diff --git a/.go-version b/.go-version index 4ed70fac17d..545fd574d35 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.14.12 +1.15.7 diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index 4d40f0c99b3..51a4565e4ff 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc @@ -106,3 +106,4 @@ The list below covers the major changes between 7.0.0-rc2 and master only. - Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827] - Update ecszap to v0.3.0 for using ECS 1.6.0 in logs {pull}22267[22267] - Add support for customized monitoring API. {pull}22605[22605] +- Update Go version to 1.15.7. {pull}22495[22495] diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 0e7edfce6f2..6a780cd612c 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -985,6 +985,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Affecting all Beats* +- Selecting `full` in `ssl.verification_mode` option will not treat CommonName field in x509 certificates as + a hostname when Subject Alternative Name is not present from v8.0. + Please update your certificates so it contains at least one DNSName instead of relying on CommonName in the new + major version of Beats. + *Filebeat* - The experimental modules for Citrix Netscaler and Symantec Endpoint Protection have been removed. diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index c6d4c0c0735..e5767ab1167 100644 --- a/auditbeat/Dockerfile +++ b/auditbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index ef82491a4dd..7a053b62884 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml @@ -529,6 +529,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -656,6 +662,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -853,6 +865,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1009,6 +1027,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1305,6 +1329,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1502,6 +1532,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/filebeat/Dockerfile b/filebeat/Dockerfile index d9707991a5f..8b3983fa8da 100644 --- a/filebeat/Dockerfile +++ b/filebeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 91b1dfa3190..6cf5f8d33fa 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -1409,6 +1409,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1536,6 +1542,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1733,6 +1745,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1889,6 +1907,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2185,6 +2209,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2382,6 +2412,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/filebeat/input/kafka/config.go b/filebeat/input/kafka/config.go index 0e4888b90c3..75a0957744a 100644 --- a/filebeat/input/kafka/config.go +++ b/filebeat/input/kafka/config.go @@ -177,7 +177,7 @@ func newSaramaConfig(config kafkaInputConfig) (*sarama.Config, error) { } if tls != nil { k.Net.TLS.Enable = true - k.Net.TLS.Config = tls.BuildModuleConfig("") + k.Net.TLS.Config = tls.BuildModuleClientConfig("") } if config.Kerberos.IsEnabled() { diff --git a/filebeat/input/mqtt/client.go b/filebeat/input/mqtt/client.go index 701498f3c56..068dca04386 100644 --- a/filebeat/input/mqtt/client.go +++ b/filebeat/input/mqtt/client.go @@ -40,7 +40,7 @@ func createClientOptions(config mqttInputConfig, onConnectHandler func(client li if err != nil { return nil, err } - clientOptions.SetTLSConfig(tlsConfig.BuildModuleConfig("")) + clientOptions.SetTLSConfig(tlsConfig.BuildModuleClientConfig("")) } return clientOptions, nil } diff --git a/filebeat/inputsource/tcp/server.go b/filebeat/inputsource/tcp/server.go index 270ebc9c0c5..42c88693879 100644 --- a/filebeat/inputsource/tcp/server.go +++ b/filebeat/inputsource/tcp/server.go @@ -68,7 +68,7 @@ func (s *Server) createServer() (net.Listener, error) { var l net.Listener var err error if s.tlsConfig != nil { - t := s.tlsConfig.BuildModuleConfig(s.config.Host) + t := s.tlsConfig.BuildServerConfig(s.config.Host) l, err = tls.Listen("tcp", s.config.Host, t) if err != nil { return nil, err diff --git a/filebeat/tests/system/test_tcp_tls.py b/filebeat/tests/system/test_tcp_tls.py index 4001fd863c9..845ade6b288 100644 --- a/filebeat/tests/system/test_tcp_tls.py +++ b/filebeat/tests/system/test_tcp_tls.py @@ -127,6 +127,8 @@ def