security: OpenSSL engine support is broken

The following settings were used to enable the use of OpenSSL in the JDK11 runtime. After investigating, this is not working at all and OpenSSL has been broken for an indeterminate amount of time.

plugins.security.ssl.http.enable_openssl_if_available: true
plugins.security.ssl.transport.enable_openssl_if_available: true
opensearch.unsafe.use_netty_default_allocator: true

After quickly probing the forums I see years-old posts with no resolution:

While there was some interest, our modern JDK platforms support many more cryptographic protocols and make this unneeded for the majority use case. Note! This could be a solid enhancement to the platform for faster execution and better footprint.

Fixing OpenSSL support has the following steps at least…

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 16 (13 by maintainers)

Most upvoted comments

@peternied I think we could close this one with a note that BoringSSL seems to work but Netty’s OpenSSL support is only available for OpenSSL 1.x versions.

[Triage] @peternied After discussion in Triage with @reta, we are planning to remove the OpenSSL-related code, as this feature has been broken for a while.

@reta Thanks for checking in. I’m of the opinion that we should not work any more on this issue and should update the documentation site. I say we don’t invest more time into OpenSSL until we find someone who has a good reason not to use the JDK’s SSL Engine and for whom OpenSSL is a good fit.

I’m going to re-add the untriaged tag so we have another discussion about this issue on Monday with the maintainers and give everyone time to weigh in before we make a more conclusive decision.

@nibix Do you have context on the impact of this feature being broken?

Maybe I can give some history:

OpenSSL support was originally built because the TLS support that came with the JRE was lacking with regard to performance and modern cipher suites. Java 11, however, brought fundamentally improved TLS support which fixed the performance and cipher suite issues. Thus OpenSSL support lost its significant advantage while keeping significant disadvantages: it is hard to configure and therefore a noticeable support burden. So, OpenSSL support was disabled at some point in time, which was actually before ODFE was created.

Later, in 2020, AWS re-enabled OpenSSL support, however only for Java versions 11 and older:

https://github.com/opensearch-project/security/pull/422

The PR does not really give a rationale for doing this, thus I don’t know the motivation here.

So, generally only users on old Java versions should be impacted. As OpenSearch is quite young, I do not really expect many users to actually rely on old Java versions. Thus, I personally do not expect a significant impact.

[Triage] @peternied Can you file an issue on the documentation website with affected versions?

I believe the test is working

Sounds like the OpenSSL tests do not verify its functionality 🤯 I am going to rewrite this issue as “OpenSSL does not work” Help wanted, and we can triage this afternoon.
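The kind of startup check the comment above says the existing OpenSSL tests lack: instead of trusting an `enable_openssl_if_available` style flag, ask Netty which TLS provider it will actually use and why the native one is unusable when it is. This is an added example, not code from the security plugin or from Netty; it assumes `netty-handler` and a `netty-tcnative` artifact on the classpath and uses only Netty's public `OpenSsl`/`SslContext` API.

```java
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.ReferenceCountedOpenSslContext;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

import javax.net.ssl.SSLException;

// Hypothetical startup self-check (not part of the security plugin or Netty):
// answers "did 'enable OpenSSL if available' really give us OpenSSL?" rather than
// assuming so because the setting is true.
public final class OpenSslSelfCheck {

    /** Provider Netty picks when none is forced: OPENSSL only if the native library loaded. */
    public static SslProvider effectiveDefaultProvider() {
        return SslContext.defaultServerProvider();
    }

    /** Human-readable reason the native provider is unusable, or null when it is usable. */
    public static String unavailabilityReason() {
        if (OpenSsl.isAvailable()) {
            return null;
        }
        Throwable cause = OpenSsl.unavailabilityCause();
        return cause == null ? "unknown" : cause.toString();
    }

    /**
     * Force the native provider. Unlike the "if available" path, Netty throws here
     * instead of quietly handing back a JDK context, so a misconfigured node fails at
     * startup rather than running on a different TLS stack than the operator believes.
     */
    public static boolean nativeContextBuilds() {
        try {
            SslContext ctx = SslContextBuilder.forClient().sslProvider(SslProvider.OPENSSL).build();
            return ctx instanceof ReferenceCountedOpenSslContext;
        } catch (SSLException | UnsatisfiedLinkError | IllegalStateException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String reason = unavailabilityReason();
        // versionString() distinguishes a static BoringSSL build from a dynamically linked OpenSSL.
        System.out.println("native TLS usable: " + (reason == null)
                + ", default provider: " + effectiveDefaultProvider()
                + ", forced OPENSSL context builds: " + nativeContextBuilds()
                + (reason == null ? ", version: " + OpenSsl.versionString() : ", cause: " + reason));
    }
}
```

A default provider of `JDK` with the flag set to true is exactly the silent fallback the thread describes, and the printed cause (typically a missing or version-mismatched tcnative native library) tells the operator why.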