From 7421ed5e5e4b528d3443552ff61d556056cb6c1e Mon Sep 17 00:00:00 2001 From: Christian Galsterer Date: Sat, 14 Jan 2017 09:46:00 +0100 Subject: [PATCH] Fix for https://github.com/christiangalsterer/httpbeat/issues/14 - proper handling of ssl.verificaton_mode --- README.md | 5 +++-- _meta/beat.full.yml | 33 +++++++++++++++++++++++++++++++++ _meta/beat.yml | 32 ++++++++++++++++++++++++++++++++ beater/poller.go | 1 + httpbeat.full.yml | 33 +++++++++++++++++++++++++++++++++ httpbeat.template-es2x.json | 2 +- httpbeat.template.json | 2 +- httpbeat.yml | 32 ++++++++++++++++++++++++++++++++ 8 files changed, 136 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9811232..fda2700 100644 --- a/README.md +++ b/README.md @@ -140,13 +140,14 @@ This will fetch and create all images required for the build process. The hole p 3.2.0 (2017-01-07) -[Download](https://github.com/christiangalsterer/httpbeat/releases/tag/3.1.1) +[Download](https://github.com/christiangalsterer/httpbeat/releases/tag/3.2.0) -Feature release containing the following changes: +Feature and bugfix release containing the following changes: * Various documentation improvements * Update to beats v5.1.2 * Update to Go 1.7.4 * Fix: [Panic when using TLS configuration (Go 1.7.4)](https://github.com/christiangalsterer/httpbeat/pull/15) +* Fix: [Proper suport for ssl.verification_mode](https://github.com/christiangalsterer/httpbeat/issues/14) 3.1.1 (2017-01-07) diff --git a/_meta/beat.full.yml b/_meta/beat.full.yml index d6c39cd..6fe5bb4 100644 --- a/_meta/beat.full.yml +++ b/_meta/beat.full.yml 
@@ -45,3 +45,36 @@ httpbeat: # Optional additional headers to send to the endpoint headers: Accept: application/json + + # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + #ssl.enabled: true + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # Optional SSL configuration options. SSL is off by default. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + diff --git a/_meta/beat.yml b/_meta/beat.yml index e58d5db..853acf1 100644 --- a/_meta/beat.yml +++ b/_meta/beat.yml 
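Review bot: The new `ssl.supported_protocols` comment in _meta/beat.full.yml says TLS 1.0 and 1.1 are enabled by default but does not say they are legacy protocol versions. Operators copy from a sample config, so it should steer them, for example with `# TLSv1.0 and TLSv1.1 are legacy; prefer [TLSv1.2] where the polled endpoints support it.` The `ssl.verification_mode` comment could also name its accepted values explicitly (`full` and `none` are the two it mentions). The same block is added to _meta/beat.yml, httpbeat.full.yml and httpbeat.yml, so the wording applies there as well. Whether `convertTLSConfig` passes the configured protocol versions on to `tls.Config` is not visible in this patch and is worth confirming.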
@@ -45,3 +45,35 @@ httpbeat: # Optional additional headers to send to the endpoint #headers: #Accept: application/json + # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + #ssl.enabled: true + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # Optional SSL configuration options. SSL is off by default. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + diff --git a/beater/poller.go b/beater/poller.go index e481ed0..b66d67a 100644 --- a/beater/poller.go +++ b/beater/poller.go @@ -248,6 +248,7 @@ func convertTLSConfig(config *transport.TLSConfig) *tls.Config { CipherSuites: config.CipherSuites, RootCAs: config.RootCAs, CurvePreferences: config.CurvePreferences, + InsecureSkipVerify: config.Verification != transport.VerifyFull, } } diff --git a/httpbeat.full.yml b/httpbeat.full.yml index 524526d..ac3826b 100644 --- a/httpbeat.full.yml +++ b/httpbeat.full.yml 
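Review bot: The added `InsecureSkipVerify: config.Verification != transport.VerifyFull,` in `convertTLSConfig` (beater/poller.go) fails open: every mode other than `VerifyFull` switches certificate and hostname checking off, not only an explicit `none`. Comparing against the disabling value, `InsecureSkipVerify: config.Verification == transport.VerifyNone,`, would keep verification on if libbeat later adds another mode. A one-line warning log when verification ends up disabled would make the insecure setting visible in operation. A small unit test of `convertTLSConfig` for both modes would pin the mapping. The struct literal starts outside the hunk, so the remaining fields were not reviewed.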
@@ -46,6 +46,39 @@ httpbeat: headers: Accept: application/json + # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + #ssl.enabled: true + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # Optional SSL configuration options. SSL is off by default. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + + #================================ General ====================================== # The name of the shipper that publishes the network data. It can be used to group diff --git a/httpbeat.template-es2x.json b/httpbeat.template-es2x.json index 8b91166..0547f0e 100644 --- a/httpbeat.template-es2x.json +++ b/httpbeat.template-es2x.json @@ -7,7 +7,7 @@ } }, "_meta": { - "version": "5.1.1" + "version": "5.1.2" }, "dynamic_templates": [ { diff --git a/httpbeat.template.json b/httpbeat.template.json index d3cbb44..237914d 100644 --- a/httpbeat.template.json +++ b/httpbeat.template.json @@ -5,7 +5,7 @@ "norms": false }, "_meta": { - "version": "5.1.1" + "version": "5.1.2" }, "dynamic_templates": [ { diff --git a/httpbeat.yml b/httpbeat.yml index 7ed7398..51e3175 100644 --- a/httpbeat.yml 
+++ b/httpbeat.yml @@ -45,6 +45,38 @@ httpbeat: # Optional additional headers to send to the endpoint #headers: #Accept: application/json + # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + #ssl.enabled: true + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # Optional SSL configuration options. SSL is off by default. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + #================================ General =====================================