From b53fa395a7ff9c704e35fe3e6d948aad61fb4d74 Mon Sep 17 00:00:00 2001
From: Thy Tran <58045538+ThyTran1402@users.noreply.github.com>
Date: Thu, 12 Mar 2026 12:37:00 -0400
Subject: [PATCH 1/4] added stronger TLS ciphers default
Signed-off-by: Thy Tran <58045538+ThyTran1402@users.noreply.github.com>
---
 .../security/OpenSearchSecurityPlugin.java | 7 +-
 .../auditlog/sink/ExternalOpenSearchSink.java | 2 +-
 .../backend/LDAPAuthorizationBackend.java | 2 +-
 .../security/ssl/util/SSLConfigConstants.java | 118 ++----------------
 .../util/SettingsBasedSSLConfigurator.java | 2 +-
 .../util/SettingsBasedSSLConfiguratorV4.java | 2 +-
 .../ssl/util/SSLConfigConstantsTest.java | 4 +-
 7 files changed, 22 insertions(+), 115 deletions(-)
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index db738ff536..2e92576326 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -522,10 +522,9 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
 private void verifyTLSVersion(final String settings, final List configuredProtocols) {
 for (final var tls : configuredProtocols) {
 if (tls.equalsIgnoreCase("TLSv1") || tls.equalsIgnoreCase("TLSv1.1")) {
- deprecationLogger.deprecate(
- settings,
- "The '{}' setting contains {} protocol version which was deprecated since 2021 (RFC 8996). "
- + "Support for it will be removed in the next major release.",
+ throw new OpenSearchException(
+ "The '{}' setting contains {} protocol version which has been removed in OpenSearch 3.0 (RFC 8996). " + "Please remove this protocol from your configuration.",
 settings,
 tls
 );
diff --git a/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java b/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java
index 744e2ab46e..81c561f206 100644
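Review bot: The hard failure added in verifyTLSVersion contradicts the changelog text introduced two patches later, whose first bullet says operators connecting to legacy endpoints "may still explicitly configure `enabled_protocols`" while its fourth bullet says an explicit TLSv1 or TLSv1.1 now aborts startup; the first bullet should be reworded so it does not suggest TLSv1.1 can be re-enabled. The `{}` placeholders were carried over from the deprecation call; if OpenSearchException's varargs constructor formats them the way the logger did (I believe it does, via LoggerMessageFormat) the message renders, but nothing in the series asserts it, so a test that configures `TLSv1.1` and checks the exception message would pin the new behaviour. Because the loop throws at the first offending entry, a list containing both TLSv1 and TLSv1.1 reports only one of them; collecting the offenders before throwing would give operators the full picture in one restart. The closing braces of verifyTLSVersion lie outside the hunk.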
--- a/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java
+++ b/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java
@@ -36,7 +36,7 @@ public final class ExternalOpenSearchSink extends AuditLogSink {
- private static final List DEFAULT_TLS_PROTOCOLS = Arrays.asList(new String[] { "TLSv1.2", "TLSv1.1" });
+ private static final List DEFAULT_TLS_PROTOCOLS = SSLConfigConstants.DEFAULT_SSL_PROTOCOLS;
 // config in opensearch.yml
 private final String index;
 private final String type;
diff --git a/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java b/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
index 7a672d5fdb..ce7518c79a 100755
--- a/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
+++ b/src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
@@ -86,7 +86,7 @@ public class LDAPAuthorizationBackend implements AuthorizationBackend {
 private static final AtomicInteger CONNECTION_COUNTER = new AtomicInteger();
 private static final String COM_SUN_JNDI_LDAP_OBJECT_DISABLE_ENDPOINT_IDENTIFICATION = "com.sun.jndi.ldap.object.disableEndpointIdentification";
- private static final List DEFAULT_TLS_PROTOCOLS = Arrays.asList("TLSv1.2", "TLSv1.1");
+ private static final List DEFAULT_TLS_PROTOCOLS = SSLConfigConstants.DEFAULT_SSL_PROTOCOLS;
 static final int ONE_PLACEHOLDER = 1;
 static final int TWO_PLACEHOLDER = 2;
 static final String DEFAULT_ROLEBASE = "";
diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java
index 64ff1f8165..9838da9d5c 100644
--- a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java
+++ b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java
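Review bot: `DEFAULT_TLS_PROTOCOLS` keeps its raw `List` type while now aliasing a shared constant; declare it as `List<String>` here and in the parallel hunks in LDAPAuthorizationBackend (same line) and SettingsBasedSSLConfigurator / SettingsBasedSSLConfiguratorV4 (the @@ -78 and @@ -79 hunks below), so the unchecked warnings stop at the constant. The replaced defaults were connector-local, TLSv1.2-first lists (the audit-sink one a mutable `Arrays.asList`), whereas the shared constant is TLSv1.3-first and unmodifiable; the consumers are not visible from the hunk, so any code that mutates the list or treats its first element as the SSLContext protocol should be checked before merging. A one-line comment would help the next reader: `// Outbound default deliberately tracks the inbound allowlist (SSLConfigConstants.ALLOWED_SSL_PROTOCOLS)`.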
@@ -34,7 +34,8 @@ public final class SSLConfigConstants {
 */
 public static final String DEFAULT_STORE_PASSWORD = "changeit"; // #16
 public static final String JDK_TLS_REJECT_CLIENT_INITIATED_RENEGOTIATION = "jdk.tls.rejectClientInitiatedRenegotiation";
- public static final String[] ALLOWED_SSL_PROTOCOLS = { "TLSv1.3", "TLSv1.2", "TLSv1.1" };
+ public static final String[] ALLOWED_SSL_PROTOCOLS = { "TLSv1.3", "TLSv1.2" };
+ public static final List DEFAULT_SSL_PROTOCOLS = Collections.unmodifiableList(Arrays.asList(ALLOWED_SSL_PROTOCOLS));
 /**
 * Shared settings prefixes/postfixes
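Review bot: `Collections.unmodifiableList(Arrays.asList(ALLOWED_SSL_PROTOCOLS))` is a write-through view over the public mutable array, so any code that assigns into `ALLOWED_SSL_PROTOCOLS[i]` silently changes the supposedly immutable default; `public static final List<String> DEFAULT_SSL_PROTOCOLS = List.of(ALLOWED_SSL_PROTOCOLS);` copies the elements and also fixes the raw type. The constant becomes the default for every outbound connector but has no Javadoc; a line such as `/** Default protocols for outbound TLS (LDAP, audit sink, HTTP client); intentionally identical to {@link #ALLOWED_SSL_PROTOCOLS}. */` would record that the two are meant to move together. The hunk does not show the import block, so whether `Collections`, `Arrays` and `List` are already imported in this file cannot be confirmed from here.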
@@ -259,116 +260,23 @@ public static String[] getSecureSSLProtocols(Settings settings, CertType certTyp
 }
 // @formatter:off
+ // Based on Mozilla Intermediate TLS profile (https://wiki.mozilla.org/Security/Server_Side_TLS).
+ // CBC-mode, DHE_DSS, SHA-1 MAC, and IBM SSL_-prefix entries removed in OpenSearch 3.0.
 public static final String[] ALLOWED_SSL_CIPHERS = {
- // TLS__WITH_
-
- // Example (including unsafe ones)
- // Protocol: TLS, SSL
- // Key Exchange RSA, Diffie-Hellman, ECDH, SRP, PSK
- // Authentication RSA, DSA, ECDSA
- // Bulk Ciphers RC4, 3DES, AES
- // Message Authentication HMAC-SHA256, HMAC-SHA1, HMAC-MD5
-
- // thats what chrome 48 supports (https://cc.dcsec.uni-hannover.de/)
- // (c0,2b)ECDHE-ECDSA-AES128-GCM-SHA256128 BitKey exchange: ECDH, encryption: AES, MAC: SHA256.
- // (c0,2f)ECDHE-RSA-AES128-GCM-SHA256128 BitKey exchange: ECDH, encryption: AES, MAC: SHA256.
- // (00,9e)DHE-RSA-AES128-GCM-SHA256128 BitKey exchange: DH, encryption: AES, MAC: SHA256.
- // (cc,14)ECDHE-ECDSA-CHACHA20-POLY1305-SHA256128 BitKey exchange: ECDH, encryption: ChaCha20 Poly1305, MAC: SHA256.
- // (cc,13)ECDHE-RSA-CHACHA20-POLY1305-SHA256128 BitKey exchange: ECDH, encryption: ChaCha20 Poly1305, MAC: SHA256.
- // (c0,0a)ECDHE-ECDSA-AES256-SHA256 BitKey exchange: ECDH, encryption: AES, MAC: SHA1.
- // (c0,14)ECDHE-RSA-AES256-SHA256 BitKey exchange: ECDH, encryption: AES, MAC: SHA1.
- // (00,39)DHE-RSA-AES256-SHA256 BitKey exchange: DH, encryption: AES, MAC: SHA1.
- // (c0,09)ECDHE-ECDSA-AES128-SHA128 BitKey exchange: ECDH, encryption: AES, MAC: SHA1.
- // (c0,13)ECDHE-RSA-AES128-SHA128 BitKey exchange: ECDH, encryption: AES, MAC: SHA1.
- // (00,33)DHE-RSA-AES128-SHA128 BitKey exchange: DH, encryption: AES, MAC: SHA1.
- // (00,9c)RSA-AES128-GCM-SHA256128 BitKey exchange: RSA, encryption: AES, MAC: SHA256.
- // (00,35)RSA-AES256-SHA256 BitKey exchange: RSA, encryption: AES, MAC: SHA1.
- // (00,2f)RSA-AES128-SHA128 BitKey exchange: RSA, encryption: AES, MAC: SHA1.
- // (00,0a)RSA-3DES-EDE-SHA168 BitKey exchange: RSA, encryption: 3DES, MAC: SHA1.
-
- // thats what firefox 42 supports (https://cc.dcsec.uni-hannover.de/)
- // (c0,2b) ECDHE-ECDSA-AES128-GCM-SHA256
- // (c0,2f) ECDHE-RSA-AES128-GCM-SHA256
- // (c0,0a) ECDHE-ECDSA-AES256-SHA
- // (c0,09) ECDHE-ECDSA-AES128-SHA
- // (c0,13) ECDHE-RSA-AES128-SHA
- // (c0,14) ECDHE-RSA-AES256-SHA
- // (00,33) DHE-RSA-AES128-SHA
- // (00,39) DHE-RSA-AES256-SHA
- // (00,2f) RSA-AES128-SHA
- // (00,35) RSA-AES256-SHA
- // (00,0a) RSA-3DES-EDE-SHA
-
- // Mozilla modern browsers
- // https://wiki.mozilla.org/Security/Server_Side_TLS
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
-
- // TLS 1.3
+ // TLS 1.3 suites
 "TLS_AES_128_GCM_SHA256",
 "TLS_AES_256_GCM_SHA384",
- "TLS_CHACHA20_POLY1305_SHA256", // Open SSL >= 1.1.1 and Java >= 12
+ "TLS_CHACHA20_POLY1305_SHA256", // OpenSSL >= 1.1.1 and Java >= 12
+
+ // TLS 1.2 ECDHE-GCM suites (Mozilla Intermediate)
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- // TLS 1.2 CHACHA20 POLY1305 supported by Java >= 12 and
- // OpenSSL >= 1.1.0
+ // TLS 1.2 ECDHE-ChaCha20 suites (Java >= 12 / OpenSSL >= 1.1.0)
 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-
- // IBM
- "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "SSL_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "SSL_DHE_DSS_WITH_AES_128_GCM_SHA256",
- "SSL_DHE_DSS_WITH_AES_256_GCM_SHA384",
- "SSL_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
- "SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "SSL_DHE_RSA_WITH_AES_128_CBC_SHA256",
- "SSL_DHE_RSA_WITH_AES_128_CBC_SHA",
- "SSL_DHE_DSS_WITH_AES_128_CBC_SHA256",
- "SSL_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "SSL_DHE_DSS_WITH_AES_256_CBC_SHA",
- "SSL_DHE_RSA_WITH_AES_256_CBC_SHA"
-
- // some others
- // "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- // "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- // "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- // "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- // "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- // "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- // "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- // "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- // "TLS_RSA_WITH_AES_128_CBC_SHA256",
- // "TLS_RSA_WITH_AES_128_GCM_SHA256",
- // "TLS_RSA_WITH_AES_128_CBC_SHA",
- // "TLS_RSA_WITH_AES_256_CBC_SHA",
 };
 // @formatter:on
diff --git a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java
index 0ec161c64a..da4a284e5c 100644
--- a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java
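Review bot: The new header comment says only CBC-mode, DHE_DSS, SHA-1 MAC and IBM `SSL_` entries were removed, but the hunk also drops every finite-field DHE suite, including `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` and `TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, which the Mozilla Intermediate profile it cites does retain; either restore them or state the narrowing, e.g. `// ECDHE-only subset of the Mozilla Intermediate TLS profile (https://wiki.mozilla.org/Security/Server_Side_TLS).` followed by `// All finite-field DHE, CBC-mode, SHA-1 MAC, and IBM SSL_-prefix entries removed in OpenSearch 3.0.` The name ALLOWED_SSL_CIPHERS suggests the array is also the filter applied to explicitly configured ciphers; if that is so (getSecureSSLCiphers is outside the hunk), the changelog's claim that explicit cipher lists are unaffected does not hold, because a configured CBC suite would now be silently dropped rather than honoured, and that behaviour should be documented on the constant either way. Removing every `SSL_`-prefixed name also leaves an empty intersection on any runtime whose JSSE still reports that spelling, which is worth confirming against the list of supported JDKs.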
+++ b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java
@@ -78,7 +78,7 @@ public class SettingsBasedSSLConfigurator {
 public static final String VERIFY_HOSTNAMES = "verify_hostnames";
 public static final String TRUST_ALL = "trust_all";
- private static final List DEFAULT_TLS_PROTOCOLS = ImmutableList.of("TLSv1.2", "TLSv1.1");
+ private static final List DEFAULT_TLS_PROTOCOLS = SSLConfigConstants.DEFAULT_SSL_PROTOCOLS;
 private SSLContextBuilder sslContextBuilder;
 private final Settings settings;
diff --git a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java
index ea170878f4..8bbe3feaaa 100644
--- a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java
+++ b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java
@@ -79,7 +79,7 @@ public class SettingsBasedSSLConfiguratorV4 {
 public static final String VERIFY_HOSTNAMES = "verify_hostnames";
 public static final String TRUST_ALL = "trust_all";
- private static final List DEFAULT_TLS_PROTOCOLS = ImmutableList.of("TLSv1.2", "TLSv1.1");
+ private static final List DEFAULT_TLS_PROTOCOLS = SSLConfigConstants.DEFAULT_SSL_PROTOCOLS;
 private SSLContextBuilder sslContextBuilder;
 private final Settings settings;
diff --git a/src/test/java/org/opensearch/security/ssl/util/SSLConfigConstantsTest.java b/src/test/java/org/opensearch/security/ssl/util/SSLConfigConstantsTest.java
index 9a8da523d8..ae335edea5 100644
--- a/src/test/java/org/opensearch/security/ssl/util/SSLConfigConstantsTest.java
+++ b/src/test/java/org/opensearch/security/ssl/util/SSLConfigConstantsTest.java
@@ -26,13 +26,13 @@ public class SSLConfigConstantsTest {
 @Test
 public void testDefaultTLSProtocols() {
 final var tlsDefaultProtocols = SSLConfigConstants.getSecureSSLProtocols(Settings.EMPTY, CertType.TRANSPORT);
- assertArrayEquals(new String[] { "TLSv1.3", "TLSv1.2", "TLSv1.1" }, tlsDefaultProtocols);
+ assertArrayEquals(new String[] { "TLSv1.3", "TLSv1.2" }, tlsDefaultProtocols);
 }
 @Test
 public void testDefaultSSLProtocols() {
 final var sslDefaultProtocols = SSLConfigConstants.getSecureSSLProtocols(Settings.EMPTY, CertType.HTTP);
- assertArrayEquals(new String[] { "TLSv1.3", "TLSv1.2", "TLSv1.1" }, sslDefaultProtocols);
+ assertArrayEquals(new String[] { "TLSv1.3", "TLSv1.2" }, sslDefaultProtocols);
 }
 @Test
From cf9adb5227d322bd6240542a9000522bf98874bc Mon Sep 17 00:00:00 2001
From: Thy Tran <58045538+ThyTran1402@users.noreply.github.com>
Date: Thu, 12 Mar 2026 12:50:10 -0400
Subject: [PATCH 2/4] updated changelog
Signed-off-by: Thy Tran <58045538+ThyTran1402@users.noreply.github.com>
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a5d71f284a..1091ca4159 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
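Review bot: The updated assertions cover the protocol default, but nothing in the series tests the two behaviours the first patch introduces: that `SSLConfigConstants.DEFAULT_SSL_PROTOCOLS` equals the allowlist and cannot be modified, and that verifyTLSVersion now throws for an explicit TLSv1.1. For the first, `assertEquals(Arrays.asList(SSLConfigConstants.ALLOWED_SSL_PROTOCOLS), SSLConfigConstants.DEFAULT_SSL_PROTOCOLS);` and `assertThrows(UnsupportedOperationException.class, () -> SSLConfigConstants.DEFAULT_SSL_PROTOCOLS.add("TLSv1.1"));` would do (static-import `assertEquals`/`assertThrows` if this class only imports `assertArrayEquals`); the second needs a plugin-level test that builds Settings with `TLSv1.1` in the protocol list and expects OpenSearchException. Pinning the cipher default the same way would make any later edit to ALLOWED_SSL_CIPHERS a deliberate test change rather than a silent one.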
@@ -7,6 +7,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 ### Changed
+- **Breaking change:** Default TLS protocol list no longer includes TLSv1.1. New default is `["TLSv1.3", "TLSv1.2"]`, aligned with Mozilla Intermediate TLS profile. Operators connecting to legacy endpoints may still explicitly configure `enabled_protocols` ([#6003](https://github.com/opensearch-project/security/pull/TODO))
+- **Breaking change:** Default TLS cipher list updated to GCM/ChaCha20 ECDHE-only suites. CBC-mode, DHE_DSS, SHA-1 MAC, and IBM `SSL_`-prefix ciphers removed from defaults. Explicitly configured cipher lists are unaffected ([#6003](https://github.com/opensearch-project/security/pull/TODO))
+- All outbound TLS connectors (LDAP, external audit log, HTTP client) now share the same default protocol list as the inbound server TLS configuration ([#6003](https://github.com/opensearch-project/security/pull/TODO))
+- Configuring TLSv1 or TLSv1.1 explicitly now causes a startup failure instead of a deprecation warning ([#6003](https://github.com/opensearch-project/security/pull/TODO))
 ### Features
From fda80fa270fb84b45d6f0d739077312593943724 Mon Sep 17 00:00:00 2001
From: Thy Tran <58045538+ThyTran1402@users.noreply.github.com>
Date: Mon, 16 Mar 2026 11:14:01 -0400
Subject: [PATCH 3/4] updated changelog
Signed-off-by: Thy Tran <58045538+ThyTran1402@users.noreply.github.com>
---
 CHANGELOG.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1091ca4159..593700a710 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,10 +7,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Added
 ### Changed
-- **Breaking change:** Default TLS protocol list no longer includes TLSv1.1. New default is `["TLSv1.3", "TLSv1.2"]`, aligned with Mozilla Intermediate TLS profile. Operators connecting to legacy endpoints may still explicitly configure `enabled_protocols` ([#6003](https://github.com/opensearch-project/security/pull/TODO))
-- **Breaking change:** Default TLS cipher list updated to GCM/ChaCha20 ECDHE-only suites. CBC-mode, DHE_DSS, SHA-1 MAC, and IBM `SSL_`-prefix ciphers removed from defaults. Explicitly configured cipher lists are unaffected ([#6003](https://github.com/opensearch-project/security/pull/TODO))
-- All outbound TLS connectors (LDAP, external audit log, HTTP client) now share the same default protocol list as the inbound server TLS configuration ([#6003](https://github.com/opensearch-project/security/pull/TODO))
-- Configuring TLSv1 or TLSv1.1 explicitly now causes a startup failure instead of a deprecation warning ([#6003](https://github.com/opensearch-project/security/pull/TODO))
+- **Breaking change:** Default TLS protocol list no longer includes TLSv1.1. New default is `["TLSv1.3", "TLSv1.2"]`, aligned with Mozilla Intermediate TLS profile. Operators connecting to legacy endpoints may still explicitly configure `enabled_protocols` ([#6003](https://github.com/opensearch-project/security/pull/6003))
+- **Breaking change:** Default TLS cipher list updated to GCM/ChaCha20 ECDHE-only suites. CBC-mode, DHE_DSS, SHA-1 MAC, and IBM `SSL_`-prefix ciphers removed from defaults. Explicitly configured cipher lists are unaffected ([#6003](https://github.com/opensearch-project/security/pull/6003))
+- All outbound TLS connectors (LDAP, external audit log, HTTP client) now share the same default protocol list as the inbound server TLS configuration ([#6003](https://github.com/opensearch-project/security/pull/6003))
+- Configuring TLSv1 or TLSv1.1 explicitly now causes a startup failure instead of a deprecation warning ([#6003](https://github.com/opensearch-project/security/pull/6003))
 ### Features
From dd2501775a622954d0b9529ea4770ebc124bc03b Mon Sep 17 00:00:00 2001
From: Thy Tran <58045538+ThyTran1402@users.noreply.github.com>
Date: Mon, 16 Mar 2026 11:22:01 -0400
Subject: [PATCH 4/4] cleanup
Signed-off-by: Thy Tran <58045538+ThyTran1402@users.noreply.github.com>
---
 .../security/auditlog/sink/ExternalOpenSearchSink.java | 1 -
 .../org/opensearch/security/ssl/util/SSLConfigConstants.java | 3 +--
 .../opensearch/security/util/SettingsBasedSSLConfigurator.java | 1 -
 .../security/util/SettingsBasedSSLConfiguratorV4.java | 1 -
 4 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java b/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java
index 81c561f206..888ac96dd4 100644
--- a/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java
+++ b/src/main/java/org/opensearch/security/auditlog/sink/ExternalOpenSearchSink.java
@@ -16,7 +16,6 @@ import java.security.KeyStore;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
diff --git a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java
index 9838da9d5c..33db2c70a3 100644
--- a/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java
+++ b/src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java
@@ -276,8 +276,7 @@ public static String[] getSecureSSLProtocols(Settings settings, CertType certTyp
 // TLS 1.2 ECDHE-ChaCha20 suites (Java >= 12 / OpenSSL >= 1.1.0)
 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- };
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", };
 // @formatter:on
 private SSLConfigConstants() {}
diff --git a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java
index da4a284e5c..96a925423e 100644
--- a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java
+++ b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfigurator.java
@@ -32,7 +32,6 @@ import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
-import com.google.common.collect.ImmutableList;
 import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
 import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
diff --git a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java
index 8bbe3feaaa..c684e3733b 100644
--- a/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java
+++ b/src/main/java/org/opensearch/security/util/SettingsBasedSSLConfiguratorV4.java
@@ -32,7 +32,6 @@ import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
-import com.google.common.collect.ImmutableList;
 import org.apache.http.conn.ssl.DefaultHostnameVerifier;
 import org.apache.http.conn.ssl.NoopHostnameVerifier;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;