remove SSL Config and NR certs

newrelic-agent/src/main/java/com/newrelic/agent/config/AgentConfigImpl.java

@@ -13,16 +13,7 @@
 import com.newrelic.agent.transport.DataSenderImpl;
 
 import java.text.MessageFormat;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 import java.util.concurrent.TimeUnit;
 import java.util.logging.Level;
 import java.util.regex.Pattern;
@@ -122,7 +113,6 @@ public class AgentConfigImpl extends BaseConfig implements AgentConfig {
     public static final double DEFAULT_APDEX_T = 1.0; // 1 second
     public static final String DEFAULT_API_HOST = "rpm.newrelic.com";
     public static final String DEFAULT_CA_BUNDLE_PATH = null;
-    public static final boolean DEFAULT_USE_PRIVATE_SSL = false;
     public static final String DEFAULT_COMPRESSED_CONTENT_ENCODING = DataSenderImpl.GZIP_ENCODING;
     public static final boolean DEFAULT_CPU_SAMPLING_ENABLED = true;
     public static final boolean DEFAULT_ENABLED = true;
@@ -181,7 +171,6 @@ public class AgentConfigImpl extends BaseConfig implements AgentConfig {
     private final boolean autoAppNamingEnabled;
     private final boolean autoTransactionNamingEnabled;
     private final String caBundlePath;
-    private final boolean usePrivateSSL;
     private final String compressedContentEncoding;
     private final boolean cpuSamplingEnabled;
     private final boolean customInstrumentationEditorAllowed;
@@ -299,8 +288,7 @@ private AgentConfigImpl(Map<String, Object> props) {
         startupTimingEnabled = getProperty(STARTUP_TIMING, DEFAULT_STARTUP_TIMING);
         sendJvmProps = getProperty(SEND_JVM_PROPS, true);
         litemode = getProperty(LITE_MODE, false);
-        caBundlePath = initCaBundlePathConfig();
-        usePrivateSSL = initUsePrivateSSLConfig();
+        caBundlePath = initSSLConfig();
         trimStats = getProperty(TRIM_STATS, DEFAULT_TRIM_STATS);
         platformInformationEnabled = getProperty(PLATFORM_INFORMATION_ENABLED, DEFAULT_PLATFORM_INFORMATION_ENABLED);
         ibmWorkaroundEnabled = getProperty(IBM_WORKAROUND, DEFAULT_IBM_WORKAROUND);
@@ -358,16 +346,20 @@ private AgentConfigImpl(Map<String, Object> props) {
         this.customParameters = getProperty(LaspPolicies.LASP_CUSTOM_PARAMETERS, !highSecurity);
 
         if (getProperty(REPORT_SQL_PARSER_ERRORS) != null) {
-            addDeprecatedProperty(new String[] { REPORT_SQL_PARSER_ERRORS }, null);
+            addDeprecatedProperty(new String[]{REPORT_SQL_PARSER_ERRORS}, null);
         }
     }
 
-    private String initCaBundlePathConfig() {
-        return getProperty(CA_BUNDLE_PATH, DEFAULT_CA_BUNDLE_PATH);
-    }
-
-    private boolean initUsePrivateSSLConfig() {
-        return getProperty(USE_PRIVATE_SSL, DEFAULT_USE_PRIVATE_SSL);
+    private String initSSLConfig() {
+        String caBundlePath = getProperty(CA_BUNDLE_PATH, DEFAULT_CA_BUNDLE_PATH);
+        if (getProperty(USE_PRIVATE_SSL) != null) {
+            if (caBundlePath != null) {
+                Agent.LOG.log(Level.INFO, "use_private_ssl configuration setting has been removed.");
+            } else {
+                Agent.LOG.log(Level.SEVERE, "The use_private_ssl configuration setting has been removed and will be ignored. The agent will use the JVM/JRE truststore by default unless you configure ca_bundle_path to use a different truststore.");
+            }
+        }
+        return caBundlePath;
     }
 
     /**
@@ -1105,11 +1097,6 @@ public String getCaBundlePath() {
         return caBundlePath;
     }
 
-    @Override
-    public boolean getUsePrivateSSL() {
-        return usePrivateSSL;
-    }
-
     @Override
     public boolean isLogDaily() {
         return logDaily;

newrelic-agent/src/main/java/com/newrelic/agent/config/DataSenderConfig.java

@@ -31,8 +31,6 @@ public interface DataSenderConfig {
 
     String getCaBundlePath();
 
-    boolean getUsePrivateSSL();
-
     /**
      * If simple compression is enabled we will prevent data within a payload from being compressed. However,
      * the payload itself may still be compressed before being sent to the collector.

newrelic-agent/src/main/java/com/newrelic/agent/transport/apache/ApacheSSLManager.java

@@ -7,7 +7,6 @@
 
 package com.newrelic.agent.transport.apache;
 