test_tcp_over_tls_and_verify_invalid_server_without_mutual_auth(self): with pytest.raises(ssl.SSLError): tls.connect((config.get('host'), config.get('port'))) + sock.close() + def test_tcp_over_tls_mutual_auth_fails(self): """ Test filebeat TCP with TLS with default setting to enforce client auth, with bad client certificates @@ -171,6 +173,8 @@ def test_tcp_over_tls_mutual_auth_fails(self): # so that the failure can be reported as an exception when it arrives. tls.recv(1) + sock.close() + def test_tcp_over_tls_mutual_auth_succeed(self): """ Test filebeat TCP with TLS when enforcing client auth with good client certificates. @@ -275,6 +279,8 @@ def test_tcp_tls_with_a_plain_text_socket(self): assert path.isfile(path.join(self.working_dir, "output/" + self.beat_name)) is False + sock.close() + def assert_output(self, output): assert len(output) == 2 assert output[0]["input.type"] == "tcp" diff --git a/go.mod b/go.mod index 1b611711840..b0c1c974fc1 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/beats/v7 -go 1.14 +go 1.15 require ( 4d63.com/tz v1.1.1-0.20191124060701-6d37baae851b diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile index f0155d34274..51c2b06d485 100644 --- a/heartbeat/Dockerfile +++ b/heartbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml index 37e3e2ed122..e39dfa16d69 100644 --- a/heartbeat/heartbeat.reference.yml +++ b/heartbeat/heartbeat.reference.yml @@ -707,6 +707,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -834,6 +840,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1031,6 +1043,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1187,6 +1205,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1483,6 +1507,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1680,6 +1710,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/heartbeat/monitors/active/fixtures/expired.cert b/heartbeat/monitors/active/fixtures/expired.cert index e39ad893bd6..959486cec37 100644 --- a/heartbeat/monitors/active/fixtures/expired.cert +++ b/heartbeat/monitors/active/fixtures/expired.cert @@ -1,23 +1,21 @@ -----BEGIN CERTIFICATE----- -MIID3zCCAsegAwIBAgIUS+ahW2wxDZ1bT/qYnenS8jrXUcAwDQYJKoZIhvcNAQEL -BQAwfzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1OMRQwEgYDVQQHDAtNaW5uZWFw -b2xpczEVMBMGA1UECgwMRWxhc3RpYywgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmlu -ZzEgMB4GA1UEAwwXZXhwaXJlZHRlc3QuZXhhbXBsZS5uZXQwHhcNMjAwNDIxMTQw -MDE0WhcNMjAwNDIyMTQwMDE0WjB/MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTU4x -FDASBgNVBAcMC01pbm5lYXBvbGlzMRUwEwYDVQQKDAxFbGFzdGljLCBJbmMxFDAS -BgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBdleHBpcmVkdGVzdC5leGFtcGxl -Lm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKh1iS5EZ7bDSKgW -R3JXAepMIaEewMSdbaoBtuNQb48XJGwI0mudF983a7JxGCSfw9mhVYa4YsSv79UE -XomGrWVrS01Cmf1VRIOmxevWMPhvnE6UH+5VxKUBk5ooNSty4iHkDFy2i5WWjxiv -de6Xqnn/dVQhuT/sW+rU/grCsGcdUwqsWnC547ekqiYRTtyZrdh+U0KRKqy5iBlH -9Woua+CnXmsD7+4MgGekErg9XLRHYveLOmLucbNlAIlRyfMDZL1RlXufcGwhzItz -JNM9N0NJ5bwrpuP0RYlYbbMYal+b1Tn2e8qkMm88hniQkuu69kUpKeewIOr62vIK -tI273GECAwEAAaNTMFEwHQYDVR0OBBYEFKgd6wQcgIdUSjtJREObD+R3q3MPMB8G -A1UdIwQYMBaAFKgd6wQcgIdUSjtJREObD+R3q3MPMA8GA1UdEwEB/wQFMAMBAf8w -DQYJKoZIhvcNAQELBQADggEBADkBqmCUcvVTqu5IIZ5PLz40jdg2luaDHEA6I2Ga -1ioabETfQhXeaNJflojYm0Bzsy2aneVLGM2KaZ76wN0yvib3MZ4miu4C/mDsR3bB -wq7/CAK2AcJXv1jk0vIrK6DhZfA2HaelBkQ8UHwWK7AO+JmS6jozIt1vySwPI1E7 -lMFWbs3bmsSmunj3+66XS2XguUKzFwUIAEOfsPFqT2OMsPIa7weUWuCV/zMi7fuB -HbgVouYvMTve8wx7+ozDk6CyvlRlx20xwdOvXaH3JILw7gTQWcAEWZLcB2ct1Zks -UTtbIAjBV6s0Pm/2/6MxxkDCVVUpwXiiKBRkHxzkgoH7TQw= +MIIDazCCAlOgAwIBAgIUJGs/M/NeLac1U+H58kwZYgSUoMgwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTAxMTgxNTQxNDdaFw0yMTAx +MTkxNTQxNDdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDGo1zHFcEZT4gFe24in23O1C1AtCSP2wfZCHyA9Tvj +fak3dgI5BESPHHu8lqo8V4C2ViAnBBoQ9Uq3nd38CdVJyYK5vtrHpTVLK8OIasOD +eMHBwEOMQQN6js9in0lvixBTK2oZOOcONSSxQVFUKIgSfY8sBJViYftkolPmT/OZ +bipzBoikclKDQykM9GAh/IVSQpfC+PIJT31xOXmwvy9zL5eiLDRIsZpuauI6L7/f +RkapMXtDz0QuP3aZ/VZNydagmfrz0LiBfoX7B93ZRAPLmk9KzRb/RTcuxD28d45v +KtZXUr/cR6S5gwqzb1sEaOOR+kz9aeNzwGFl6LmcgpqfAgMBAAGjUzBRMB0GA1Ud +DgQWBBTKlcyCuhJ07eTv/y33LN6/SVB1FzAfBgNVHSMEGDAWgBTKlcyCuhJ07eTv +/y33LN6/SVB1FzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBo +mv85XCM+qNvn7nNXXvI8h7PFBYZAn6trD713liiD4fURjRmQt/EDXo1ZyJhmqm3n +UHqTbQ1srnhz2zTKbBD1m4rby3bu9l0IvoCihNnd3jEzcz6IkT5TqPy6FwQdKoD4 +U0miGvmSyKs7/IyJepy6k+XUI9KSsi4k/ECx4nAvvf05Yv7XtSvPpVPHW6uvLsTu +jv8C8CcND66LrUsqn2CRkiXXX68KJSDPvT4fdNDz1nIykN0AAvVs8rA3R35dgjiR +9aHsDqkqf6QIZ0jCKbZL4Z/j5tj26P1nEUsDeZ46FECipie2z9oZII897X+Yzrcg +d9RKMlVpBwQg/iFD9orw -----END CERTIFICATE----- diff --git a/heartbeat/monitors/active/fixtures/expired.key b/heartbeat/monitors/active/fixtures/expired.key index 2a11440f7aa..3f29313cc4e 100644 --- a/heartbeat/monitors/active/fixtures/expired.key +++ b/heartbeat/monitors/active/fixtures/expired.key @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCodYkuRGe2w0io -FkdyVwHqTCGhHsDEnW2qAbbjUG+PFyRsCNJrnRffN2uycRgkn8PZoVWGuGLEr+/V -BF6Jhq1la0tNQpn9VUSDpsXr1jD4b5xOlB/uVcSlAZOaKDUrcuIh5AxctouVlo8Y -r3Xul6p5/3VUIbk/7Fvq1P4KwrBnHVMKrFpwueO3pKomEU7cma3YflNCkSqsuYgZ -R/VqLmvgp15rA+/uDIBnpBK4PVy0R2L3izpi7nGzZQCJUcnzA2S9UZV7n3BsIcyL -cyTTPTdDSeW8K6bj9EWJWG2zGGpfm9U59nvKpDJvPIZ4kJLruvZFKSnnsCDq+try -CrSNu9xhAgMBAAECggEBAIc32QYvWESmWeK6B11rI5lqxK+snLT1XLpSp/esb++e -dtjU9/nzXd8JgEP6bZOwPiepTZpW1MjmJA+Lc0rWtMYsqoP4ityDHfzC2CmmgyZX -iFK2qS7I35BHRLA/x/X5QDRN9fJRgJdxA6mf5Xy/dtJ4UDhY3XbHBTzo/IWsoqYQ -4V3WBQYMGlhBArCoOx07pwc9NMTnXwpfe4rUdm3EaGGpe/9JT08JcTyFZfFUeFT1 -lfSYo5i+xPOCQ/FcC5GfWdciyY0c8ej8iwdxZb0kPI4hBu36+D6zD+YoNoC3CQTb -MecRFQ0MeTTuUMCdzFWtg+2FWnJucaLiaK9fKbVzi7UCgYEA0BAlfUdXdeDYMlW3 -2ReeOgH32bchPYwn2UvHYkIhhDp40STVw3BYQ0Zj9yJQXLFaoY1SFhwRJR1kpbSd -IfME/IzR/oMFvRUNQEPQZVH0Mg9FWIXLdXlV4qbU3AyA2r4x+VUCt3jp1n/5rG7g -cmoKBdCXNUAhK30bRGTdXB06Fp8CgYEAz0V+IlkGyDKcyCkja0ypA3AdSod/43az -7HMS3nf32hOFpgQuEtVYZc3NW/rdJFPksnRd6+RlD2nIoHZEa+adl2gESjGH2asw -nhxP/Pr4m8PGZF5BwdILRTVFukf5yrM6g63FgrgA9d+QdCsqoqrctItRyCgcfpL4 -XYXEKVWELP8CgYATxbUKVsFE/n0NK4AxLUFoGc/H7NNH2g3fZIgqGka9HiFlHq8B -x6dbnVDap3QjmucV+ywV1cz7TfPGm4djNoj+xxMdsK3W7i04MjmXp1Yhe7oHU4+m -NkWnKFuKHdYQ84okO6Pqc58lNzwu2sqRlOom60+zS8jbLSRuN3ehzVU72QKBgGm0 -qCo+Ou44maqfCFg9hWiicd3Dkt5feE0bNsFMb5PBJwTO1ux175ojxhqlqshPHLBC -FnAqT7v3mAD1r9lTiIVh3+YysnS5EJdiGw0KtWVDB9fCFkkRpPvLul7RPDw7AZmM -MtGCo8LBHHuSVDEXcG2HK9MnWbjXnWCcyrjFyx3jAoGAYsNGYm+OBr16NNsPtx3S -nRQJz9wqB2mIqNU8rRSjd5EUp03jhHiTEN9DT6iEnLGaTDBUgD2RlPvEVGk1N7FT -nh9tLtg2ytWIC/P+QrKwzdUUa00MSswTxRS3Cmy459UbLBiPgHBJ2h1G7gsiHPOt -erJWqYJ8DXvLzCPdMVzQxj8= +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDGo1zHFcEZT4gF +e24in23O1C1AtCSP2wfZCHyA9Tvjfak3dgI5BESPHHu8lqo8V4C2ViAnBBoQ9Uq3 +nd38CdVJyYK5vtrHpTVLK8OIasODeMHBwEOMQQN6js9in0lvixBTK2oZOOcONSSx +QVFUKIgSfY8sBJViYftkolPmT/OZbipzBoikclKDQykM9GAh/IVSQpfC+PIJT31x +OXmwvy9zL5eiLDRIsZpuauI6L7/fRkapMXtDz0QuP3aZ/VZNydagmfrz0LiBfoX7 +B93ZRAPLmk9KzRb/RTcuxD28d45vKtZXUr/cR6S5gwqzb1sEaOOR+kz9aeNzwGFl +6LmcgpqfAgMBAAECggEAdd93LMSiA80IIIiwQGdvF+8cs2qyz5LgQ1Af4b6kvUhS +ZBDpHMCFlo8GdlDJ0Gj0fj75cW2jsjB9GBzcH7YOFW0439R7q0FEMMlVjNweDSRZ +hgn7i30A/XdFZXa0czaIh3IZ0cHMisfKcE0cX951cNOFZE+L/ge60Grrcp47Je4H +r5F8fBaP2j729fQlpF3Kzl0uYCRqn9CD+KRMmz8nx9ifxmPM4ddVK8Xg8quVSU1x +HyeN7VfF0Hcvsv6+DRiZqgASu9pSggVffEmW4EBRNuJK4RPKFUriTTUTd8DUS39d +xxA4CjM/t+YjQOYcKlZGxxqu+ILPJnSTfyVe+lvp0QKBgQDvi5GRPuVGegO8nPqE +EHn9fh0CuVtRZjr+7YwJmlYY6WsEuVFOGlo+OdPQwk+iJuT187FYc83PwozRRoI+ +NfMC8lByMGXK0deTfCuK422U+PBuXP/U3xEK6rb1plFiNyw37wxivRTvSX/xZ8ZI +u+zS89LmWQn4oX2fbJUjcfol0wKBgQDUSHAv4PgYQutydgm2n2+asY/BeZupKqmR +FUINmcM8zZ6OC37xrT2TZoGT4WfCRJlvsj6Gpwzf6gM+MAluTQJ6ZxdAP8ifsUJT +69lyRL4o11qLvXsIexdHFUDRxv9E0pWQbEOUH7dZnWuZAXOc9sBVQLW7Hb9UJhzU +JNhsjWK8hQKBgESqO0XpQ4uaOiv8y4rDtlRFrEc1nsmMhmjA6x1tkjR95GFsRbQf +tbKUnPUAXhdbEtK10iZKu7pMSFVM4tS2Xjx//TNeUC99S1BJjam4W5cSbMkV+3en +oZkBgwSTcky3CAPYkDJVhQS6iuRGHP6Ib/BgWBoTd9o/YGUsmOuaJlxlAoGAUkH7 +juH64NPVjlXk76oaQfQ6AzuPMN8CM+Dr5n9FoyL+JIaZ2yZJLPvUjCwU27dfSWPl +TKIgoAd62DcfAGnA4xNddB0DLbYvQHusl9XBZewE/w8eRKwF2hqHMoKM2etL31nE +WfpsPsJ8Nh7U4ObQonhfszEUuZPHKgFZB79Fmk0CgYB0XEuZuSva3uKACbQQS2L2 +jeO23cmE+rSdfw9tL6O2OLZkKbDkHxMXu/G305ciyW+Hmw4CwC6B2IDJuCjzYGVr +7FL/XP0d/pksOIqjNi2VQvARO+7NStXqcgmB9p/vlyYkKLIcGKQ2w169QaNOLylc +L/DKQsIUqMqNsRcd4at/Kg== -----END PRIVATE KEY----- diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go index 2e5a43656ad..cd2c03dee3f 100644 --- a/heartbeat/monitors/active/http/http_test.go +++ b/heartbeat/monitors/active/http/http_test.go @@ -626,7 +626,12 @@ func TestNewRoundTripper(t *testing.T) { require.NotNil(t, transp.Dial) require.NotNil(t, transport.TLSDialer) - require.Equal(t, (&tlscommon.TLSConfig{}).ToConfig(), transp.TLSClientConfig) + expected := (&tlscommon.TLSConfig{}).ToConfig() + require.Equal(t, expected.InsecureSkipVerify, transp.TLSClientConfig.InsecureSkipVerify) + // When we remove support for the legacy common name treatment + // this test has to be adjusted, as we will not depend on our + // VerifyConnection callback. + require.NotNil(t, transp.TLSClientConfig.VerifyConnection) require.True(t, transp.DisableKeepAlives) }) } diff --git a/journalbeat/Dockerfile b/journalbeat/Dockerfile index 6df4d47d885..36af746307c 100644 --- a/journalbeat/Dockerfile +++ b/journalbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml index 7e875edcf8e..1eb7814f834 100644 --- a/journalbeat/journalbeat.reference.yml +++ b/journalbeat/journalbeat.reference.yml @@ -472,6 +472,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -599,6 +605,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -796,6 +808,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -952,6 +970,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1248,6 +1272,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1445,6 +1475,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/libbeat/Dockerfile b/libbeat/Dockerfile index b7dde2b92cf..cc9829656ed 100644 --- a/libbeat/Dockerfile +++ b/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/libbeat/_meta/config/ssl.reference.yml.tmpl b/libbeat/_meta/config/ssl.reference.yml.tmpl index 88f638e21b0..69b666f9c97 100644 --- a/libbeat/_meta/config/ssl.reference.yml.tmpl +++ b/libbeat/_meta/config/ssl.reference.yml.tmpl @@ -7,6 +7,12 @@ # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. +# * strict, which verifies that the provided certificate is signed by a trusted +# authority (CA) and also verifies that the server's hostname (or IP address) +# matches the names identified within the certificate. If the Subject Alternative +# Name is empty, it returns an error. +# * certificate, which verifies that the provided certificate is signed by a +# trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/libbeat/common/transport/tls.go b/libbeat/common/transport/tls.go index 0373297fd00..10ece84dc47 100644 --- a/libbeat/common/transport/tls.go +++ b/libbeat/common/transport/tls.go @@ -62,7 +62,7 @@ func TestTLSDialer( tlsConfig = lastTLSConfig } if tlsConfig == nil { - tlsConfig = config.BuildModuleConfig(host) + tlsConfig = config.BuildModuleClientConfig(host) lastNetwork = network lastAddress = address lastTLSConfig = tlsConfig diff --git a/libbeat/common/transport/tlscommon/ca_pinning_test.go b/libbeat/common/transport/tlscommon/ca_pinning_test.go index c188a20e63a..ac441225090 100644 --- a/libbeat/common/transport/tlscommon/ca_pinning_test.go +++ b/libbeat/common/transport/tlscommon/ca_pinning_test.go @@ -44,22 +44,22 @@ var ser int64 = 1 func TestCAPinning(t *testing.T) { host := "127.0.0.1" - t.Run("when the ca_sha256 field is not defined we use normal certificate validation", - func(t *testing.T) { - cfg := common.MustNewConfigFrom(map[string]interface{}{ - "certificate_authorities": []string{"ca_test.pem"}, - }) + t.Run("when the ca_sha256 field is not defined we use normal certificate validation", func(t *testing.T) { + cfg := common.MustNewConfigFrom(map[string]interface{}{ + "verification_mode": "strict", + "certificate_authorities": []string{"ca_test.pem"}, + }) - config := &Config{} - err := cfg.Unpack(config) - require.NoError(t, err) + config := &Config{} + err := cfg.Unpack(config) + require.NoError(t, err) - tlsCfg, err := LoadTLSConfig(config) - require.NoError(t, err) + tlsCfg, err := LoadTLSConfig(config) + require.NoError(t, err) - tls := tlsCfg.BuildModuleConfig(host) - require.Nil(t, tls.VerifyPeerCertificate) - }) + tls := tlsCfg.BuildModuleClientConfig(host) + require.Nil(t, tls.VerifyConnection) + }) t.Run("when the ca_sha256 field is defined we use CA cert pinning", func(t *testing.T) { cfg := common.MustNewConfigFrom(map[string]interface{}{ @@ -73,83 +73,93 @@ func TestCAPinning(t *testing.T) { tlsCfg, err := LoadTLSConfig(config) require.NoError(t, err) - tls := tlsCfg.BuildModuleConfig(host) - require.NotNil(t, tls.VerifyPeerCertificate) + tls := tlsCfg.BuildModuleClientConfig(host) + require.NotNil(t, tls.VerifyConnection) }) t.Run("CA