Fix for #14

- proper handling of ssl.verificaton_mode
christiangalsterer · Jan 14, 2017 · 7421ed5 · 7421ed5
1 parent a4f6ff9
commit 7421ed5
Show file tree

Hide file tree

Showing 8 changed files with 136 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -140,13 +140,14 @@ This will fetch and create all images required for the build process. The hole p
 
 3.2.0 (2017-01-07)
 
-[Download](https://github.com/christiangalsterer/httpbeat/releases/tag/3.1.1)
+[Download](https://github.com/christiangalsterer/httpbeat/releases/tag/3.2.0)
 
-Feature release containing the following changes:
+Feature and bugfix release containing the following changes:
 * Various documentation improvements
 * Update to beats v5.1.2
 * Update to Go 1.7.4
 * Fix: [Panic when using TLS configuration (Go 1.7.4)](https://github.com/christiangalsterer/httpbeat/pull/15)
+* Fix: [Proper suport for ssl.verification_mode](https://github.com/christiangalsterer/httpbeat/issues/14)
 
 3.1.1 (2017-01-07)
 

diff --git a/_meta/beat.full.yml b/_meta/beat.full.yml
@@ -45,3 +45,36 @@ httpbeat:
       # Optional additional headers to send to the endpoint
       headers:
         Accept: application/json
+
+      # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+      #ssl.enabled: true
+
+      # Configure SSL verification mode. If `none` is configured, all server hosts
+      # and certificates will be accepted. In this mode, SSL based connections are
+      # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+      # `full`.
+      #ssl.verification_mode: full
+
+      # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+      # 1.2 are enabled.
+      #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+      # Optional SSL configuration options. SSL is off by default.
+      # List of root certificates for HTTPS server verifications
+      #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+      # Certificate for SSL client authentication
+      #ssl.certificate: "/etc/pki/client/cert.pem"
+
+      # Client Certificate Key
+      #ssl.key: "/etc/pki/client/cert.key"
+
+      # Optional passphrase for decrypting the Certificate Key.
+      #ssl.key_passphrase: ''
+
+      # Configure cipher suites to be used for SSL connections
+      #ssl.cipher_suites: []
+
+      # Configure curve types for ECDHE based cipher suites
+      #ssl.curve_types: []
+
diff --git a/_meta/beat.yml b/_meta/beat.yml
@@ -45,3 +45,35 @@ httpbeat:
       # Optional additional headers to send to the endpoint
       #headers:
         #Accept: application/json
+      # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+      #ssl.enabled: true
+
+      # Configure SSL verification mode. If `none` is configured, all server hosts
+      # and certificates will be accepted. In this mode, SSL based connections are
+      # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+      # `full`.
+      #ssl.verification_mode: full
+
+      # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+      # 1.2 are enabled.
+      #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+      # Optional SSL configuration options. SSL is off by default.
+      # List of root certificates for HTTPS server verifications
+      #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+      # Certificate for SSL client authentication
+      #ssl.certificate: "/etc/pki/client/cert.pem"
+
+      # Client Certificate Key
+      #ssl.key: "/etc/pki/client/cert.key"
+
+      # Optional passphrase for decrypting the Certificate Key.
+      #ssl.key_passphrase: ''
+
+      # Configure cipher suites to be used for SSL connections
+      #ssl.cipher_suites: []
+
+      # Configure curve types for ECDHE based cipher suites
+      #ssl.curve_types: []
+
diff --git a/beater/poller.go b/beater/poller.go
@@ -248,6 +248,7 @@ func convertTLSConfig(config *transport.TLSConfig) *tls.Config {
 		CipherSuites:     config.CipherSuites,
 		RootCAs:          config.RootCAs,
 		CurvePreferences: config.CurvePreferences,
+		InsecureSkipVerify: config.Verification != transport.VerifyFull,
 	}
 }
 

diff --git a/httpbeat.full.yml b/httpbeat.full.yml
@@ -46,6 +46,39 @@ httpbeat:
       headers:
         Accept: application/json
 
+      # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+      #ssl.enabled: true
+
+      # Configure SSL verification mode. If `none` is configured, all server hosts
+      # and certificates will be accepted. In this mode, SSL based connections are
+      # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+      # `full`.
+      #ssl.verification_mode: full
+
+      # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+      # 1.2 are enabled.
+      #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+      # Optional SSL configuration options. SSL is off by default.
+      # List of root certificates for HTTPS server verifications
+      #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+      # Certificate for SSL client authentication
+      #ssl.certificate: "/etc/pki/client/cert.pem"
+
+      # Client Certificate Key
+      #ssl.key: "/etc/pki/client/cert.key"
+
+      # Optional passphrase for decrypting the Certificate Key.
+      #ssl.key_passphrase: ''
+
+      # Configure cipher suites to be used for SSL connections
+      #ssl.cipher_suites: []
+
+      # Configure curve types for ECDHE based cipher suites
+      #ssl.curve_types: []
+
+
 #================================ General ======================================
 
 # The name of the shipper that publishes the network data. It can be used to group

diff --git a/httpbeat.template-es2x.json b/httpbeat.template-es2x.json
@@ -7,7 +7,7 @@
         }
       },
       "_meta": {
-        "version": "5.1.1"
+        "version": "5.1.2"
       },
       "dynamic_templates": [
         {

diff --git a/httpbeat.template.json b/httpbeat.template.json
@@ -5,7 +5,7 @@
         "norms": false
       },
       "_meta": {
-        "version": "5.1.1"
+        "version": "5.1.2"
       },
       "dynamic_templates": [
         {

diff --git a/httpbeat.yml b/httpbeat.yml
@@ -45,6 +45,38 @@ httpbeat:
       # Optional additional headers to send to the endpoint
       #headers:
         #Accept: application/json
+      # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+      #ssl.enabled: true
+
+      # Configure SSL verification mode. If `none` is configured, all server hosts
+      # and certificates will be accepted. In this mode, SSL based connections are
+      # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+      # `full`.
+      #ssl.verification_mode: full
+
+      # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+      # 1.2 are enabled.
+      #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+      # Optional SSL configuration options. SSL is off by default.
+      # List of root certificates for HTTPS server verifications
+      #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+      # Certificate for SSL client authentication
+      #ssl.certificate: "/etc/pki/client/cert.pem"
+
+      # Client Certificate Key
+      #ssl.key: "/etc/pki/client/cert.key"
+
+      # Optional passphrase for decrypting the Certificate Key.
+      #ssl.key_passphrase: ''
+
+      # Configure cipher suites to be used for SSL connections
+      #ssl.cipher_suites: []
+
+      # Configure curve types for ECDHE based cipher suites
+      #ssl.curve_types: []
+
 
 #================================ General =====================================