-import com.google.common.collect.ImmutableList;
 import com.newrelic.agent.Agent;
 import com.newrelic.agent.config.DataSenderConfig;
 import org.apache.http.ssl.SSLContextBuilder;
@@ -17,37 +16,24 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.net.URL;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
-import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateFactory;
-import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
-import java.util.Calendar;
 import java.util.Collection;
-import java.util.Date;
 import java.util.LinkedList;
 import java.util.logging.Level;
 
 public class ApacheSSLManager {
-    private static final String NEW_RELIC_CERTS_PATH = "META-INF/certs/";
-    private static final Collection<String> NEW_RELIC_CERTS = ImmutableList.of("newrelic-com.pem",
-            "eu-newrelic-com.pem", "eu01-nr-data-net.pem");
 
     public static SSLContext createSSLContext(DataSenderConfig config) {
         SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
         try {
             if (config.getCaBundlePath() != null) {
-                if (config.getUsePrivateSSL()) {
-                   Agent.LOG.log(Level.FINE, "Ignoring use_private_ssl config." +
-                           " Using SSL certificates provided by ca_bundle_path.");
-                }
+                Agent.LOG.log(Level.INFO, "Using ca_bundle_path: {0}", config.getCaBundlePath());
                 sslContextBuilder.loadTrustMaterial(getKeyStore(config.getCaBundlePath()), null);
-            } else if (config.getUsePrivateSSL()){
-                addNewRelicCertToTrustStore(sslContextBuilder);
             }
             return sslContextBuilder.build();
         } catch (Exception e) {
@@ -56,61 +42,6 @@ public static SSLContext createSSLContext(DataSenderConfig config) {
         }
     }
 
-    private static void addNewRelicCertToTrustStore(SSLContextBuilder sslContextBuilder) {
-        // Initialize keystore and add valid New Relic certificates
-        try {
-            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
-            keystore.load(null, null);
-            CertificateFactory cf = CertificateFactory.getInstance("X.509");
-            for (String file : NEW_RELIC_CERTS) {
-                URL nrCertUrl = ApacheSSLManager.class.getClassLoader().getResource(NEW_RELIC_CERTS_PATH + file);
-                if (nrCertUrl != null) {
-                    try (InputStream is = nrCertUrl.openStream()) {
-                        X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
-                        boolean sslCertIsValid = isSslCertValid(cert);
-                        if (sslCertIsValid) {
-                            logIfExpiringSoon(cert.getNotAfter());
-                            String alias = file.split("\\.pem")[0];
-                            keystore.setCertificateEntry(alias, cert);
-                            Agent.LOG.log(Level.FINEST, "Installed New Relic ssl certificate at alias: " + alias);
-                            Agent.LOG.log(Level.FINEST, "SSL Certificate expires on: {0}", cert.getNotAfter());
-                        }
-                    } catch (IOException e) {
-                        Agent.LOG.log(Level.INFO, "Unable to add bundled New Relic ssl certificate.", e);
-                    }
-                } else {
-                    Agent.LOG.log(Level.INFO, "Unable to find bundled New Relic ssl certificates.");
-                }
-            }
-            sslContextBuilder.loadTrustMaterial(keystore, null);
-        } catch (IOException | CertificateException | NoSuchAlgorithmException | KeyStoreException e) {
-            Agent.LOG.log(Level.INFO, "Unable to add bundled New Relic ssl certificate.", e);
-        }
-    }
-
-    private static void logIfExpiringSoon(Date expiry) {
-        // log if less than 3 months left until certificate expires
-        Calendar cal = Calendar.getInstance();
-        cal.add(Calendar.MONTH, +3);
-        if (cal.getTime().compareTo(expiry) > 0) {
-            Agent.LOG.log(Level.WARNING, "New Relic ssl certificate expire on {0}.\n" +
-                    "Applications using a custom Truststore may need to update the agent " +
-                    "or provide a valid certificate using the ca_bundle_path config", expiry);
-        }
-    }
-
-    private static boolean isSslCertValid(X509Certificate cert) {
-        try {
-            cert.checkValidity();
-        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
-            Agent.LOG.log(Level.WARNING, "New Relic ssl certificate has expired.\n" +
-                    "Applications using a custom Truststore may need to update the agent " +
-                    "or provide a valid certificate using the ca_bundle_path config", e);
-            return false;
-        }
-        return true;
-    }
-
     private static KeyStore getKeyStore(String caBundlePath)
             throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
         KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
@@ -127,7 +58,7 @@ private static KeyStore getKeyStore(String caBundlePath)
                         caCerts.add((X509Certificate) cf.generateCertificate(is));
                     } catch (Throwable t) {
                         Agent.LOG.log(Level.SEVERE,
-                                "Unable to generate ca_bundle_path certificate. Will not process further certs.", t);
+                                "Unable to generate ca_bundle_path certificate. Verify the certificate format. Will not process further certs.", t);
                         break;
                     }
                 }