Root -> Certificate and we have the CA root pin", func(t *testing.T) { - msg := []byte("OK received message") - - ca, err := genCA() - require.NoError(t, err) - - serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false) - require.NoError(t, err) - - mux := http.NewServeMux() - mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { - w.WriteHeader(http.StatusOK) - w.Write(msg) - }) - - // Select a random available port from the OS. - addr := "localhost:0" - - l, err := net.Listen("tcp", addr) - - server := &http.Server{ - Handler: mux, - TLSConfig: &tls.Config{ - Certificates: []tls.Certificate{ - serverCert, - }, - }, - } - - // Start server and shut it down when the tests are over. - go server.ServeTLS(l, "", "") - defer l.Close() - - // Root CA Pool - require.NoError(t, err) - rootCAs := x509.NewCertPool() - rootCAs.AddCert(ca.Leaf) - - // Get the pin of the RootCA. - pin := Fingerprint(ca.Leaf) - - tlsC := &TLSConfig{ - RootCAs: rootCAs, - CASha256: []string{pin}, + verificationModes := []TLSVerificationMode{ + VerifyFull, + VerifyStrict, + VerifyCertificate, } - - config := tlsC.BuildModuleConfig("localhost") - hostToConnect := l.Addr().String() - - transport := &http.Transport{ - TLSClientConfig: config, + for _, mode := range verificationModes { + t.Run(mode.String(), func(t *testing.T) { + msg := []byte("OK received message") + + ca, err := genCA() + require.NoError(t, err) + + serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false) + require.NoError(t, err) + + mux := http.NewServeMux() + mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + w.Write(msg) + }) + + // Select a random available port from the OS. + addr := "localhost:0" + + l, err := net.Listen("tcp", addr) + + server := &http.Server{ + Handler: mux, + TLSConfig: &tls.Config{ + Certificates: []tls.Certificate{ + serverCert, + }, + }, + } + + // Start server and shut it down when the tests are over. + go server.ServeTLS(l, "", "") + defer l.Close() + + // Root CA Pool + require.NoError(t, err) + rootCAs := x509.NewCertPool() + rootCAs.AddCert(ca.Leaf) + + // Get the pin of the RootCA. + pin := Fingerprint(ca.Leaf) + + tlsC := &TLSConfig{ + Verification: mode, + RootCAs: rootCAs, + CASha256: []string{pin}, + } + + config := tlsC.BuildModuleClientConfig("localhost") + hostToConnect := l.Addr().String() + + transport := &http.Transport{ + TLSClientConfig: config, + } + + client := &http.Client{Transport: transport} + + port := strings.TrimPrefix(hostToConnect, "127.0.0.1:") + + req, err := http.NewRequest("GET", "https://localhost:"+port, nil) + require.NoError(t, err) + resp, err := client.Do(req) + require.NoError(t, err) + content, err := ioutil.ReadAll(resp.Body) + require.NoError(t, err) + + assert.True(t, bytes.Equal(msg, content)) + + // 1. create key-pair + // 2. create pin + // 3. start server + // 4. Connect + // 5. Check wrong key do not work + // 6. Check good key work + // 7. check plain text fails to work. + }) } - - client := &http.Client{Transport: transport} - - port := strings.TrimPrefix(hostToConnect, "127.0.0.1:") - - req, err := http.NewRequest("GET", "https://localhost:"+port, nil) - require.NoError(t, err) - resp, err := client.Do(req) - require.NoError(t, err) - content, err := ioutil.ReadAll(resp.Body) - require.NoError(t, err) - - assert.True(t, bytes.Equal(msg, content)) - - // 1. create key-pair - // 2. create pin - // 3. start server - // 4. Connect - // 5. Check wrong key do not work - // 6. Check good key work - // 7. check plain text fails to work. }) t.Run("CA Root -> Intermediate -> Certificate and we receive the CA Root Pin", func(t *testing.T) { @@ -205,7 +215,7 @@ func TestCAPinning(t *testing.T) { CASha256: []string{pin}, } - config := tlsC.BuildModuleConfig("localhost") + config := tlsC.BuildModuleClientConfig("localhost") hostToConnect := l.Addr().String() transport := &http.Transport{ @@ -279,7 +289,7 @@ func TestCAPinning(t *testing.T) { CASha256: []string{pin}, } - config := tlsC.BuildModuleConfig("localhost") + config := tlsC.BuildModuleClientConfig("localhost") hostToConnect := l.Addr().String() transport := &http.Transport{ @@ -343,6 +353,7 @@ func genCA() (tls.Certificate, error) { func genSignedCert(ca tls.Certificate, keyUsage x509.KeyUsage, isCA bool) (tls.Certificate, error) { // Create another Cert/key cert := &x509.Certificate{ + DNSNames: []string{"localhost"}, SerialNumber: big.NewInt(2000), Subject: pkix.Name{ CommonName: "localhost", diff --git a/libbeat/common/transport/tlscommon/config.go b/libbeat/common/transport/tlscommon/config.go index 8d7650eb5bf..30009c2b13b 100644 --- a/libbeat/common/transport/tlscommon/config.go +++ b/libbeat/common/transport/tlscommon/config.go @@ -21,6 +21,8 @@ import ( "crypto/tls" "github.com/joeshaw/multierror" + + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" ) // Config defines the user configurable options in the yaml file. @@ -96,6 +98,8 @@ func LoadTLSConfig(config *Config) (*TLSConfig, error) { // Validate values the TLSConfig struct making sure certificate sure we have both a certificate and // a key. func (c *Config) Validate() error { + cfgwarn.Deprecate("8.0.0", "Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed.") + return c.Certificate.Validate() } diff --git a/libbeat/common/transport/tlscommon/server_config.go b/libbeat/common/transport/tlscommon/server_config.go index 866d6e3c28c..e85a0c409c3 100644 --- a/libbeat/common/transport/tlscommon/server_config.go +++ b/libbeat/common/transport/tlscommon/server_config.go @@ -28,13 +28,14 @@ import ( // ServerConfig defines the user configurable tls options for any TCP based service. type ServerConfig struct { Enabled *bool `config:"enabled"` - VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'full' + VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'full', 'strict', 'certificate' Versions []TLSVersion `config:"supported_protocols"` CipherSuites []tlsCipherSuite `config:"cipher_suites"` CAs []string `config:"certificate_authorities"` Certificate CertificateConfig `config:",inline"` CurveTypes []tlsCurveType `config:"curve_types"` ClientAuth tlsClientAuth `config:"client_authentication"` //`none`, `optional` or `required` + CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"` } // LoadTLSServerConfig tranforms a ServerConfig into a `tls.Config` to be used directly with golang @@ -88,6 +89,7 @@ func LoadTLSServerConfig(config *ServerConfig) (*TLSConfig, error) { CipherSuites: cipherSuites, CurvePreferences: curves, ClientAuth: tls.ClientAuthType(config.ClientAuth), + CASha256: config.CASha256, }, nil } diff --git a/libbeat/common/transport/tlscommon/testdata/cacert.crt b/libbeat/common/transport/tlscommon/testdata/cacert.crt new file mode 100644 index 00000000000..debdf7e246e --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/cacert.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL +BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u +dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 +MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG +UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV +BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW +ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo +yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu +5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP +7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI +p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a +tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB +nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP +BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU +XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P +dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg +blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn +in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug +B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq +A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z +-----END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/cacert.key b/libbeat/common/transport/tlscommon/testdata/cacert.key new file mode 100644 index 00000000000..e864b93ed66 --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/cacert.