tessl/maven-org-elasticsearch--elasticsearch-ssl-config
SSL/TLS configuration library for Elasticsearch providing comprehensive security management utilities.
—
Pending
enums-types.mddocs/
Configuration Types and Enums
Strongly-typed enums and data classes for SSL configuration options, verification modes, certificate handling, and authentication settings with parsing and validation capabilities.
Capabilities
SSL Verification Mode Enum
Enumeration defining SSL connection verification modes for certificate and hostname validation.
/**
* SSL connection verification modes
*/
public enum SslVerificationMode {
/**
* No verification - accept any certificate and hostname (INSECURE)
*/
NONE,
/**
* Certificate verification only - validate certificate chain but not hostname
*/
CERTIFICATE,
/**
* Full verification - validate both certificate chain and hostname
*/
FULL;
/**
* Checks if hostname verification is enabled for this mode
* @return true if hostname verification should be performed
*/
public boolean isHostnameVerificationEnabled();
/**
* Checks if certificate verification is enabled for this mode
* @return true if certificate chain verification should be performed
*/
public boolean isCertificateVerificationEnabled();
/**
* Parses verification mode from string value
* @param value string representation (case-insensitive)
* @return corresponding SslVerificationMode
* @throws IllegalArgumentException if value is not recognized
*/
public static SslVerificationMode parse(String value);
}Usage Examples:
import org.elasticsearch.common.ssl.SslVerificationMode;
// Parse from string configuration
SslVerificationMode mode1 = SslVerificationMode.parse("full"); // FULL
SslVerificationMode mode2 = SslVerificationMode.parse("certificate"); // CERTIFICATE
SslVerificationMode mode3 = SslVerificationMode.parse("none"); // NONE
// Check verification capabilities
if (mode1.isHostnameVerificationEnabled()) {
System.out.println("Hostname verification is enabled");
}
if (mode1.isCertificateVerificationEnabled()) {
System.out.println("Certificate verification is enabled");
}
// Use in SSL configuration
SslConfiguration config = new SslConfiguration(
"https",
true,
trustConfig,
keyConfig,
SslVerificationMode.FULL, // full verification
clientAuth,
ciphers,
protocols
);
// Configure SSL parameters based on verification mode
SSLParameters sslParams = new SSLParameters();
if (!mode1.isHostnameVerificationEnabled()) {
sslParams.setEndpointIdentificationAlgorithm(null); // disable hostname verification
}SSL Client Authentication Mode Enum
Enumeration defining client authentication modes for SSL servers.
/**
* Client authentication modes for SSL servers
*/
public enum SslClientAuthenticationMode {
/**
* No client authentication - never request client certificates
*/
NONE,
/**
* Optional client authentication - request but don't require client certificates
*/
OPTIONAL,
/**
* Required client authentication - request and require client certificates
*/
REQUIRED;
/**
* Checks if client authentication is enabled for this mode
* @return true if client authentication is requested
*/
public boolean enabled();
/**
* Configures SSL parameters for this client authentication mode
* @param sslParameters SSL parameters to configure
*/
public void configure(SSLParameters sslParameters);
/**
* Parses client authentication mode from string value
* @param value string representation (case-insensitive)
* @return corresponding SslClientAuthenticationMode
* @throws IllegalArgumentException if value is not recognized
*/
public static SslClientAuthenticationMode parse(String value);
}Usage Examples:
import org.elasticsearch.common.ssl.SslClientAuthenticationMode;
import javax.net.ssl.SSLParameters;
// Parse from string configuration
SslClientAuthenticationMode auth1 = SslClientAuthenticationMode.parse("required"); // REQUIRED
SslClientAuthenticationMode auth2 = SslClientAuthenticationMode.parse("optional"); // OPTIONAL
SslClientAuthenticationMode auth3 = SslClientAuthenticationMode.parse("none"); // NONE
// Check if client authentication is enabled
if (auth1.enabled()) {
System.out.println("Client authentication is enabled");
}
// Configure SSL parameters
SSLParameters sslParams = new SSLParameters();
auth1.configure(sslParams); // sets client auth mode on SSL parameters
// Use in SSL configuration
SslConfiguration serverConfig = new SslConfiguration(
"xpack.security.http.ssl",
true,
trustConfig,
keyConfig,
SslVerificationMode.FULL,
SslClientAuthenticationMode.OPTIONAL, // request but don't require client certs
ciphers,
protocols
);
// Example server-side usage
SSLContext sslContext = serverConfig.createSslContext();
SSLServerSocket serverSocket = (SSLServerSocket) sslContext.getServerSocketFactory().createServerSocket(8443);
// Client auth mode is automatically applied through SSL configurationX509 Field Enum
Enumeration for referencing specific parts of X509 certificates by canonical string values, used for trust restriction.
