opensearch-project · finnegancarroll · Feb 27, 2025 · Mar 4, 2025 · Feb 28, 2025 · Feb 28, 2025
@@ -69,6 +69,7 @@
 import org.opensearch.SpecialPermission;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.env.Environment;
+import org.opensearch.security.ssl.config.CertType;
 import org.opensearch.security.ssl.util.CertFileProps;
 import org.opensearch.security.ssl.util.CertFromFile;
 import org.opensearch.security.ssl.util.CertFromKeystore;
@@ -874,16 +875,16 @@ private String[] getEnabledSSLProtocols(final SslProvider provider, boolean http
     private void initEnabledSSLCiphers() {
 
         final ImmutableSet<String> allowedSecureHttpSSLCiphers = ImmutableSet.copyOf(
-            SSLConfigConstants.getSecureSSLCiphers(settings, true)
+            SSLConfigConstants.getSecureSSLCiphers(settings, CertType.HTTP)
         );
         final ImmutableSet<String> allowedSecureTransportSSLCiphers = ImmutableSet.copyOf(
-            SSLConfigConstants.getSecureSSLCiphers(settings, false)
+            SSLConfigConstants.getSecureSSLCiphers(settings, CertType.TRANSPORT)
         );
         final ImmutableSet<String> allowedSecureHttpSSLProtocols = ImmutableSet.copyOf(
-            (SSLConfigConstants.getSecureSSLProtocols(settings, true))
+            (SSLConfigConstants.getSecureSSLProtocols(settings, CertType.HTTP))
         );
         final ImmutableSet<String> allowedSecureTransportSSLProtocols = ImmutableSet.copyOf(
-            SSLConfigConstants.getSecureSSLProtocols(settings, false)
+            SSLConfigConstants.getSecureSSLProtocols(settings, CertType.TRANSPORT)
         );
 
         if (OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()) {

@@ -31,6 +31,7 @@
 
 import org.opensearch.OpenSearchException;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.security.ssl.config.CertType;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
 
 public class ExternalSecurityKeyStore implements SecurityKeyStore {
@@ -72,17 +73,17 @@ public SSLEngine createClientTransportSSLEngine(final String peerHost, final int
             final SSLParameters sslParams = new SSLParameters();
             sslParams.setEndpointIdentificationAlgorithm("HTTPS");
             engine.setSSLParameters(sslParams);
-            engine.setEnabledProtocols(evalSecure(engine.getEnabledProtocols(), SSLConfigConstants.getSecureSSLProtocols(settings, false)));
+            engine.setEnabledProtocols(evalSecure(engine.getEnabledProtocols(), SSLConfigConstants.getSecureSSLProtocols(settings, CertType.TRANSPORT)));
             engine.setEnabledCipherSuites(
-                evalSecure(engine.getEnabledCipherSuites(), SSLConfigConstants.getSecureSSLCiphers(settings, false).toArray(new String[0]))
+                evalSecure(engine.getEnabledCipherSuites(), SSLConfigConstants.getSecureSSLCiphers(settings, CertType.TRANSPORT).toArray(new String[0]))
             );
             engine.setUseClientMode(true);
             return engine;
         } else {
             final SSLEngine engine = externalSslContext.createSSLEngine();
-            engine.setEnabledProtocols(evalSecure(engine.getEnabledProtocols(), SSLConfigConstants.getSecureSSLProtocols(settings, false)));
+            engine.setEnabledProtocols(evalSecure(engine.getEnabledProtocols(), SSLConfigConstants.getSecureSSLProtocols(settings, CertType.TRANSPORT)));
             engine.setEnabledCipherSuites(
-                evalSecure(engine.getEnabledCipherSuites(), SSLConfigConstants.getSecureSSLCiphers(settings, false).toArray(new String[0]))
+                evalSecure(engine.getEnabledCipherSuites(), SSLConfigConstants.getSecureSSLCiphers(settings, CertType.TRANSPORT).toArray(new String[0]))
             );
             engine.setUseClientMode(true);
             return engine;

@@ -14,16 +14,23 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
+import java.util.function.Supplier;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.TrustManagerFactory;
 
