



@Before
public void setUp() throws Exception {
    // Embedded directory server provided by the test harness.
    final LdapServer embeddedServer = getLdapServer();

    // Port 9 is not expected to have a listener; presumably this exercises
    // the connector's handling of a dead entry in the server list — TODO confirm.
    final LDAPConnectorConfig.LDAPServer deadEndpoint =
            LDAPConnectorConfig.LDAPServer.create("localhost", 9);
    final LDAPConnectorConfig.LDAPServer liveEndpoint =
            LDAPConnectorConfig.LDAPServer.create("localhost", embeddedServer.getPort());

    // Plain-text transport with certificate verification switched off is used for the
    // in-process test server only; the password is still stored through encryptedValueService.
    final LDAPConnectorConfig.Builder configBuilder = LDAPConnectorConfig.builder();
    configBuilder.systemUsername(ADMIN_DN);
    configBuilder.systemPassword(encryptedValueService.encrypt(ADMIN_PASSWORD));
    configBuilder.transportSecurity(LDAPTransportSecurity.NONE);
    configBuilder.verifyCertificates(false);
    configBuilder.serverList(ImmutableList.of(deadEndpoint, liveEndpoint));
    final LDAPConnectorConfig connectorConfig = configBuilder.build();

    final int connectionTimeoutMillis = 10000;
    connector = new UnboundLDAPConnector(
            connectionTimeoutMillis,
            new TLSProtocolsConfiguration(),
            mock(TrustManagerProvider.class),
            encryptedValueService);
    connection = connector.connect(connectorConfig);
}




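/**
 * Hardens the JVM-wide TLS defaults before any {@code SSLContext} is created.
 *
 * <p>Sets a 2048-bit ephemeral DH key size and rejects client-initiated renegotiation
 * (only if the corresponding system properties are still unset), then rewrites the
 * {@code jdk.tls.disabledAlgorithms} security property: when no legacy protocol
 * (TLSv1 / TLSv1.1) is requested, CBC-mode and 3DES cipher suites are additionally
 * disabled; otherwise the requested legacy protocols are removed from the disabled
 * list so they can actually be negotiated. Finally registers Bouncy Castle as a
 * security provider.
 *
 * @param configuration parsed TLS settings; {@code getConfiguredTlsProtocols()} may
 *                      return {@code null}, which is treated as "no legacy protocols"
 */
protected static void applySecuritySettings(TLSProtocolsConfiguration configuration) {
    // Disable insecure TLS parameters and ciphers by default.
    // Prevent attacks like LOGJAM, LUCKY13, et al.
    setSystemPropertyIfEmpty("jdk.tls.ephemeralDHKeySize", "2048");
    setSystemPropertyIfEmpty("jdk.tls.rejectClientInitiatedRenegotiation", "true");

    final Set<String> tlsProtocols = configuration.getConfiguredTlsProtocols();

    // Security.getProperty() returns null when the property is absent from java.security;
    // splitting null would throw NPE here. Blank entries (e.g. a trailing comma) are dropped
    // so the rewritten property never contains empty list elements.
    final String rawDisabled = Security.getProperty("jdk.tls.disabledAlgorithms");
    final List<String> disabledAlgorithms = Stream.of((rawDisabled == null ? "" : rawDisabled).split(","))
            .map(String::trim)
            .filter(entry -> !entry.isEmpty())
            .collect(Collectors.toList());

    // c.f. https://github.com/Graylog2/graylog2-server/issues/10944
    final boolean legacyProtocolsRequested = tlsProtocols != null
            && (tlsProtocols.isEmpty() || tlsProtocols.contains("TLSv1") || tlsProtocols.contains("TLSv1.1"));

    final List<String> updatedAlgorithms;
    if (!legacyProtocolsRequested) {
        // Only modern protocols are in use: additionally retire CBC-mode and 3DES cipher suites.
        // Building a new list (instead of mutating the Collectors.toList() result) avoids relying
        // on that list being mutable; distinct() keeps the property stable if this runs twice.
        updatedAlgorithms = Stream.concat(disabledAlgorithms.stream(), Stream.of("CBC", "3DES"))
                .distinct()
                .collect(Collectors.toList());
    } else {
        // Remove explicitly enabled legacy TLS protocols from the disabledAlgorithms filter.
        // An empty configured set re-enables both TLSv1 and TLSv1.1.
        final Set<String> reEnabledTLSProtocols = tlsProtocols.isEmpty()
                ? ImmutableSet.of("TLSv1", "TLSv1.1")
                : tlsProtocols;
        updatedAlgorithms = disabledAlgorithms.stream()
                .filter(entry -> !reEnabledTLSProtocols.contains(entry))
                .collect(Collectors.toList());
    }
    Security.setProperty("jdk.tls.disabledAlgorithms", String.join(", ", updatedAlgorithms));

    // Explicitly register Bouncy Castle as security provider.
    // This allows us to use more key formats than with JCE
    Security.addProvider(new BouncyCastleProvider());
}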




// Parse only the TLSConfiguration bean
// to avoid triggering anything that might initialize the default SSLContext
private TLSProtocolsConfiguration parseAndGetTLSConfiguration() {
    final TLSProtocolsConfiguration tlsSettings = new TLSProtocolsConfiguration();

    // A dedicated JadConfig instance carrying only this one bean; the full server
    // configuration is deliberately not loaded here.
    final JadConfig tlsOnlyConfig = new JadConfig();
    tlsOnlyConfig.setRepositories(getConfigRepositories(configFile));
    tlsOnlyConfig.addConfigurationBean(tlsSettings);
    processConfiguration(tlsOnlyConfig);

    return tlsSettings;
}

