
LDAP realm does not reload SSL context if files change #36923

Closed
tvernum opened this issue Dec 21, 2018 · 2 comments
Labels: >bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)

Comments

@tvernum
Contributor

tvernum commented Dec 21, 2018

Somewhere between 6.2 and 6.5 the LDAP realm behaviour changed to not reload the SSL context if the underlying file contents change (updated CA file).

The SSL Service still reloads the internal context, but the LDAP realm doesn't use it.

My guess is that this might be due to the way we changed reloading to support FIPS, but I haven't dug into it yet.

@tvernum tvernum added >bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Dec 21, 2018
@tvernum tvernum self-assigned this Dec 21, 2018
@elasticmachine
Collaborator

Pinging @elastic/es-security

@tvernum
Contributor Author

tvernum commented Dec 21, 2018

I've confirmed this is a result of the FIPS-JVM compliant reloading changes in 2b09e90.

That's unfortunate, because we need to keep those changes, so I'm going to need to add some sort of notification mechanism so that the SSLService can notify the LDAP connection pool to reload its SSL context.
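
The notification mechanism described in the comment above, sketched as an added example (Go, not Elasticsearch's Java code and not the fix that eventually landed): a reloader that owns the CA file plays the SSLService role, and a stand-in LDAP connection pool registers as a listener so every reload replaces the trust store it verifies against, instead of keeping the one it captured at startup. The file watching itself is left to the caller; `Reload` is what a watcher would invoke on a content change. `TrustReloader`, `LDAPPool`, the host name `ldap.example.test` and the throwaway certificates are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

// TrustListener is implemented by anything that derives TLS state from the CA
// file (here a stand-in for the LDAP connection pool) and must rebuild it on change.
type TrustListener interface{ OnTrustReload(roots *x509.CertPool) }

// TrustReloader plays the SSLService role: it owns the CA file and fans every
// reload out to its listeners. A file watcher on one goroutine would call Reload.
type TrustReloader struct {
	caPath    string
	listeners []TrustListener
}

// Reload re-reads the CA file and pushes the new trust store to every listener.
// A file with no parseable CA is an error and leaves the previous store in place.
func (r *TrustReloader) Reload() error {
	data, err := os.ReadFile(r.caPath)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(data) {
		return errors.New("no CA certificates in " + r.caPath)
	}
	for _, l := range r.listeners {
		l.OnTrustReload(roots)
	}
	return nil
}

// LDAPPool stands in for the realm's connection pool: it never keeps the trust
// store it saw at startup but reads the most recently delivered one on each use.
type LDAPPool struct{ roots atomic.Value }

func (p *LDAPPool) OnTrustReload(roots *x509.CertPool) { p.roots.Store(roots) }

// Verify checks a server certificate against the current trust store, failing closed before the first reload.
func (p *LDAPPool) Verify(server *x509.Certificate) error {
	roots, ok := p.roots.Load().(*x509.CertPool)
	if !ok {
		return errors.New("no trust store loaded yet")
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: "ldap.example.test"})
	return err
}

// issue creates a throwaway certificate (a constructed fixture, not a real PKI):
// a self-signed CA when parent is nil, otherwise a server leaf signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	} else {
		tmpl.DNSNames = []string{cn}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// RotationScenario rotates the CA on disk and reports whether the pool trusted
// the old server certificate before rotation, and the old and new ones after it.
func RotationScenario() (oldBefore, oldAfter, newAfter bool, err error) {
	caPath := filepath.Join(os.TempDir(), "ca-reload-demo.pem")
	defer os.Remove(caPath)
	oldCA, oldKey, oldPEM := issue("Old CA", nil, nil)
	newCA, newKey, newPEM := issue("New CA", nil, nil)
	oldLeaf, _, _ := issue("ldap.example.test", oldCA, oldKey)
	newLeaf, _, _ := issue("ldap.example.test", newCA, newKey)
	pool := &LDAPPool{}
	reloader := &TrustReloader{caPath: caPath, listeners: []TrustListener{pool}}
	_ = os.WriteFile(caPath, oldPEM, 0o600) // a failed write surfaces in Reload
	if err = reloader.Reload(); err != nil {
		return
	}
	oldBefore = pool.Verify(oldLeaf) == nil
	// The operator swaps in the new CA; the file watcher fires and calls Reload.
	_ = os.WriteFile(caPath, newPEM, 0o600)
	if err = reloader.Reload(); err != nil {
		return
	}
	oldAfter, newAfter = pool.Verify(oldLeaf) == nil, pool.Verify(newLeaf) == nil
	return
}
```

Two design points worth noting: the pool swaps its trust store through an `atomic.Value`, so connections verifying concurrently always see a whole, current `CertPool` rather than a half-updated one; and `Reload` refuses to publish an empty or unparseable CA file, so a botched rotation leaves the previous trust store in force instead of silently failing every LDAP bind.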

tvernum added a commit to tvernum/elasticsearch that referenced this issue Dec 21, 2018
In elastic#30509 we changed the way SSL configuration is reloaded when the
content of a file changes. As a consequence of that implementation
change the LDAP realm ceased to pick up changes to CA files (or other
certificate material) if they changed.

This commit repairs the reloading behaviour for LDAP realms, and adds
a test for this functionality.

Resolves: elastic#36923
tvernum added a commit that referenced this issue Dec 28, 2018
In #30509 we changed the way SSL configuration is reloaded when the
content of a file changes. As a consequence of that implementation
change the LDAP realm ceased to pick up changes to CA files (or other
certificate material) if they changed.

This commit repairs the reloading behaviour for LDAP realms, and adds
a test for this functionality.

Resolves: #36923
original-brownbear pushed a commit to original-brownbear/elasticsearch that referenced this issue Dec 28, 2018
tvernum added a commit that referenced this issue Jan 4, 2019
tvernum added a commit that referenced this issue Jan 4, 2019