Seeing keystore and truststore file handle leak when closing ES client with SSL searchguard plugin.

  • Search Guard and Elasticsearch version

searchguard 2.3.5.19, ES 2.3.5

I’m seeing a leftover keystore and truststore file handle associated with my Java web service after closing down the ES transport client.

/Users/kredfern/.m2/repository/org/elasticsearch/elasticsearch/2.3.5/elasticsearch-2.3.5-sources.jar!/org/elasticsearch/client/transport/TransportClient.java, See close()

I see that ES has capability to allow custom plugin behaviour for various operations such as close, but don’t see any defined by my version of searchguard ssl.

Looking at the SSL code, I see the following (see code snippet). Not sure if this is the source of my file handles, but just wondering who or what takes care of these?

My file handle leaks come about when the ES cluster is not available and clients are attempting searches.

Perhaps there is a different approach here to avoid this leak?

Thanks … Keith

PS: https://stackoverflow.com/questions/42357988/will-i-need-to-close-fileinputstream-manually-in-this-code

… com/floragunn/search-guard-ssl/2.3.5.19/search-guard-ssl-2.3.5.19-sources.jar!/com/floragunn/searchguard/ssl/DefaultSearchGuardKeyStore.java

    final KeyStore ks = KeyStore.getInstance(keystoreType);
    ks.load(new FileInputStream(new File(keystoreFilePath)),
            (keystorePassword == null || keystorePassword.length() == 0) ? null : keystorePassword.toCharArray()); // ########### What takes care of this filehandle?

    httpKeystoreCert = SSLCertificateHelper.exportCertificateChain(ks, keystoreAlias);
    httpKeystoreKey = SSLCertificateHelper.exportDecryptedKey(ks, keystoreAlias,
            (keystorePassword == null || keystorePassword.length() == 0) ? null : keystorePassword.toCharArray());

    if (httpKeystoreKey == null) {
        throw new ElasticsearchException("No key found in " + keystoreFilePath + " with alias " + keystoreAlias);
    }

    if (httpKeystoreCert != null && httpKeystoreCert.length > 0) {
        //TODO create sensitive log property
        /*for (int i = 0; i < httpKeystoreCert.length; i++) {
            X509Certificate x509Certificate = httpKeystoreCert[i];
            if (x509Certificate != null) {
                log.info("HTTP keystore subject DN no. {} {}", i, x509Certificate.getSubjectX500Principal());
            }
        }*/
    } else {
        throw new ElasticsearchException("No certificates found in " + keystoreFilePath + " with alias " + keystoreAlias);
    }

    if (settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_FILEPATH, null) != null) {
        checkStorePath(truststoreFilePath);

        final String truststoreType = settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_TYPE, DEFAULT_STORE_TYPE);
        final String truststorePassword = settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_PASSWORD, DEFAULT_STORE_PASSWORD);
        final String truststoreAlias = settings.get(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_ALIAS, null);

        final KeyStore ts = KeyStore.getInstance(truststoreType);
        ts.load(new FileInputStream(new File(truststoreFilePath)),
                (truststorePassword == null || truststorePassword.length() == 0) ? null : truststorePassword.toCharArray()); // ########### What takes care of this filehandle?

        trustedHTTPCertificates = SSLCertificateHelper.exportCertificateChain(ts, truststoreAlias);
    }
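The pattern from the snippet above next to its fixed form, as an added example that is not Search Guard's or Elasticsearch's own code: KeyStore.load() reads from the stream it is given but does not close it, so a FileInputStream passed inline stays open until the JVM happens to garbage-collect it, whereas try-with-resources closes it deterministically, including when load() throws (bad password, truncated store) on every reconnect attempt. The class name, the empty PKCS12 store and the password are constructed for the demo; the descriptor count relies on the Unix-only com.sun.management.UnixOperatingSystemMXBean.

```java
import java.io.*;
import java.lang.management.ManagementFactory;
import java.nio.file.*;
import java.security.*;
import com.sun.management.UnixOperatingSystemMXBean;

public class KeyStoreHandleLeakDemo {
    // Same pattern as the Search Guard snippet: KeyStore.load() does not close the
    // stream, so the descriptor is released only when the stream is garbage-collected.
    static KeyStore loadLeaky(Path path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(new FileInputStream(path.toFile()), password); // handle never closed here
        return ks;
    }

    // Fixed form: try-with-resources closes the handle even when load() throws,
    // which is the retry path (cluster down, client reconnecting) that leaks fastest.
    static KeyStore loadClosed(Path path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Unix-only JDK MXBean: open descriptor count of this JVM (what lsof -p would list).
    static long openFds() {
        return ((UnixOperatingSystemMXBean) ManagementFactory.getOperatingSystemMXBean())
                .getOpenFileDescriptorCount();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();              // constructed sample password
        Path store = Files.createTempFile("demo", ".p12"); // constructed empty PKCS12 store
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        try (OutputStream out = Files.newOutputStream(store)) { empty.store(out, pw); }

        long before = openFds();
        for (int i = 0; i < 200; i++) loadLeaky(store, "PKCS12", pw);
        System.out.println("leaky loads left open: " + (openFds() - before));
        before = openFds();
        for (int i = 0; i < 200; i++) loadClosed(store, "PKCS12", pw);
        System.out.println("closed loads left open: " + (openFds() - before));
        Files.delete(store);
    }
}
```

The leaky count can be lower than 200 if a GC cycle finalizes some streams during the loop, which is exactly why this kind of leak looks intermittent and only becomes visible under sustained retries; the closed variant always reports 0.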

Thx for reporting this. I will need to investigate a bit deeper.


On Friday, 8 June 2018 16:45:57 UTC+2, Keith Redfern wrote:
