diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 99b1f259a7a..6c2814ea810 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -32,6 +32,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Change Docker base image from CentOS 7 to Ubuntu 20.04 {pull}29681[29681] - Enrich kubernetes metadata with node annotations. {pull}29605[29605] - Allign kubernetes configuration settings. {pull}29908[29908] +- Remove legacy support for SSLv3. {pull}30071[30071] *Auditbeat* diff --git a/libbeat/common/transport/tlscommon/versions_default.go b/libbeat/common/transport/tlscommon/versions_default.go index 2d5180864c6..0d0ea0d2df0 100644 --- a/libbeat/common/transport/tlscommon/versions_default.go +++ b/libbeat/common/transport/tlscommon/versions_default.go @@ -26,14 +26,13 @@ import ( // Define all the possible TLS version. const ( - TLSVersionSSL30 TLSVersion = tls.VersionSSL30 - TLSVersion10 TLSVersion = tls.VersionTLS10 - TLSVersion11 TLSVersion = tls.VersionTLS11 - TLSVersion12 TLSVersion = tls.VersionTLS12 - TLSVersion13 TLSVersion = tls.VersionTLS13 + TLSVersion10 TLSVersion = tls.VersionTLS10 + TLSVersion11 TLSVersion = tls.VersionTLS11 + TLSVersion12 TLSVersion = tls.VersionTLS12 + TLSVersion13 TLSVersion = tls.VersionTLS13 // TLSVersionMin is the min TLS version supported. - TLSVersionMin = TLSVersionSSL30 + TLSVersionMin = TLSVersion10 // TLSVersionMax is the max TLS version supported. TLSVersionMax = TLSVersion13 @@ -55,8 +54,6 @@ var TLSDefaultVersions = []TLSVersion{ } var tlsProtocolVersions = map[string]TLSVersion{ - "SSLv3": TLSVersionSSL30, - "SSLv3.0": TLSVersionSSL30, "TLSv1": TLSVersion10, "TLSv1.0": TLSVersion10, "TLSv1.1": TLSVersion11, @@ -77,9 +74,8 @@ func (pv TLSVersionDetails) String() string { } var tlsInverseLookup = map[TLSVersion]TLSVersionDetails{ - TLSVersionSSL30: TLSVersionDetails{Version: "3.0", Protocol: "ssl", Combined: "SSLv3"}, - TLSVersion10: TLSVersionDetails{Version: "1.0", Protocol: "tls", Combined: "TLSv1.0"}, - TLSVersion11: TLSVersionDetails{Version: "1.1", Protocol: "tls", Combined: "TLSv1.1"}, - TLSVersion12: TLSVersionDetails{Version: "1.2", Protocol: "tls", Combined: "TLSv1.2"}, - TLSVersion13: TLSVersionDetails{Version: "1.3", Protocol: "tls", Combined: "TLSv1.3"}, + TLSVersion10: TLSVersionDetails{Version: "1.0", Protocol: "tls", Combined: "TLSv1.0"}, + TLSVersion11: TLSVersionDetails{Version: "1.1", Protocol: "tls", Combined: "TLSv1.1"}, + TLSVersion12: TLSVersionDetails{Version: "1.2", Protocol: "tls", Combined: "TLSv1.2"}, + TLSVersion13: TLSVersionDetails{Version: "1.3", Protocol: "tls", Combined: "TLSv1.3"}, } diff --git a/libbeat/common/transport/tlscommon/versions_legacy.go b/libbeat/common/transport/tlscommon/versions_legacy.go index 18d557a2495..3d538a7ab9f 100644 --- a/libbeat/common/transport/tlscommon/versions_legacy.go +++ b/libbeat/common/transport/tlscommon/versions_legacy.go @@ -23,13 +23,12 @@ package tlscommon import "crypto/tls" const ( - TLSVersionSSL30 TLSVersion = tls.VersionSSL30 - TLSVersion10 TLSVersion = tls.VersionTLS10 - TLSVersion11 TLSVersion = tls.VersionTLS11 - TLSVersion12 TLSVersion = tls.VersionTLS12 + TLSVersion10 TLSVersion = tls.VersionTLS10 + TLSVersion11 TLSVersion = tls.VersionTLS11 + TLSVersion12 TLSVersion = tls.VersionTLS12 // TLSVersionMin is the min TLS version supported. - TLSVersionMin = TLSVersionSSL30 + TLSVersionMin = TLSVersion10 // TLSVersionMax is the max TLS version supported. TLSVersionMax = TLSVersion12 @@ -51,8 +50,6 @@ var TLSDefaultVersions = []TLSVersion{ } var tlsProtocolVersions = map[string]TLSVersion{ - "SSLv3": TLSVersionSSL30, - "SSLv3.0": TLSVersionSSL30, "TLSv1": TLSVersion10, "TLSv1.0": TLSVersion10, "TLSv1.1": TLSVersion11, @@ -60,8 +57,7 @@ var tlsProtocolVersions = map[string]TLSVersion{ } var tlsProtocolVersionsInverse = map[TLSVersion]string{ - TLSVersionSSL30: "SSLv3", - TLSVersion10: "TLSv1.0", - TLSVersion11: "TLSv1.1", - TLSVersion12: "TLSv1.2", + TLSVersion10: "TLSv1.0", + TLSVersion11: "TLSv1.1", + TLSVersion12: "TLSv1.2", } diff --git a/libbeat/common/transport/tlscommon/versions_test.go b/libbeat/common/transport/tlscommon/versions_test.go index b1251109b05..7f2b2e02763 100644 --- a/libbeat/common/transport/tlscommon/versions_test.go +++ b/libbeat/common/transport/tlscommon/versions_test.go @@ -36,11 +36,6 @@ func TestTLSVersion(t *testing.T) { 0x0, nil, }, - { - "SSLv3", - tls.VersionSSL30, - &TLSVersionDetails{Version: "3.0", Protocol: "ssl", Combined: "SSLv3"}, - }, { "TLSv1.0", tls.VersionTLS10, diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc index 97a2605ef4b..71f9b45c2b8 100644 --- a/libbeat/docs/shared-ssl-config.asciidoc +++ b/libbeat/docs/shared-ssl-config.asciidoc @@ -120,7 +120,7 @@ SSL settings are disabled if either `enabled` is set to `false` or the List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions not configured, the connection will be dropped during or after the handshake. The setting is a list of allowed protocol versions: -`SSLv3`, `TLSv1` for TLS version 1.0, `TLSv1.0`, `TLSv1.1`, `TLSv1.2`, and +`TLSv1` for TLS version 1.0, `TLSv1.0`, `TLSv1.1`, `TLSv1.2`, and `TLSv1.3`. The default value is `[TLSv1.1, TLSv1.2, TLSv1.3]`. diff --git a/packetbeat/docs/packetbeat-options.asciidoc b/packetbeat/docs/packetbeat-options.asciidoc index 6c062187494..2cd21bfd8fc 100644 --- a/packetbeat/docs/packetbeat-options.asciidoc +++ b/packetbeat/docs/packetbeat-options.asciidoc @@ -1235,8 +1235,7 @@ Packetbeat intercepts the initial handshake in a TLS connection and extracts useful information that helps operators diagnose problems and strengthen the security of their network and systems. It does not decrypt any information from the encapsulated protocol, nor does it reveal any -sensitive information such as cryptographic keys. TLS versions 1.0 to 1.3 and -SSL 3.0 are supported. +sensitive information such as cryptographic keys. TLS versions 1.0 to 1.3 are supported. It works by intercepting the client and server "hello" messages, which contain the negotiated parameters for the connection such as cryptographic ciphers and