASE = "secure_key_passphrase";
public static final String KEY_PASSPHRASE = "key_passphrase";
public static final String KEYSTORE_PATH = "keystore.path";
public static final String KEYSTORE_SECURE_PASSWORD = "keystore.secure_password";
public static final String KEYSTORE_PASSWORD = "keystore.password";
public static final String KEYSTORE_TYPE = "keystore.type";
public static final String KEYSTORE_KEY_PASSWORD = "keystore.key_password";
public static final String KEYSTORE_SECURE_KEY_PASSWORD = "keystore.secure_key_password";
public static final String KEYSTORE_ALGORITHM = "keystore.algorithm";
/**
* Gets all setting keys that expect string values
* @return list of string setting keys
*/
public static List<String> getStringKeys();
/**
* Gets all setting keys that expect list values
* @return list of list setting keys
*/
public static List<String> getListKeys();
/**
* Gets all setting keys that expect secure string values (passwords, etc.)
* @return list of secure string setting keys
*/
public static List<String> getSecureStringKeys();
/**
* Checks if a setting key is deprecated
* @param key the setting key to check
* @return true if the key is deprecated
*/
public static boolean isDeprecated(String key);
}Usage Examples:
import org.elasticsearch.common.ssl.SslConfigurationKeys;
import java.util.List;
// Check setting types
List<String> stringKeys = SslConfigurationKeys.getStringKeys();
List<String> listKeys = SslConfigurationKeys.getListKeys();
List<String> secureKeys = SslConfigurationKeys.getSecureStringKeys();
// Build setting key for a specific prefix
String certSetting = "xpack.security.http.ssl." + SslConfigurationKeys.CERTIFICATE;
String keystoreSetting = "xpack.security.http.ssl." + SslConfigurationKeys.KEYSTORE_PATH;
// Check if a setting is deprecated
boolean deprecated = SslConfigurationKeys.isDeprecated("ssl.trust_all_certs");Error Handling
SSL configuration operations can throw SslConfigException for various error conditions:
/**
* Base exception for SSL configuration problems
*/
public class SslConfigException extends Exception {
public SslConfigException(String message);
public SslConfigException(String message, Exception cause);
}Common error scenarios:
- Invalid file paths or unreadable certificate/key files
- Malformed PEM files or corrupted keystores
- Incompatible cipher suites or protocol versions
- Missing required settings or invalid setting values
- Keystore password mismatches or key extraction failures
Install with Tessl CLI
npx tessl i tessl/maven-org-elasticsearch--elasticsearch-ssl-config