Skip to content

Commit

Permalink
Support self-signed certificate on outputs (#29229)
Browse files Browse the repository at this point in the history
Adds ssl.ca_trusted_fingerprint option, if set to the HEX fingerprint of a root CA certificate, this certificate is added to
the trusted CAs (as if it was defined on ssl.certificate_authorities), then the SSL validation continues as normal.

This happens during the SSL handshake.
  • Loading branch information
belimawr authored Dec 6, 2021
1 parent 27d1a6e commit 191a075
Show file tree
Hide file tree
Showing 19 changed files with 645 additions and 18 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -295,6 +295,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add http.pprof.enabled option to libbeat to allow http/pprof endpoints on the socket that libbeat creates for metrics. {issue}21965[21965]
- Support custom analyzers in fields.yml. {issue}28540[28540] {pull}28926[28926]
- SASL/SCRAM in the Kafka output is no longer beta. {pull}29126[29126]
- Support self signed certificates on outputs {pull}29229[29229]

*Auditbeat*

Expand Down
42 changes: 42 additions & 0 deletions auditbeat/auditbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -513,6 +513,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -645,6 +652,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
# Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
Expand Down Expand Up @@ -846,6 +860,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -1010,6 +1031,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# -------------------------------- File Output ---------------------------------
#output.file:
Expand Down Expand Up @@ -1297,6 +1325,13 @@ setup.kibana:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# ================================== Logging ===================================

Expand Down Expand Up @@ -1495,6 +1530,13 @@ logging.files:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down
42 changes: 42 additions & 0 deletions filebeat/filebeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1446,6 +1446,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -1578,6 +1585,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
# Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
Expand Down Expand Up @@ -1779,6 +1793,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -1943,6 +1964,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# -------------------------------- File Output ---------------------------------
#output.file:
Expand Down Expand Up @@ -2230,6 +2258,13 @@ setup.kibana:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# ================================== Logging ===================================

Expand Down Expand Up @@ -2428,6 +2463,13 @@ logging.files:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down
42 changes: 42 additions & 0 deletions heartbeat/heartbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -659,6 +659,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -791,6 +798,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
# Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
Expand Down Expand Up @@ -992,6 +1006,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -1156,6 +1177,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# -------------------------------- File Output ---------------------------------
#output.file:
Expand Down Expand Up @@ -1443,6 +1471,13 @@ setup.kibana:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# ================================== Logging ===================================

Expand Down Expand Up @@ -1641,6 +1676,13 @@ logging.files:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down
7 changes: 7 additions & 0 deletions libbeat/_meta/config/ssl.reference.yml.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -50,3 +50,10 @@
#
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""
36 changes: 19 additions & 17 deletions libbeat/common/transport/tlscommon/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,16 @@ var warnOnce sync.Once

// Config defines the user configurable options in the yaml file.
type Config struct {
Enabled *bool `config:"enabled" yaml:"enabled,omitempty"`
VerificationMode TLSVerificationMode `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
Versions []TLSVersion `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
CipherSuites []CipherSuite `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
CAs []string `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
Certificate CertificateConfig `config:",inline" yaml:",inline"`
CurveTypes []tlsCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
Renegotiation TlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
Enabled *bool `config:"enabled" yaml:"enabled,omitempty"`
VerificationMode TLSVerificationMode `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
Versions []TLSVersion `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
CipherSuites []CipherSuite `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
CAs []string `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
Certificate CertificateConfig `config:",inline" yaml:",inline"`
CurveTypes []tlsCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
Renegotiation TlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
CATrustedFingerprint string `config:"ca_trusted_fingerprint" yaml:"ca_trusted_fingerprint,omitempty"`
}

// LoadTLSConfig will load a certificate from config with all TLS based keys
Expand Down Expand Up @@ -82,14 +83,15 @@ func LoadTLSConfig(config *Config) (*TLSConfig, error) {

// return config if no error occurred
return &TLSConfig{
Versions: config.Versions,
Verification: config.VerificationMode,
Certificates: certs,
RootCAs: cas,
CipherSuites: config.CipherSuites,
CurvePreferences: curves,
Renegotiation: tls.RenegotiationSupport(config.Renegotiation),
CASha256: config.CASha256,
Versions: config.Versions,
Verification: config.VerificationMode,
Certificates: certs,
RootCAs: cas,
CipherSuites: config.CipherSuites,
CurvePreferences: curves,
Renegotiation: tls.RenegotiationSupport(config.Renegotiation),
CASha256: config.CASha256,
CATrustedFingerprint: config.CATrustedFingerprint,
}, nil
}

Expand Down
Loading

0 comments on commit 191a075

Please sign in to comment.