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArV7J/lQq1om7raAcjORHiCtvV2H3wcDe/BHjYw3WmWajBeMB +mWes9sUFx+phcfptYI53+UdqqMn3p7WB+VUWc+QBLQRj7DqjH31fbuT5B0qP9opQ +l+NHgVaebt6oemhT2eQyqnsVruY1DGKJU16bwLTC+WGzB/V71uqZ+VgKsBzyzXvn +1bj4OLSTdLv339MCqklASIVTj+xD4c98i35QAknII/iz18/+YLVF3vUUeUQfM8lh +nzS/dXqFVWgKXHaeJCFPgx5oCKfk+AqYHWFrGLjlh+PRe0Sci6aHFFOB/oXnguPs +x9CyFHBC2vp/zNg1A1t0RNdPWrb/ThCSkfP2BwIDAQABAoIBAQCQmLJYENL5xD5n +/VZSnEKc670dYHRHgRl5m2HPR8doghYN3tuCmtnDp2e+6VkEux1mnuypWEs5I9oO +YnBZCAKF/fCNH1BHwlAy/1oNH6Qj1Khls86sH7+PvDK/va0/CqyE2rL3RVk8Wnx8 +K+LlSc8V1q2XWUj8pl33TgvFzwx6/QpmGa1ofK84GaeWNskRt8xyf2HECiRl6ZFm +zZr2Ror3nRbgZK9FYWpcp6HUgxAH/8GQ3+8vMvftfTsDGD5TmmEq6CFgAFCVj92L +d7AZmNWR1483NzZF0HWOQ6ew9qrWkqVpER7kKKp/kkfoh2qXgvtQBTrw4IcCRwwa +szaSsIEBAoGBANiqXhBzPQJszm1Ajln07ZeyvgRB8PgzZXcAHS9AfGqh/mGQw5/X +3vqHdGiEynphoYtNqK1YT7RH7pkjkpqDzdunZGz1xog7i4ys8kVtivkDGlhn6cXI +4wmFcmyCaf76VPPr1RX8PNjsEKDK3jq1d86lBjSLPgcHT7J16WZgOcJnAoGBAMzY +QVNpjk1WNT7gid3MUXciIIZAovej4AiVyn97XxxLSyByXmNds65f3dM8NOJkJUvT +iV7pAjKl9pd1lE+WTNQSjCgSxw7G+4u9cQfNE7p6klAh/Rek76Mani9rAmQ2PdJl +EFaEgLom3wbR5eOkYURjw2jfqzFYQ8T1YZkWBithAoGAa3EYkknDIFe6ifzwWnWV ++Jr/lXbpuvspvrhEwLDWwb4xOkqiZ7qR7WSMemQXUFbn1/+bvNJFPB5LmI9GXO8t +f1Zj+5BpchctHYaJ4Znvx4odX2ewSo9S3t7ZHiwRygpzZD43fd6Ggf+WQ1Y2m6Bv +l/7Hs/i0uqGKiPHl2wmuutMCgYABZN9c7/T19cY6/VAy4DcVtne+MiZpxQW7STmt +kGtfR+vk9qJJztNwNlrOGzTI7aGLWI8wxCktqw94jGZL/FvdfZrSkv4jzZrcopdo +VC70L+1a+kA8rvSqiX3WGMZVZEEbc3CfBhvSKH2QEFGeMPowevVTe2Iw3cboSjs1 +zX6RQQKBgFV7gOstMfvixCSUCD2s5j/skhNJsB3Wd/tVYRbl/vgA6hHW8UOy2oWv +UTE45vJNVzRv030G5katjOYhlxHf9rpeSAbeIyty54I3X9/vDJZLXwe8WilQjUr7 +Dw8yNwH44j/0s8xcQXG8yE0h1Aa9GxHHtJtYrRYdx7sSwNHtwpnp +-----END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/testdata/client1.crt b/libbeat/common/transport/tlscommon/testdata/client1.crt new file mode 100644 index 00000000000..c3139a72a77 --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/client1.crt @@ -0,0 +1,48 @@ +-----BEGIN CERTIFICATE----- +MIIEFzCCAv+gAwIBAgIUeaB7uk2DjAM2cuRl0kaE9ly7Lj4wDQYJKoZIhvcNAQEL +BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u +dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 +MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBmMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG +UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDzANBgNV +BAsMBnNlcnZlcjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6 +hdpzNpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n +26nDMY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL5 +5qTPRJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Z +zd0W3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjU +mt+N/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABo4HQMIHNMAwGA1Ud +EwEB/wQCMAAwHQYDVR0OBBYEFAuDdHxE9/Zr7iVwfnUJ/lRtJnZkMIGNBgNVHSME +gYUwgYKAFH8hDdUHuxZVmvtkQZ5fFXeGQhZCoVSkUjBQMQswCQYDVQQGEwJDQTEP +MA0GA1UECAwGUXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVh +dHMxDTALBgNVBAsMBHJvb3SCFF8Gy28Bo1lpUDazFLHQ6Ss3hosRMA4GA1UdDwEB +/wQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAQEACzuX6AiVHk5Igs/LdOW2sJ9lm95N +Su1PQCobM0Jo8wX3pDAEQlLmaWTDcr4bfrQPfI8pih1F89DQU9z0nzNCRfxiQaA7 +myF8ftvf8v5j3LpaPWlkdWgCRieCl58fgy5vtcKx73eTY4a6SRB4zbWpl0rX9H6w +En1kQbpCJDzh8W+xmr8AKvY77CSC1vt7TaKan6F+fGwbt8kIng6P6C7dvMGsDKQN +2Tiq/wtH16DB8mOeO+zfxJfa84TPWL4UcSbZJ8w5Fyz4GJormaymxJGtKv58RO7J +u63WF9vlEnKGyqY1FckTsp3P9ivGEb/Y75+NyRwmNq5VO5BPrRBMOF3VAg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL +BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u +dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 +MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG +UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV +BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW +ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo +yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu +5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP +7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI +p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a +tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB +nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP +BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU +XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P +dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg +blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn +in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug +B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq +A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z +-----END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/client1.key b/libbeat/common/transport/tlscommon/testdata/client1.key new file mode 100644 index 00000000000..ce5274b758f --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/client1.