From 28cee61beaf737380b319d8ecd6ce3520b8b3306 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Mon, 9 Oct 2017 06:13:28 -0400 Subject: [PATCH] Add support TLS renegotiation (#5353) This PR adds support for enabling TLS renegotiation. The setting is `ssl.renegotiation` and the options are `never` (default), `once`, and `freely`. This exposes the three options from https://golang.org/pkg/crypto/tls/#RenegotiationSupport. Fixes #4386 --- CHANGELOG.asciidoc | 1 + auditbeat/auditbeat.reference.yml | 15 +++++++++++++++ filebeat/filebeat.reference.yml | 15 +++++++++++++++ heartbeat/heartbeat.reference.yml | 15 +++++++++++++++ libbeat/_meta/config.reference.yml | 15 +++++++++++++++ libbeat/docs/shared-ssl-config.asciidoc | 9 +++++++++ libbeat/outputs/tls.go | 20 ++++++++++++++++++++ libbeat/outputs/tls_test.go | 8 ++++++++ libbeat/outputs/transport/tls.go | 4 ++++ metricbeat/metricbeat.reference.yml | 15 +++++++++++++++ packetbeat/packetbeat.reference.yml | 15 +++++++++++++++ winlogbeat/winlogbeat.reference.yml | 15 +++++++++++++++ 12 files changed, 147 insertions(+) diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index ef534fa6fc6..5934e2f3dfe 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -61,6 +61,7 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di - Changed the hashbang used in the beat helper script from `/bin/bash` to `/usr/bin/env bash`. {pull}5051[5051] - Changed beat helper script to use `exec` when running the beat. {pull}5051[5051] - Fix reloader error message to only print on actual error {pull}5066[5066] +- Add support for enabling TLS renegotiation. {issue}4386[4386] *Auditbeat* diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index 0c4d78055ce..42920c139c4 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml @@ -281,6 +281,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #----------------------------- Logstash output --------------------------------- #output.logstash: @@ -357,6 +361,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Kafka output ---------------------------------- #output.kafka: # Boolean flag to enable or disable the output module. @@ -489,6 +497,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Redis output ---------------------------------- #output.redis: # Boolean flag to enable or disable the output module. @@ -586,6 +598,9 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never #------------------------------- File output ----------------------------------- #output.file: diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index d1d93174ae1..dee3140514f 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -701,6 +701,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #----------------------------- Logstash output --------------------------------- #output.logstash: @@ -777,6 +781,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Kafka output ---------------------------------- #output.kafka: # Boolean flag to enable or disable the output module. @@ -909,6 +917,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Redis output ---------------------------------- #output.redis: # Boolean flag to enable or disable the output module. @@ -1006,6 +1018,9 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never #------------------------------- File output ----------------------------------- #output.file: diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml index 5e1f7d1e02a..23d2fa1e005 100644 --- a/heartbeat/heartbeat.reference.yml +++ b/heartbeat/heartbeat.reference.yml @@ -430,6 +430,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #----------------------------- Logstash output --------------------------------- #output.logstash: @@ -506,6 +510,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Kafka output ---------------------------------- #output.kafka: # Boolean flag to enable or disable the output module. @@ -638,6 +646,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Redis output ---------------------------------- #output.redis: # Boolean flag to enable or disable the output module. @@ -735,6 +747,9 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never #------------------------------- File output ----------------------------------- #output.file: diff --git a/libbeat/_meta/config.reference.yml b/libbeat/_meta/config.reference.yml index fec940b1219..bf6cf9dcd30 100644 --- a/libbeat/_meta/config.reference.yml +++ b/libbeat/_meta/config.reference.yml @@ -216,6 +216,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #----------------------------- Logstash output --------------------------------- #output.logstash: @@ -292,6 +296,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Kafka output ---------------------------------- #output.kafka: # Boolean flag to enable or disable the output module. @@ -424,6 +432,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Redis output ---------------------------------- #output.redis: # Boolean flag to enable or disable the output module. @@ -521,6 +533,9 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never #------------------------------- File output ----------------------------------- #output.file: diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc index 6b0b1f6795f..2aa6f3b8110 100644 --- a/libbeat/docs/shared-ssl-config.asciidoc +++ b/libbeat/docs/shared-ssl-config.asciidoc @@ -157,3 +157,12 @@ The following elliptic curve types are available: * P-384 * P-521 +[float] +==== `renegotiation` + +This configures what types of TLS renegotiation are supported. The valid options +are `never`, `once`, and `freely`. The default value is never. + +* `never` - Disables renegotiation. +* `once` - Allows a remote server to request renegotiation once per connection. +* `freely` - Allows a remote server to repeatedly request renegotiation. diff --git a/libbeat/outputs/tls.go b/libbeat/outputs/tls.go index 0d601f365f7..8bb8f3eaf0e 100644 --- a/libbeat/outputs/tls.go +++ b/libbeat/outputs/tls.go @@ -36,6 +36,7 @@ type TLSConfig struct { CAs []string `config:"certificate_authorities"` Certificate CertificateConfig `config:",inline"` CurveTypes []tlsCurveType `config:"curve_types"` + Renegotiation tlsRenegotiationSupport `config:"renegotiation"` } type CertificateConfig struct { @@ -48,6 +49,8 @@ type tlsCipherSuite uint16 type tlsCurveType tls.CurveID +type tlsRenegotiationSupport tls.RenegotiationSupport + var tlsCipherSuites = map[string]tlsCipherSuite{ "ECDHE-ECDSA-AES-128-CBC-SHA": tlsCipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA), "ECDHE-ECDSA-AES-128-GCM-SHA256": tlsCipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), @@ -74,6 +77,12 @@ var tlsCurveTypes = map[string]tlsCurveType{ "P-521": tlsCurveType(tls.CurveP521), } +var tlsRenegotiationSupportTypes = map[string]tlsRenegotiationSupport{ + "never": tlsRenegotiationSupport(tls.RenegotiateNever), + "once": tlsRenegotiationSupport(tls.RenegotiateOnceAsClient), + "freely": tlsRenegotiationSupport(tls.RenegotiateFreelyAsClient), +} + func (c *TLSConfig) Validate() error { hasCertificate := c.Certificate.Certificate != "" hasKey := c.Certificate.Key != "" @@ -144,6 +153,7 @@ func LoadTLSConfig(config *TLSConfig) (*transport.TLSConfig, error) { RootCAs: cas, CipherSuites: cipherSuites, CurvePreferences: curves, + Renegotiation: tls.RenegotiationSupport(config.Renegotiation), }, nil } @@ -289,3 +299,13 @@ func (ct *tlsCurveType) Unpack(s string) error { *ct = t return nil } + +func (r *tlsRenegotiationSupport) Unpack(s string) error { + t, found := tlsRenegotiationSupportTypes[s] + if !found { + return fmt.Errorf("invalid tls renegotiation type '%v'", s) + } + + *r = t + return nil +} diff --git a/libbeat/outputs/tls_test.go b/libbeat/outputs/tls_test.go index 59013c98ddf..4c8ce1eae49 100644 --- a/libbeat/outputs/tls_test.go +++ b/libbeat/outputs/tls_test.go @@ -85,6 +85,7 @@ func TestValuesSet(t *testing.T) { supported_protocols: [TLSv1.1, TLSv1.2] curve_types: - P-521 + renegotiation: freely `) if err != nil { @@ -100,6 +101,9 @@ func TestValuesSet(t *testing.T) { []transport.TLSVersion{transport.TLSVersion11, transport.TLSVersion12}, cfg.Versions) assert.Len(t, cfg.CurveTypes, 1) + assert.Equal(t, + tls.RenegotiateFreelyAsClient, + tls.RenegotiationSupport(cfg.Renegotiation)) } func TestApplyEmptyConfig(t *testing.T) { @@ -169,6 +173,10 @@ func TestCertificateFails(t *testing.T) { "unknown curve type", "curve_types: ['unknown curve type']", }, + { + "unknown renegotiation type", + "renegotiation: always", + }, } for i, test := range tests { diff --git a/libbeat/outputs/transport/tls.go b/libbeat/outputs/transport/tls.go index 2e00b3f77be..c0eb074f498 100644 --- a/libbeat/outputs/transport/tls.go +++ b/libbeat/outputs/transport/tls.go @@ -39,6 +39,10 @@ type TLSConfig struct { // Types of elliptic curves that will be used in an ECDHE handshake. If empty, // the implementation will choose a default. CurvePreferences []tls.CurveID + + // Renegotiation controls what types of renegotiation are supported. + // The default, never, is correct for the vast majority of applications. + Renegotiation tls.RenegotiationSupport } type TLSVersion uint16 diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index 578d06b4478..eedcac9e35b 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -660,6 +660,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #----------------------------- Logstash output --------------------------------- #output.logstash: @@ -736,6 +740,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Kafka output ---------------------------------- #output.kafka: # Boolean flag to enable or disable the output module. @@ -868,6 +876,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Redis output ---------------------------------- #output.redis: # Boolean flag to enable or disable the output module. @@ -965,6 +977,9 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never #------------------------------- File output ----------------------------------- #output.file: diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index a730f3ca170..1265829be34 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml @@ -668,6 +668,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #----------------------------- Logstash output --------------------------------- #output.logstash: @@ -744,6 +748,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Kafka output ---------------------------------- #output.kafka: # Boolean flag to enable or disable the output module. @@ -876,6 +884,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Redis output ---------------------------------- #output.redis: # Boolean flag to enable or disable the output module. @@ -973,6 +985,9 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never #------------------------------- File output ----------------------------------- #output.file: diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index 0a592543f46..cdbd759fc96 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml @@ -245,6 +245,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #----------------------------- Logstash output --------------------------------- #output.logstash: @@ -321,6 +325,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Kafka output ---------------------------------- #output.kafka: # Boolean flag to enable or disable the output module. @@ -453,6 +461,10 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + #------------------------------- Redis output ---------------------------------- #output.redis: # Boolean flag to enable or disable the output module. @@ -550,6 +562,9 @@ output.elasticsearch: # Configure curve types for ECDHE based cipher suites #ssl.curve_types: [] + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never #------------------------------- File output ----------------------------------- #output.file: