Add support for TLS renegotiation (elastic#5353)
This PR adds support for enabling TLS renegotiation. The setting is `ssl.renegotiation` and the options are `never` (default), `once`, and `freely`. This exposes the three options from https://golang.org/pkg/crypto/tls/#RenegotiationSupport.

Fixes elastic#4386
andrewkroh authored and ruflin committed Oct 9, 2017
1 parent 4778c51 commit 28cee61
Showing 12 changed files with 147 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
Expand Up @@ -61,6 +61,7 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di
- Changed the hashbang used in the beat helper script from `/bin/bash` to `/usr/bin/env bash`. {pull}5051[5051]
- Changed beat helper script to use `exec` when running the beat. {pull}5051[5051]
- Fix reloader error message to only print on actual error {pull}5066[5066]
- Add support for enabling TLS renegotiation. {issue}4386[4386]

*Auditbeat*
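Review bot: the changelog line added in this hunk names neither the new setting nor its default, which is the first thing an operator reading release notes wants; suggest `- Add support for enabling TLS renegotiation via the new `ssl.renegotiation` setting (default `never`). {issue}4386[4386]` so it is clear the change is opt-in and existing configurations keep renegotiation disabled.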

15 changes: 15 additions & 0 deletions auditbeat/auditbeat.reference.yml
Expand Up @@ -281,6 +281,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -357,6 +361,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -489,6 +497,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -586,6 +598,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file:
15 changes: 15 additions & 0 deletions filebeat/filebeat.reference.yml
Expand Up @@ -701,6 +701,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -777,6 +781,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -909,6 +917,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -1006,6 +1018,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file:
15 changes: 15 additions & 0 deletions heartbeat/heartbeat.reference.yml
Expand Up @@ -430,6 +430,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -506,6 +510,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -638,6 +646,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -735,6 +747,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file:
15 changes: 15 additions & 0 deletions libbeat/_meta/config.reference.yml
Expand Up @@ -216,6 +216,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
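Review bot: the comment text in this hunk says "what types of renegotiation are supported" without saying who initiates it; the mapping in libbeat/outputs/tls.go binds `once` and `freely` to `tls.RenegotiateOnceAsClient` and `tls.RenegotiateFreelyAsClient`, so what the setting really controls is whether the Beat, as TLS client, accepts renegotiation requests from the server. Suggest `# Configure whether the client accepts renegotiation requests from the server.` followed by the existing option list. The same four lines are pasted verbatim into the auditbeat, filebeat, heartbeat, metricbeat and packetbeat reference files in this commit, so any wording change needs to be applied to every copy.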
Expand Down Expand Up @@ -292,6 +296,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -424,6 +432,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -521,6 +533,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file:
9 changes: 9 additions & 0 deletions libbeat/docs/shared-ssl-config.asciidoc
Expand Up @@ -157,3 +157,12 @@ The following elliptic curve types are available:
* P-384
* P-521

[float]
==== `renegotiation`

This configures what types of TLS renegotiation are supported. The valid options
are `never`, `once`, and `freely`. The default value is never.

* `never` - Disables renegotiation.
* `once` - Allows a remote server to request renegotiation once per connection.
* `freely` - Allows a remote server to repeatedly request renegotiation.
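Review bot: in the sentence "The default value is never." the value should be in backticks like the other two (`never`), and the bullet list should say that `once` and `freely` only cover renegotiation requested by the remote server, since the Beat is always the TLS client here (the Go constants chosen in libbeat/outputs/tls.go are the `...AsClient` variants). Given the comment added to transport/tls.go in this same commit ("The default, never, is correct for the vast majority of applications"), the docs should carry that recommendation too, so that users only relax it when a specific server is known to require renegotiation.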
20 changes: 20 additions & 0 deletions libbeat/outputs/tls.go
Expand Up @@ -36,6 +36,7 @@ type TLSConfig struct {
CAs []string `config:"certificate_authorities"`
Certificate CertificateConfig `config:",inline"`
CurveTypes []tlsCurveType `config:"curve_types"`
Renegotiation tlsRenegotiationSupport `config:"renegotiation"`
}

type CertificateConfig struct {
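Review bot: the new `Renegotiation` field gets no explicit default, so a config without a `renegotiation` key leaves it at the zero value of `tlsRenegotiationSupport`; that equals `tls.RenegotiateNever` only because `RenegotiateNever` is the first (zero) constant of crypto/tls's `RenegotiationSupport` block, which happens to match the documented default. Acceptable, but add a comment on the field stating that the zero value must stay `never`, so a later change to an explicit non-zero default cannot silently loosen the setting.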
Expand All @@ -48,6 +49,8 @@ type tlsCipherSuite uint16

type tlsCurveType tls.CurveID

type tlsRenegotiationSupport tls.RenegotiationSupport

var tlsCipherSuites = map[string]tlsCipherSuite{
"ECDHE-ECDSA-AES-128-CBC-SHA": tlsCipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
"ECDHE-ECDSA-AES-128-GCM-SHA256": tlsCipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
Expand All @@ -74,6 +77,12 @@ var tlsCurveTypes = map[string]tlsCurveType{
"P-521": tlsCurveType(tls.CurveP521),
}

var tlsRenegotiationSupportTypes = map[string]tlsRenegotiationSupport{
"never": tlsRenegotiationSupport(tls.RenegotiateNever),
"once": tlsRenegotiationSupport(tls.RenegotiateOnceAsClient),
"freely": tlsRenegotiationSupport(tls.RenegotiateFreelyAsClient),
}

func (c *TLSConfig) Validate() error {
hasCertificate := c.Certificate.Certificate != ""
hasKey := c.Certificate.Key != ""
Expand Down Expand Up @@ -144,6 +153,7 @@ func LoadTLSConfig(config *TLSConfig) (*transport.TLSConfig, error) {
RootCAs: cas,
CipherSuites: cipherSuites,
CurvePreferences: curves,
Renegotiation: tls.RenegotiationSupport(config.Renegotiation),
}, nil
}

Expand Down Expand Up @@ -289,3 +299,13 @@ func (ct *tlsCurveType) Unpack(s string) error {
*ct = t
return nil
}

func (r *tlsRenegotiationSupport) Unpack(s string) error {
t, found := tlsRenegotiationSupportTypes[s]
if !found {
return fmt.Errorf("invalid tls renegotiation type '%v'", s)
}

*r = t
return nil
}
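Review bot: the error returned by `Unpack` names the rejected value but not the accepted ones, which makes a typo harder to diagnose from a log line; suggest `return fmt.Errorf("invalid tls renegotiation type '%v' (valid options: never, once, freely)", s)`. The map lookup is also case-sensitive, so `Never` or `FREELY` are rejected; that is consistent with `tlsCurveTypes` but should be documented in the reference config comment.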
8 changes: 8 additions & 0 deletions libbeat/outputs/tls_test.go
Expand Up @@ -85,6 +85,7 @@ func TestValuesSet(t *testing.T) {
supported_protocols: [TLSv1.1, TLSv1.2]
curve_types:
- P-521
renegotiation: freely
`)

if err != nil {
Expand All @@ -100,6 +101,9 @@ func TestValuesSet(t *testing.T) {
[]transport.TLSVersion{transport.TLSVersion11, transport.TLSVersion12},
cfg.Versions)
assert.Len(t, cfg.CurveTypes, 1)
assert.Equal(t,
tls.RenegotiateFreelyAsClient,
tls.RenegotiationSupport(cfg.Renegotiation))
}

func TestApplyEmptyConfig(t *testing.T) {
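Review bot: the assertion added here covers the explicit `freely` value, but nothing in this test file pins the documented default; `TestApplyEmptyConfig` below is the natural place to assert `tls.RenegotiateNever` for a config that omits `renegotiation`, which also guards the assumption that the field's zero value is `never`.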
Expand Down Expand Up @@ -169,6 +173,10 @@ func TestCertificateFails(t *testing.T) {
"unknown curve type",
"curve_types: ['unknown curve type']",
},
{
"unknown renegotiation type",
"renegotiation: always",
},
}

for i, test := range tests {
4 changes: 4 additions & 0 deletions libbeat/outputs/transport/tls.go
Expand Up @@ -39,6 +39,10 @@ type TLSConfig struct {
// Types of elliptic curves that will be used in an ECDHE handshake. If empty,
// the implementation will choose a default.
CurvePreferences []tls.CurveID

// Renegotiation controls what types of renegotiation are supported.
// The default, never, is correct for the vast majority of applications.
Renegotiation tls.RenegotiationSupport
}

type TLSVersion uint16
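Review bot: nothing in this diff copies the new `Renegotiation` field into the `*tls.Config` that transport builds for the dialer; `LoadTLSConfig` in libbeat/outputs/tls.go populates `transport.TLSConfig.Renegotiation`, but this file's only change is the field declaration. Unless the function that converts `TLSConfig` into crypto/tls's config already copies it, the setting is parsed and validated but has no effect on the connection. Confirm that copy exists, or add `Renegotiation: c.Renegotiation` next to `CurvePreferences` there, and extend the test to check the built `*tls.Config` rather than only the parsed struct.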
15 changes: 15 additions & 0 deletions metricbeat/metricbeat.reference.yml
Expand Up @@ -660,6 +660,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -736,6 +740,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -868,6 +876,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -965,6 +977,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file:
15 changes: 15 additions & 0 deletions packetbeat/packetbeat.reference.yml
Expand Up @@ -668,6 +668,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -744,6 +748,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -876,6 +884,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -973,6 +985,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file: