From 4eeb5a958f11e3888a61aad764eab617848b7db7 Mon Sep 17 00:00:00 2001
From: Tiago Queiroz
Date: Fri, 11 Feb 2022 14:28:10 +0100
Subject: [PATCH] libbeat/common/transport: fix log message about TLS (#30331)
This commit fixes the log message issued by the `test output` command. Our current TLS verification relies on more than the value of `tlsConfig.InsecureSkipVerify`, so the previous implementation would log that TLS was disabled when it was not. This commit fixes it by checking the value of `config.Verification`.
---
 CHANGELOG.next.asciidoc | 1 +
 libbeat/common/transport/tls.go | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index ac82203c812..4cc85a1154c 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -39,6 +39,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
 *Affecting all Beats*
 - Fix field names with `add_network_direction` processor. {issue}29747[29747] {pull}29751[29751]
+- Fix a logging bug when `ssl.verification_mode` was set to `full` or `certificate`, the command `test output` incorrectly logged that TLS was disabled.
 *Auditbeat*
diff --git a/libbeat/common/transport/tls.go b/libbeat/common/transport/tls.go
index 5f8ade67012..25b116d8998 100644
--- a/libbeat/common/transport/tls.go
+++ b/libbeat/common/transport/tls.go
@@ -154,7 +154,21 @@ func tlsDialWith(
 }
 }
- if tlsConfig.InsecureSkipVerify {
+ // config might be nil, so get the zero-value and then read what is in config.
+ // We assume that the zero-value is the default value
+ var verification tlscommon.TLSVerificationMode
+ if config != nil {
+ verification = config.Verification
+ }
+
+ // We only check the status of config.Verification (`ssl.verification_mode`
+ // in the configuration file) because we have a custom verification logic
+ // implemented by setting tlsConfig.VerifyConnection that runs regardless of
+ // the status of tlsConfig.InsecureSkipVerify.
+ // For verification modes VerifyFull and VerifyCeritifcate we set
+ // tlsConfig.InsecureSkipVerify to true, hence it's not an indicator of
+ // whether TLS verification is enabled or not.
+ if verification == tlscommon.VerifyNone {
 d.Warn("security", "server's certificate chain verification is disabled")
 } else {
 d.Info("security", "server's certificate chain verification is enabled")
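Review bot: When `config` is nil, the new condition sees only the zero value of `tlscommon.TLSVerificationMode` and logs "verification is enabled" without consulting `tlsConfig` at all. If a caller can pass a nil `config` together with a `tls.Config` that has `InsecureSkipVerify` set and no `VerifyConnection` callback (the construction of `tlsConfig` is outside this hunk, so this is inferred), the diagnostic would report an unverified connection as verified. Consider keeping the old signal for that one case: `if verification == tlscommon.VerifyNone || (config == nil && tlsConfig.InsecureSkipVerify) {`. The comment "We assume that the zero-value is the default value" should also name the mode it relies on, so that a reordering of the enum does not silently change what is logged, and `VerifyCeritifcate` in the comment is a misspelling of `VerifyCertificate`. The body of `tlsDialWith` starts before and continues after this hunk.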