Commit b6ea0a2

Standardize SSL settings (logstash-plugins#470)
This commit adds the `ssl_enabled` and `ssl_client_authentication` configs. It also deprecates the following settings to comply with Logstash's SSL naming convention:

- `ssl` was deprecated in favor of `ssl_enabled`
- `ssl_verify_mode` was deprecated in favor of `ssl_client_authentication`

In addition to the new settings, it also changes:

- Using `ssl_verify_mode` should keep the current behavior as it is. Once upgraded to `ssl_client_authentication`, it will validate and reject configurations with `ssl_certificate_authorities` set and `ssl_client_authentication => none`. The current `ssl_verify_mode` behavior is to silently ignore the `none` value and use `force_peer/required`.
- Fixed `ssl_peer_metadata` when `ssl_enabled => false`
- Added tests for the new and existing `SslContextBuilder` methods.
1 parent d39de45 commit b6ea0a2

17 files changed

+827
-214
lines changed


CHANGELOG.md

Lines changed: 5 additions & 0 deletions
@@ -1,3 +1,8 @@
1+
## 6.6.0
2+
- Reviewed and deprecated SSL settings to comply with Logstash's naming convention [#470](https://github.com/logstash-plugins/logstash-input-beats/pull/470)
3+
- Deprecated `ssl` in favor of `ssl_enabled`
4+
- Deprecated `ssl_verify_mode` in favor of `ssl_client_authentication`
5+
16
## 6.5.0
27
- An enrichment `enrich` option added to control ECS passthrough. `ssl_peer_metadata` and `include_codec_tag` configurations are deprecated and can be managed through the `enrich` [#464](https://github.com/logstash-plugins/logstash-input-beats/pull/464)
38
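Review bot: the 6.6.0 entry records only the two renamed settings, while the commit message describes two behavior changes users can trip over on upgrade: `ssl_client_authentication` rejects configurations that set `ssl_certificate_authorities` together with `none` (where `ssl_verify_mode` silently used `force_peer`), and `ssl_peer_metadata` was fixed for `ssl_enabled => false`. Suggest adding both as bullets under the #470 entry, e.g. `- Added `ssl_client_authentication`; configurations with `ssl_certificate_authorities` set and `ssl_client_authentication => none` are now rejected`, so the new validation is visible in the release notes.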

VERSION

Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
6.5.0
1+
6.6.0

docs/index.asciidoc

Lines changed: 34 additions & 7 deletions
@@ -221,15 +221,18 @@ This plugin supports the following configuration options plus the <<plugins-{typ
221221
| <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
222222
| <<plugins-{type}s-{plugin}-include_codec_tag>> |<<boolean,boolean>>|__Deprecated__
223223
| <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
224-
| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
224+
| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|__Deprecated__
225225
| <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
226226
| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
227+
| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<array,array>>|No
228+
| <<plugins-{type}s-{plugin}-ssl_client_authentication>> |<<string,string>>, one of `["none", "optional", "required"]`|No
229+
| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
227230
| <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
228231
| <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
229232
| <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
230233
| <<plugins-{type}s-{plugin}-ssl_peer_metadata>> |<<boolean,boolean>>|__Deprecated__
231234
| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
232-
| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
235+
| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|__Deprecated__
233236
| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|__Deprecated__
234237
| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|__Deprecated__
235238
|=======================================================================
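Review bot: the `ssl_cipher_suites` row added at 227+ documents a pre-existing option that was missing from the table (its `[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]` section is already present as unchanged context in the next hunk); that is a doc fix unrelated to the SSL renaming and is mentioned in neither the commit message nor CHANGELOG.md, so call it out there. The `ssl` and `ssl_verify_mode` rows switching the Required column from `No` to `__Deprecated__` is consistent with how `include_codec_tag` and `ssl_peer_metadata` are already shown.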
@@ -384,6 +387,7 @@ The port to listen on.
384387

385388
[id="plugins-{type}s-{plugin}-ssl"]
386389
===== `ssl`
390+
deprecated[6.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
387391

388392
* Value type is <<boolean,boolean>>
389393
* Default value is `false`
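Review bot: the `deprecated[6.6.0, ...]` line at 390+ names the replacement but does not say how a conflict is resolved when a pipeline sets both `ssl` and `ssl_enabled`, which is the normal state while configurations are being migrated. Suggest stating either which setting wins or that setting both is a configuration error, and whether a deprecation warning is logged when `ssl` is used.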
@@ -408,8 +412,8 @@ SSL certificate to use.
408412

409413
Validate client certificates against these authorities.
410414
You can define multiple files or paths. All the certificates will
411-
be read and added to the trust store. You need to configure the `ssl_verify_mode`
412-
to `peer` or `force_peer` to enable the verification.
415+
be read and added to the trust store. You need to configure the <<plugins-{type}s-{plugin}-ssl_client_authentication>>
416+
to `optional` or `required` to enable the verification.
413417

414418
[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
415419
===== `ssl_cipher_suites`
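Review bot: the rewritten sentence at 415+/416+ tells users to set `ssl_client_authentication` to `optional` or `required` to enable verification, but it drops the `ssl_verify_mode` values without saying the deprecated setting still works, and it omits the new rule from the commit message that authorities configured together with `ssl_client_authentication => none` are rejected. Suggest: `... to `optional` or `required` to enable the verification; configuring authorities together with `ssl_client_authentication => none` is rejected.`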
@@ -422,6 +426,27 @@ This default list applies for OpenJDK 11.0.14 and higher.
422426
For older JDK versions, the default list includes only suites supported by that version.
423427
For example, the ChaCha20 family of ciphers is not supported in older versions.
424428

429+
[id="plugins-{type}s-{plugin}-ssl_client_authentication"]
430+
===== `ssl_client_authentication`
431+
432+
* Value can be any of: `none`, `optional`, `required`
433+
* Default value is `"none"`
434+
435+
Controls the server's behavior in regard to requesting a certificate from client connections:
436+
`required` forces a client to present a certificate, while `optional` requests a client certificate
437+
but the client is not required to present one. Defaults to `none`, which disables the client authentication.
438+
439+
NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> is set.
440+
441+
[id="plugins-{type}s-{plugin}-ssl_enabled"]
442+
===== `ssl_enabled`
443+
444+
* Value type is <<boolean,boolean>>
445+
* Default value is `false`
446+
447+
Events are by default sent in plain text. You can enable encryption by setting `ssl_enabled` to true and configuring
448+
the <<plugins-{type}s-{plugin}-ssl_certificate>> and <<plugins-{type}s-{plugin}-ssl_key>> options.
449+
425450
[id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
426451
===== `ssl_handshake_timeout`
427452
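Review bot: the NOTE at 439+ reads as if `ssl_client_authentication` may not appear at all unless `ssl_certificate_authorities` is set, yet the option defaults to `none` and the commit message says the invalid combination is the reverse one: authorities set together with `none`. Suggest rewording to: `optional` and `required` require <<plugins-{type}s-{plugin}-ssl_certificate_authorities>>; configuring authorities together with `none` is rejected. The `optional` description at 436+/437+ could also state plainly that clients presenting no certificate still connect, so `optional` is not by itself an access control.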

@@ -464,7 +489,7 @@ deprecated[6.5.0, Replaced by <<plugins-{type}s-{plugin}-enrich>>]
464489

465490
Enables storing client certificate information in event's metadata.
466491

467-
This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer`.
492+
This option is only valid when <<plugins-{type}s-{plugin}-ssl_client_authentication>> is set to `optional` or `required`.
468493

469494
[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
470495
===== `ssl_supported_protocols`
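Review bot: the sentence at 492+ lists `optional` alongside `required`, but the definition of `optional` in the previous hunk says a client is not required to present a certificate, so events from such clients carry no peer metadata; say that here so readers do not treat the metadata fields as always present. The commit message also says `ssl_peer_metadata` was fixed when `ssl_enabled => false`; if the option is now ignored (or rejected) without SSL, this paragraph is the place to state it.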
@@ -485,19 +510,21 @@ the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.
485510

486511
[id="plugins-{type}s-{plugin}-ssl_verify_mode"]
487512
===== `ssl_verify_mode`
513+
deprecated[6.6.0, Replaced by <<plugins-{type}s-{plugin}-ssl_client_authentication>>]
488514

489515
* Value can be any of: `none`, `peer`, `force_peer`
490516
* Default value is `"none"`
491517

492-
By default the server doesn't do any client verification.
518+
By default, the server doesn't do any client verification. If the <<plugins-{type}s-{plugin}-ssl_certificate_authorities>>
519+
is configured, and no value or `none` is provided for this option, it defaults to `force_peer` instead of `none`.
493520

494521
`peer` will make the server ask the client to provide a certificate.
495522
If the client provides a certificate, it will be validated.
496523

497524
`force_peer` will make the server ask the client to provide a certificate.
498525
If the client doesn't provide a certificate, the connection will be closed.
499526

500-
This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
527+
This option needs to be used with <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> and a defined list of CAs.
501528

502529
[id="plugins-{type}s-{plugin}-tls_max_version"]
503530
===== `tls_max_version`
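Review bot: the new text at 518+/519+ documents the legacy upgrade from `none` to `force_peer` when authorities are configured, but it should be flagged as behavior the replacement does not share: per the commit message, `ssl_client_authentication` rejects that same combination instead of silently upgrading it. Users migrating from `ssl_verify_mode => none` (or unset) with `ssl_certificate_authorities` set must choose `ssl_client_authentication => required` explicitly to keep the current effective behavior; suggest adding that to the `deprecated[]` line or a migration NOTE. Minor: "If the <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> is configured" should drop "the".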
