Handle JCE restrictions

While it is been the default for Java since JDK 8u161 released in early 2018,
old versions of Java may not have the JCE unlimited strength jurisdiction policy
installed. This commit handles this case, warning the user that the policy is not
installed, and presenting a reduced set of default ciphers for use.

lib/logstash/inputs/beats.rb

@@ -114,8 +114,7 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   config :tls_max_version, :validate => :number, :default => TLS.max.version
 
   # The list of ciphers suite to use, listed by priorities.
-  config :cipher_suites, :validate => :array, :default => org.logstash.netty.SslContextBuilder::DEFAULT_CIPHERS
-
+  config :cipher_suites, :validate => :array, :default => org.logstash.netty.SslContextBuilder.getDefaultCiphers
   # Close Idle clients after X seconds of inactivity.
   config :client_inactivity_timeout, :validate => :number, :default => 60
 

spec/integration/filebeat_spec.rb

@@ -166,8 +166,8 @@
             end
 
             context "when the cipher is not supported" do
-              let(:beats_cipher) { "ECDHE-RSA-AES-128-GCM-SHA256" }
-              let(:logstash_cipher) { "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
+              let(:beats_cipher) { "ECDHE-RSA-AES-256-GCM-SHA384" }
+              let(:logstash_cipher) { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
 
               include_examples "doesn't send events"
             end

src/main/java/org/logstash/netty/SslContextBuilder.java

@@ -5,12 +5,14 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import javax.crypto.Cipher;
 import javax.net.ssl.SSLServerSocketFactory;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
@@ -41,7 +43,7 @@ public enum SslClientVerifyMode {
     Mordern Ciphers List from
     https://wiki.mozilla.org/Security/Server_Side_TLS
     */
-    public final static String[] DEFAULT_CIPHERS = new String[] {
+    private final static String[] DEFAULT_CIPHERS = new String[] {
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
@@ -51,6 +53,17 @@ public enum SslClientVerifyMode {
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
     };
+
+    /*
+      Reduced set of ciphers available when JCE Unlimited Strength Jurisdiction Policy is not installed.
+     */
+    private final static String[] DEFAULT_CIPHERS_LIMITED = new String[] {
+            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
+    };
+
     private String[] supportedCiphers = ((SSLServerSocketFactory)SSLServerSocketFactory
             .getDefault()).getSupportedCipherSuites();
     private String[] ciphers = DEFAULT_CIPHERS;
@@ -74,6 +87,9 @@ public SslContextBuilder setCipherSuites(String[] ciphersSuite) throws IllegalAr
             if(Arrays.asList(supportedCiphers).contains(cipher)) {
                 logger.debug("Cipher is supported: {}", cipher);
             }else{
+                if (!isUnlimitedJCEAvailable()) {
+                    logger.warn("JCE Unlimited Strength Jurisdiction Policy not installed");
+                }
                 throw new IllegalArgumentException("Cipher `" + cipher + "` is not available");
             }
         }
@@ -82,6 +98,23 @@ public SslContextBuilder setCipherSuites(String[] ciphersSuite) throws IllegalAr
         return this;
     }
 
+    public static String[] getDefaultCiphers(){
+        if (isUnlimitedJCEAvailable()){
+            return DEFAULT_CIPHERS;
+        } else {
+            logger.warn("JCE Unlimited Strength Jurisdiction Policy not installed - max key length is 128 bits");
+            return DEFAULT_CIPHERS_LIMITED;
+        }
+    }
+
+    public static boolean isUnlimitedJCEAvailable(){
+        try {
+            return (Cipher.getMaxAllowedKeyLength("AES") > 128);
+        } catch (NoSuchAlgorithmException e) {
+            logger.warn("AES not available", e);
+            return false;
+        }
+    }
     public SslContextBuilder setCertificateAuthorities(String[] cert) {
         certificateAuthorities = cert;
         return this;