+import org.opensearch.common.network.NetworkService;
+import org.opensearch.common.settings.ClusterSettings;
 import org.opensearch.common.settings.Settings;
+import org.opensearch.core.indices.breaker.CircuitBreakerService;
 import org.opensearch.http.HttpServerTransport;
 import org.opensearch.http.netty4.ssl.SecureNetty4HttpServerTransport;
+import org.opensearch.plugins.NetworkPlugin;
 import org.opensearch.plugins.SecureHttpTransportSettingsProvider;
+import org.opensearch.plugins.SecureAuxTransportSettingsProvider;
 import org.opensearch.plugins.SecureSettingsFactory;
 import org.opensearch.plugins.SecureTransportSettingsProvider;
 import org.opensearch.plugins.TransportExceptionHandler;
@@ -32,6 +39,7 @@
 import org.opensearch.security.ssl.http.netty.Netty4ConditionalDecompressor;
 import org.opensearch.security.ssl.http.netty.Netty4HttpRequestHeaderVerifier;
 import org.opensearch.security.ssl.transport.SSLConfig;
+import org.opensearch.telemetry.tracing.Tracer;
 import org.opensearch.threadpool.ThreadPool;
 import org.opensearch.transport.Transport;
 import org.opensearch.transport.TransportAdapterProvider;
@@ -185,4 +193,49 @@ public Optional<SSLEngine> buildSecureHttpServerEngine(Settings settings, HttpSe
             }
         });
     }
+
+    @Override
+    public Optional<SecureAuxTransportSettingsProvider> getSecureAuxTransportSettingsProvider(Settings settings) {
+        return Optional.of(new SecureAuxTransportSettingsProvider() {
+            @Override
+            public Optional<SecureAuxTransportSettingsProvider.SecureAuxTransportParameters> parameters() {
+                return Optional.of(new SecureAuxTransportSettingsProvider.SecureAuxTransportParameters() {
+
+                    @Override
+                    public Optional<String> sslProvider() {
+                        return sslSettingsManager.sslConfiguration(CertType.AUX).map(config -> config.sslParameters().provider().name());
+                    }
+
+                    @Override
+                    public Optional<String> clientAuth() {
+                        return sslSettingsManager.sslConfiguration(CertType.AUX).map(config -> config.sslParameters().clientAuth().name());
+                    }
+
+                    @Override
+                    public Collection<String> protocols() {
+                        return sslSettingsManager.sslConfiguration(CertType.AUX)
+                                .map(config -> config.sslParameters().allowedProtocols())
+                                .orElse(Collections.emptyList());
+                    }
+
+                    @Override
+                    public Collection<String> cipherSuites() {
+                        return sslSettingsManager.sslConfiguration(CertType.AUX)
+                                .map(config -> config.sslParameters().allowedCiphers())
+                                .orElse(Collections.emptyList());
+                    }
+
+                    @Override
+                    public Optional<KeyManagerFactory> keyManagerFactory() {
+                        return sslSettingsManager.sslConfiguration(CertType.AUX).map(SslConfiguration::keyStoreFactory);
+                    }
+
+                    @Override
+                    public Optional<TrustManagerFactory> trustManagerFactory() {
+                        return sslSettingsManager.sslConfiguration(CertType.AUX).map(SslConfiguration::trustStoreFactory);
+                    }
+                });
+            }
+        });
+    }
 }
@@ -651,6 +651,89 @@ public List<Setting<?>> getSettings() {
             )
         );
 
+        /**
+         * TLS settings for aux transports.
+         */
+        settings.add(
+            Setting.boolSetting(
+                SSLConfigConstants.SECURITY_SSL_AUX_ENABLE_OPENSSL_IF_AVAILABLE,
+                OPENSSL_SUPPORTED,
+                Property.NodeScope,
+                Property.Filtered
+            )
+        );
+        settings.add(
+            Setting.boolSetting(
+                SSLConfigConstants.SECURITY_SSL_AUX_ENABLED,
+                SSLConfigConstants.SECURITY_SSL_AUX_ENABLED_DEFAULT,
+                Property.NodeScope,
+                Property.Filtered
+            )
+        );
+        settings.add(
+            Setting.listSetting(
+                SSLConfigConstants.SECURITY_SSL_AUX_ENABLED_CIPHERS,
+                Collections.emptyList(),
+                Function.identity(),
+                Property.NodeScope
+            )
+        );
+        settings.add(
+            Setting.listSetting(
+                SSLConfigConstants.SECURITY_SSL_AUX_ENABLED_PROTOCOLS,
+                Collections.emptyList(),
+                Function.identity(),
+                Property.NodeScope
+            )
+        );
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_AUX_CLIENTAUTH_MODE, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_AUX_KEYSTORE_ALIAS, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_AUX_KEYSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_AUX_KEYSTORE_TYPE, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_AUX_TRUSTSTORE_ALIAS, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_AUX_TRUSTSTORE_FILEPATH, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_AUX_TRUSTSTORE_TYPE, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_AUX_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_AUX_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
+        settings.add(
+                Setting.simpleString(SSLConfigConstants.SECURITY_SSL_AUX_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered)
+        );
+        settings.add(Setting.simpleString(SSLConfigConstants.SECURITY_SSL_AUX_CRL_FILE, Property.NodeScope, Property.Filtered));
+        settings.add(Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_AUX_CRL_VALIDATE, false, Property.NodeScope, Property.Filtered));
+        settings.add(
+                Setting.boolSetting(
+                        SSLConfigConstants.SECURITY_SSL_AUX_CRL_PREFER_CRLFILE_OVER_OCSP,
+                        false,
+                        Property.NodeScope,
+                        Property.Filtered
+                )
+        );
+        settings.add(
+                Setting.boolSetting(
+                        SSLConfigConstants.SECURITY_SSL_AUX_CRL_CHECK_ONLY_END_ENTITIES,
+                        true,
+                        Property.NodeScope,
+                        Property.Filtered
+                )
+        );
+        settings.add(
+                Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_AUX_CRL_DISABLE_CRLDP, false, Property.NodeScope, Property.Filtered)
+        );
+        settings.add(
+                Setting.boolSetting(SSLConfigConstants.SECURITY_SSL_AUX_CRL_DISABLE_OCSP, false, Property.NodeScope, Property.Filtered)
+        );
+        settings.add(
+                Setting.longSetting(SSLConfigConstants.SECURITY_SSL_AUX_CRL_VALIDATION_DATE, -1, -1, Property.NodeScope, Property.Filtered)
+        );
+        settings.add(
+                Setting.boolSetting(
+                        SSLConfigConstants.SECURITY_SSL_AUX_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+                        true,
+                        Property.NodeScope,
+                        Property.Filtered
+                )
+        );
+
         return settings;
     }