/**
* X509 certificate field references for trust restrictions
*/
public enum X509Field {
/**
* Subject Alternative Name - Other Name with Common Name component
*/
SAN_OTHERNAME_COMMONNAME,
/**
* Subject Alternative Name - DNS Name
*/
SAN_DNS;
/**
* Gets string representation of this field
* @return canonical string representation
*/
@Override
public String toString();
/**
* Parses X509 field from string for restricted trust configuration
* @param s string representation of the field
* @return corresponding X509Field
* @throws IllegalArgumentException if field is not recognized
*/
public static X509Field parseForRestrictedTrust(String s);
}Usage Examples:
import org.elasticsearch.common.ssl.X509Field;
import java.util.List;
// Parse X509 field references
X509Field dnsField = X509Field.parseForRestrictedTrust("san_dns");
X509Field cnField = X509Field.parseForRestrictedTrust("san_othername_commonname");
// Use in restricted trust configuration
List<X509Field> restrictedFields = List.of(
X509Field.SAN_DNS, // only trust DNS names in SAN
X509Field.SAN_OTHERNAME_COMMONNAME // and common names in SAN other names
);
// Configure with SslConfigurationLoader
SslConfigurationLoader loader = new MyConfigurationLoader("https");
loader.setDefaultRestrictedTrustFields(restrictedFields);
// The trust manager will only validate certificates against the specified fieldsStored Certificate Record
Record class containing information about a locally stored certificate including metadata.
/**
* Information about a locally stored certificate with metadata
*/
public record StoredCertificate(
/**
* The X509 certificate
*/
X509Certificate certificate,
/**
* Path to the certificate file (null if not from file)
*/
@Nullable String path,
/**
* Format of the certificate storage (PEM, JKS, PKCS12, etc.)
*/
String format,
/**
* Alias within keystore (null if not from keystore)
*/
@Nullable String alias,
/**
* Whether this certificate has an associated private key
*/
boolean hasPrivateKey
) {}Usage Examples:
import org.elasticsearch.common.ssl.StoredCertificate;
import java.security.cert.X509Certificate;
// Create stored certificate metadata
StoredCertificate pemCert = new StoredCertificate(
certificate, // X509Certificate instance
"/etc/ssl/server.pem", // file path
"PEM", // format
null, // no alias (PEM files don't have aliases)
true // has associated private key
);
StoredCertificate keystoreCert = new StoredCertificate(
certificate, // X509Certificate instance
"/etc/ssl/keystore.p12", // keystore file path
"PKCS12", // keystore format
"server-cert", // alias within keystore
true // has associated private key
);
StoredCertificate caCert = new StoredCertificate(
caCertificate, // CA certificate
"/etc/ssl/ca.pem", // CA file path
"PEM", // format
null, // no alias
false // no private key (CA cert only)
);
// Use stored certificate information
System.out.println("Certificate from: " + pemCert.path());
System.out.println("Format: " + pemCert.format());
System.out.println("Has private key: " + pemCert.hasPrivateKey());
if (keystoreCert.alias() != null) {
System.out.println("Keystore alias: " + keystoreCert.alias());
}
// Get certificate details
X509Certificate cert = pemCert.certificate();
System.out.println("Subject: " + cert.getSubjectX500Principal().getName());
System.out.println("Issuer: " + cert.getIssuerX500Principal().getName());SSL Configuration Exception
Base exception class for SSL configuration problems with comprehensive error information.
