author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2020-02-20 09:50:17 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-20 09:50:17 +0100 |
commit | 6a39f2c585e08d64122f58e1a5546b6cd999dcb7 (patch) | |
tree | 9cbc3392599f5974d3746290ff3f63ffa94b825f | |
parent | a387fc96d20fde6a6c3a15690f9e604ead2460c2 (diff) | |
parent | 0a352bc6ab22515a3ac576f75e98d911d82f08d5 (diff) |
Merge pull request #12231 from vespa-engine/bjorncs/vespa-security-env-hostname-validation
Bjorncs/vespa security env hostname validation
11 files changed, 22 insertions, 3 deletions
diff --git a/config-model/src/main/perl/vespa-deploy b/config-model/src/main/perl/vespa-deploy
index 59a84f5b0c0..a128e4a8d4c 100755
--- a/config-model/src/main/perl/vespa-deploy
+++ b/config-model/src/main/perl/vespa-deploy
@@ -154,7 +154,7 @@ my $command = shift;
 $command ||= "help";
 # The '--insecure' parameter is sadly required as it is not possible to disable or alter hostname verification with curl
-my $curl_command = $VESPA_HOME . '/libexec/vespa/vespa-curl-wrapper --insecure -A vespa-deploy --silent --show-error --connect-timeout 30 --max-time 1200';
+my $curl_command = $VESPA_HOME . '/libexec/vespa/vespa-curl-wrapper -A vespa-deploy --silent --show-error --connect-timeout 30 --max-time 1200';
 my $CURL_PUT = $curl_command . ' --write-out \%{http_code} --request PUT';
 my $CURL_GET = $curl_command . ' --request GET';
diff --git a/security-tools/pom.xml b/security-tools/pom.xml
index 38b14ce957f..195e2d06311 100644
--- a/security-tools/pom.xml
+++ b/security-tools/pom.xml
@@ -57,6 +57,7 @@
 <exclude>META-INF/*.SF</exclude>
 <exclude>META-INF/*.DSA</exclude>
 <exclude>META-INF/*.RSA</exclude>
+<exclude>META-INF/versions/*/module-info.class</exclude>
 </excludes>
 </filter>
 </filters>
diff --git a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java
index 367d7b9dd83..c314d17e018 100644
--- a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java
+++ b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java
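Review bot: The context comment kept above the changed `my $curl_command` line still states that `--insecure` is "sadly required", but this hunk removes that flag from the command, so the comment now contradicts the code directly beneath it. Because the wrapper it invokes now decides this from the environment, the comment should be rewritten to something like `# Hostname verification is controlled by vespa-curl-wrapper via VESPA_TLS_HOSTNAME_VALIDATION_DISABLED; do not add --insecure here.`. This is a top-level statement run and the script continues outside the hunk.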
@@ -54,6 +54,9 @@ public class Main {
 MixedMode mixedMode = TransportSecurityUtils.getInsecureMixedMode(envVars);
 if (options.isPresent() && mixedMode != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) {
 outputVariables.put(OutputVariable.TLS_ENABLED, "1");
+if (options.get().isHostnameValidationDisabled()) {
+outputVariables.put(OutputVariable.DISABLE_HOSTNAME_VALIDATION, "1");
+}
 options.get().getCaCertificatesFile()
 .ifPresent(caCertFile -> outputVariables.put(OutputVariable.CA_CERTIFICATE, caCertFile.toString()));
 options.get().getCertificatesFile()
diff --git a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/OutputVariable.java b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/OutputVariable.java
index dd248d05aac..9a90a145f30 100644
--- a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/OutputVariable.java
+++ b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/OutputVariable.java
@@ -10,7 +10,8 @@ enum OutputVariable {
 TLS_ENABLED("VESPA_TLS_ENABLED", "Set to '1' if TLS is enabled in Vespa"),
 CA_CERTIFICATE("VESPA_TLS_CA_CERT", "Path to CA certificates file"),
 CERTIFICATE("VESPA_TLS_CERT", "Path to certificate file"),
-PRIVATE_KEY("VESPA_TLS_PRIVATE_KEY", "Path to private key file");
+PRIVATE_KEY("VESPA_TLS_PRIVATE_KEY", "Path to private key file"),
+DISABLE_HOSTNAME_VALIDATION("VESPA_TLS_HOSTNAME_VALIDATION_DISABLED", "Set to '1' if TLS hostname validation is disabled");
 private final String variableName;
 private final String description;
diff --git a/security-tools/src/main/sh/vespa-curl-wrapper b/security-tools/src/main/sh/vespa-curl-wrapper
index e286e121f64..b4fd9224a8a 100755
--- a/security-tools/src/main/sh/vespa-curl-wrapper
+++ b/security-tools/src/main/sh/vespa-curl-wrapper
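Review bot: The new `options.get().isHostnameValidationDisabled()` check is the third `options.get()` unwrap inside the `if (options.isPresent() && ...)` block, next to the existing `getCaCertificatesFile()` and `getCertificatesFile()` chains. Binding the value once just after the `if` line, `TransportSecurityOptions opts = options.get();`, and using `opts` in the new check and the chains below reads more simply than repeating the Optional unwrap. The enclosing block continues outside the hunk.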
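Review bot: The new constant `DISABLE_HOSTNAME_VALIDATION` is the only member of this enum whose name does not mirror the variable it names: `TLS_ENABLED`/`VESPA_TLS_ENABLED` and `CA_CERTIFICATE`/`VESPA_TLS_CA_CERT` describe a state, while this one reads as an instruction although the variable is `VESPA_TLS_HOSTNAME_VALIDATION_DISABLED`. Renaming it `HOSTNAME_VALIDATION_DISABLED("VESPA_TLS_HOSTNAME_VALIDATION_DISABLED", ...)` would keep the constant, the variable and the `isHostnameValidationDisabled()` accessor used in Main.java consistent; the single use in Main.java would follow the rename.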
@@ -88,6 +88,11 @@ then
 CURL_PARAMETERS=("${CURL_PARAMETERS[@]/http:/https:}")
 fi
+if [ -n "${VESPA_TLS_HOSTNAME_VALIDATION_DISABLED}" ]
+then
+CURL_PARAMETERS=("--insecure" "${CURL_PARAMETERS[@]}")
+fi
+
 if [ -n "${VESPA_TLS_CA_CERT}" ]
 then
 CURL_PARAMETERS=("--cacert" "${VESPA_TLS_CA_CERT}" "${CURL_PARAMETERS[@]}")
diff --git a/security-tools/src/test/java/com/yahoo/vespa/security/tool/securityenv/MainTest.java b/security-tools/src/test/java/com/yahoo/vespa/security/tool/securityenv/MainTest.java
index b563ebd14f4..45626820f4d 100644
--- a/security-tools/src/test/java/com/yahoo/vespa/security/tool/securityenv/MainTest.java
+++ b/security-tools/src/test/java/com/yahoo/vespa/security/tool/securityenv/MainTest.java
@@ -106,6 +106,7 @@ public class MainTest {
 TransportSecurityOptions options = new TransportSecurityOptions.Builder()
 .withCertificates(Paths.get("/path/to/certificate"), Paths.get("/path/to/key"))
 .withCaCertificates(Paths.get("/path/to/cacerts"))
+.withHostnameValidationDisabled(true)
 .build();
 Path configFile = tmpFolder.newFile().toPath();
 options.toJsonFile(configFile);
diff --git a/security-tools/src/test/resources/bash-output.txt b/security-tools/src/test/resources/bash-output.txt
index c07c667af47..182dc177d42 100644
--- a/security-tools/src/test/resources/bash-output.txt
+++ b/security-tools/src/test/resources/bash-output.txt
@@ -2,3 +2,4 @@ VESPA_TLS_ENABLED="1"; export VESPA_TLS_ENABLED;
 VESPA_TLS_CA_CERT="/path/to/cacerts"; export VESPA_TLS_CA_CERT;
 VESPA_TLS_CERT="/path/to/certificate"; export VESPA_TLS_CERT;
 VESPA_TLS_PRIVATE_KEY="/path/to/key"; export VESPA_TLS_PRIVATE_KEY;
+VESPA_TLS_HOSTNAME_VALIDATION_DISABLED="1"; export VESPA_TLS_HOSTNAME_VALIDATION_DISABLED;
diff --git a/security-tools/src/test/resources/csh-output.txt b/security-tools/src/test/resources/csh-output.txt
index 2b6716de92b..2e6cd886c26 100644
--- a/security-tools/src/test/resources/csh-output.txt
+++ b/security-tools/src/test/resources/csh-output.txt
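Review bot: The new `[ -n "${VESPA_TLS_HOSTNAME_VALIDATION_DISABLED}" ]` test adds `--insecure` for any non-empty value, including `0` or `false`, whereas Http.pm in this same change only disables verification when the value is exactly `1` and Main.java only ever emits `1`. A flag that weakens TLS should be matched exactly so the consumers agree and a stray value cannot silently turn hostname checks off: `if [ "${VESPA_TLS_HOSTNAME_VALIDATION_DISABLED}" = "1" ]`. The neighbouring `-n` checks on `VESPA_TLS_CA_CERT` and the other path variables are fine as they test for a path rather than a boolean.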
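Review bot: Adding `.withHostnameValidationDisabled(true)` to the existing fixture means bash-output.txt and csh-output.txt in this change now both expect `VESPA_TLS_HOSTNAME_VALIDATION_DISABLED="1"`, so the default path, validation enabled and the variable omitted from the output, appears to lose its coverage unless another test in this class outside the hunk still builds options without that call. A second case that keeps the builder without `withHostnameValidationDisabled` and asserts the variable is absent would pin the safer default. The test method continues outside the hunk.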
@@ -2,3 +2,4 @@ setenv VESPA_TLS_ENABLED "1";
 setenv VESPA_TLS_CA_CERT "/path/to/cacerts";
 setenv VESPA_TLS_CERT "/path/to/certificate";
 setenv VESPA_TLS_PRIVATE_KEY "/path/to/key";
+setenv VESPA_TLS_HOSTNAME_VALIDATION_DISABLED "1";
diff --git a/security-tools/src/test/resources/expected-help-output.txt b/security-tools/src/test/resources/expected-help-output.txt
index 7d125fe15a2..33ad3b6d232 100644
--- a/security-tools/src/test/resources/expected-help-output.txt
+++ b/security-tools/src/test/resources/expected-help-output.txt
@@ -9,3 +9,5 @@ The output may include the following variables:
 - 'VESPA_TLS_CA_CERT': Path to CA certificates file
 - 'VESPA_TLS_CERT': Path to certificate file
 - 'VESPA_TLS_PRIVATE_KEY': Path to private key file
+ - 'VESPA_TLS_HOSTNAME_VALIDATION_DISABLED': Set to '1' if TLS hostname
+validation is disabled
diff --git a/security-tools/src/test/resources/no-security-output.txt b/security-tools/src/test/resources/no-security-output.txt
index 3467f1316b5..257a2747ee2 100644
--- a/security-tools/src/test/resources/no-security-output.txt
+++ b/security-tools/src/test/resources/no-security-output.txt
@@ -2,3 +2,4 @@ unset VESPA_TLS_ENABLED;
 unset VESPA_TLS_CA_CERT;
 unset VESPA_TLS_CERT;
 unset VESPA_TLS_PRIVATE_KEY;
+unset VESPA_TLS_HOSTNAME_VALIDATION_DISABLED;
diff --git a/vespaclient/src/perl/lib/Yahoo/Vespa/Http.pm b/vespaclient/src/perl/lib/Yahoo/Vespa/Http.pm
index 2dbf475f2a7..d907e89fa54 100644
--- a/vespaclient/src/perl/lib/Yahoo/Vespa/Http.pm
+++ b/vespaclient/src/perl/lib/Yahoo/Vespa/Http.pm
@@ -100,7 +100,10 @@ sub initialize { # ()
 my $tls_enabled = $ENV{'VESPA_TLS_ENABLED'};
 if (defined $tls_enabled and $tls_enabled eq '1') {
 $BROWSER->ssl_opts( SSL_version => 'TLSv12');
-$BROWSER->ssl_opts( verify_hostname => 0);
+my $hostname_verification_disabled = $ENV{'VESPA_TLS_HOSTNAME_VALIDATION_DISABLED'};
+if (defined $hostname_verification_disabled and $hostname_verification_disabled eq '1') {
+$BROWSER->ssl_opts( verify_hostname => 0);
+}
 $BROWSER->ssl_opts( SSL_cipher_list => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256' );
 }
 if (defined $ENV{'VESPA_TLS_CA_CERT'}) { |
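Review bot: When `VESPA_TLS_HOSTNAME_VALIDATION_DISABLED` is not `1`, the new code no longer calls `ssl_opts( verify_hostname => ... )` at all, so whether hostnames are checked now depends on the user agent's default for that option (and, if `$BROWSER` is an LWP::UserAgent as the `ssl_opts` call suggests, on the `PERL_LWP_SSL_VERIFY_HOSTNAME` environment variable) rather than on this block. Setting the option explicitly in both cases keeps the decision local and visible: `my $disabled = $ENV{'VESPA_TLS_HOSTNAME_VALIDATION_DISABLED'};` / `my $verify_hostname = (defined $disabled and $disabled eq '1') ? 0 : 1;` / `$BROWSER->ssl_opts( verify_hostname => $verify_hostname );`. Note that the exact-`1` comparison here differs from the non-empty test used in the vespa-curl-wrapper hunk of this same change. `sub initialize` continues outside the hunk.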