/**
* Base exception for SSL configuration problems
*/
public class SslConfigException extends Exception {
/**
* Creates SSL configuration exception with message and cause
* @param message descriptive error message
* @param cause underlying exception that caused this error
*/
public SslConfigException(String message, Exception cause);
/**
* Creates SSL configuration exception with message only
* @param message descriptive error message
*/
public SslConfigException(String message);
}Usage Examples:
import org.elasticsearch.common.ssl.SslConfigException;
import java.io.IOException;
import java.security.GeneralSecurityException;
// Catch and handle SSL configuration exceptions
try {
SslConfiguration config = loader.load(basePath);
SSLContext sslContext = config.createSslContext();
} catch (SslConfigException e) {
System.err.println("SSL configuration failed: " + e.getMessage());
if (e.getCause() != null) {
System.err.println("Caused by: " + e.getCause().getMessage());
}
// Handle specific causes
if (e.getCause() instanceof IOException) {
System.err.println("File access problem - check certificate/key file paths and permissions");
} else if (e.getCause() instanceof GeneralSecurityException) {
System.err.println("Security/cryptography problem - check certificate validity and formats");
}
}
// Throw SSL configuration exceptions
public SslKeyConfig loadKeyConfig(String path) throws SslConfigException {
try {
return new PemKeyConfig(certPath, keyPath, password, basePath);
} catch (IOException e) {
throw new SslConfigException("Failed to read key configuration from " + path, e);
} catch (GeneralSecurityException e) {
throw new SslConfigException("Invalid key material at " + path, e);
}
}Type Usage Patterns
Configuration Validation
Use enums for robust configuration validation:
// Validate and parse configuration strings
public SslConfiguration parseConfiguration(Map<String, String> settings) {
// Parse with validation
SslVerificationMode verificationMode;
try {
verificationMode = SslVerificationMode.parse(
settings.getOrDefault("verification_mode", "full")
);
} catch (IllegalArgumentException e) {
throw new SslConfigException("Invalid verification mode: " + settings.get("verification_mode"));
}
SslClientAuthenticationMode clientAuth;
try {
clientAuth = SslClientAuthenticationMode.parse(
settings.getOrDefault("client_authentication", "none")
);
} catch (IllegalArgumentException e) {
throw new SslConfigException("Invalid client authentication mode: " + settings.get("client_authentication"));
}
return new SslConfiguration(prefix, true, trustConfig, keyConfig, verificationMode, clientAuth, ciphers, protocols);
}Certificate Metadata Collection
Use StoredCertificate for comprehensive certificate tracking:
// Collect certificate metadata from various sources
public List<StoredCertificate> collectCertificateMetadata(SslConfiguration config) {
List<StoredCertificate> allCerts = new ArrayList<>();
// Add certificates from key configuration
allCerts.addAll(config.keyConfig().getConfiguredCertificates());
// Add certificates from trust configuration
allCerts.addAll(config.trustConfig().getConfiguredCertificates());
// Analyze certificate sources
Map<String, List<StoredCertificate>> byFormat = allCerts.stream()
.collect(Collectors.groupingBy(StoredCertificate::format));
System.out.println("Certificate sources:");
byFormat.forEach((format, certs) -> {
System.out.println(" " + format + ": " + certs.size() + " certificates");
});
// Find certificates with private keys
List<StoredCertificate> withPrivateKeys = allCerts.stream()
.filter(StoredCertificate::hasPrivateKey)
.toList();
System.out.println("Certificates with private keys: " + withPrivateKeys.size());
return allCerts;
}Enum-Based Configuration Defaults
Use enums to provide sensible defaults:
public class SslDefaults {
public static final SslVerificationMode DEFAULT_VERIFICATION_MODE = SslVerificationMode.FULL;
public static final SslClientAuthenticationMode DEFAULT_CLIENT_AUTH = SslClientAuthenticationMode.NONE;
public static final List<String> DEFAULT_PROTOCOLS = List.of("TLSv1.3", "TLSv1.2");
public static SslConfiguration createDefaultConfiguration(SslTrustConfig trustConfig, SslKeyConfig keyConfig) {
return new SslConfiguration(
"ssl",
false, // using defaults
trustConfig,
keyConfig,
DEFAULT_VERIFICATION_MODE,
DEFAULT_CLIENT_AUTH,
List.of(), // use JVM cipher defaults
DEFAULT_PROTOCOLS
);
}
}X509 Field Validation
Use X509Field enum for certificate field validation:
// Configure trust field restrictions
public void configureRestrictedTrust(SslConfigurationLoader loader, List<String> fieldNames) {
List<X509Field> fields = fieldNames.stream()
.map(name -> {
try {
return X509Field.parseForRestrictedTrust(name);
} catch (IllegalArgumentException e) {
throw new SslConfigException("Invalid X509 field for trust restriction: " + name, e);
}
})
.toList();
loader.setDefaultRestrictedTrustFields(fields);
}Install with Tessl CLI
npx tessl i tessl/maven-org-elasticsearch--elasticsearch-ssl-config