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6hdpz +NpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n26nD +MY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL55qTP +RJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Zzd0W +3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjUmt+N +/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABAoIBABdTza7JKHZCT9ck +04vBX2KVIVrA50VScNOkNVuIYVmihEJJDI9N5asZhRtykHkmeqKlzGCBE63asf85 +1vrjAVhQ+KoCGLpUWxXgPbbzcS3wqKaGy9cIJT65957Z5Rz8zAvjMb0rkXHryOvR +iMaTGkM1KRcntZ3L5zr06HSk6J7K8QCEexKHl7Q7Ki1498tvBWdJGeGWRiUtI89j +wOUdcf3pVSVqI7J8gmmqVwNrVMbVxhlen7nkckXofWAackYVQDBD+hU1n3doNKLa +NP6mZkI02BOB29WLDXLuHtKDZtgnXex4JUz6zw53uV42FCDoQf3DUiVsMEL8xRCJ +27H6bwECgYEA/w53zS00mNdYdXO7dGhAw3UYPc3PDyg6Z823BQzfdOzsn5Yw0BIw +nPgstzwzOL0kw2p/PgwkG/7LOsF5CWs2xvU3LhUdOhgmw4B5IbMOYvbkVoYGz+22 +HJf4qyexAr7tKCITB+LCzUwoAgXp8uju1XdLVpk6xmJ3u+kIhMYTxkUCgYEA3wgx +71/uIUsoW6bVL5K00yXPWTTFtTBWM768VJ8Y++k2igPgcvKaBVaElr4AbvX5iCGz +1Ycc9xsGAYAo7+q4D+4cuOki/m0PMKD3DgXWpTtN0kJ+npWUBdE98NyDlTJYsa/w +xjeMQoDvC8tE2bAiwtVIOPQL2C/3emqkJcsVcDMCgYB8NeOJ/DXdKSJfMJldu1eu +2FuR3aS00PaAjuJOh1JbcvZZUZ879V/PUd0U7zBStWot8LM+2FLNf2whlQ8I0zm9 +8rWIr6eoHxLhqrNTAgxDjdDtgh/XKwDBNBFZ6N5/Y9PC87Uo5fnQWQIy2gZw0Zde +RdZeugixjEqbLIWFg6ElsQKBgHRy6O+c3M6RWU8ROnoOVU9xjGN9REUoKbn2uopM +T1UoHQvOnmAl/vkOhUfXiI5m65SCVE0GsL7sYyRhb/5kRRo8Ls71GwpQkv/G63ds +4PeAkU9Y3JecbZ7j8z1RRXqewOR1gndcBWWrwCQeS6KFboDfr0fdVFnaIZLPH0mE +UXs1AoGBAM3zpcyl5o99dO6x9N/8SSnyLT9TzzbJ6pU6d0F0ELn3OxTUBH1oA1dy +q1fADcRgN5vNuJljY4es/scK2BMeX1isFitXoIzk01F4R61xoXr8T33731eXFG6L +ehoECH2Yj9H4qNbVW531iYKheuSyaMaxCxaDoK9jBzcKaxMGbTlc +-----END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 22cebb2bf8d..9e7eb4548db 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -20,8 +20,12 @@ package tlscommon import ( "crypto/tls" "crypto/x509" + "fmt" + "net" "time" + "github.com/pkg/errors" + "github.com/elastic/beats/v7/libbeat/logp" ) @@ -75,8 +79,13 @@ type TLSConfig struct { time func() time.Time } -// ToConfig generates a tls.Config object. Note, you must use BuildModuleConfig to generate a config with +var ( + MissingPeerCertificate = errors.New("missing peer certificates") +) + +// ToConfig generates a tls.Config object. Note, you must use BuildModuleClientConfig to generate a config with // ServerName set, use that method for servers with SNI. +// By default VerifyConnection is set to client mode. func (c *TLSConfig) ToConfig() *tls.Config { if c == nil { return &tls.Config{} @@ -84,36 +93,37 @@ func (c *TLSConfig) ToConfig() *tls.Config { minVersion, maxVersion := extractMinMaxVersion(c.Versions) - // When we are using the CAsha256 pin to validate the CA used to validate the chain, - // or when we are using 'certificate' TLS verification mode, we add a custom callback - verifyPeerCertFn := makeVerifyPeerCertificate(c) - - insecure := c.Verification != VerifyFull + insecure := c.Verification != VerifyStrict if c.Verification == VerifyNone { logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.") } - return &tls.Config{ - MinVersion: minVersion, - MaxVersion: maxVersion, - Certificates: c.Certificates, - RootCAs: c.RootCAs, - ClientCAs: c.ClientCAs, - InsecureSkipVerify: insecure, - CipherSuites: c.CipherSuites, - CurvePreferences: c.CurvePreferences, - Renegotiation: c.Renegotiation, - ClientAuth: c.ClientAuth, - VerifyPeerCertificate: verifyPeerCertFn, - Time: c.time, + MinVersion: minVersion, + MaxVersion: maxVersion, + Certificates: c.Certificates, + RootCAs: c.RootCAs, + ClientCAs: c.ClientCAs, + InsecureSkipVerify: insecure, + CipherSuites: c.CipherSuites, + CurvePreferences: c.CurvePreferences, + Renegotiation: c.Renegotiation, + ClientAuth: c.ClientAuth, + Time: c.time, + VerifyConnection: makeVerifyConnection(c), } } // BuildModuleConfig takes the TLSConfig and transform it into a `tls.Config`. -func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { +func (c *TLSConfig) BuildModuleClientConfig(host string) *tls.Config { if c == nil { // use default TLS settings, if config is empty. - return &tls.Config{ServerName: host} + return &tls.Config{ + ServerName: host, + InsecureSkipVerify: true, + VerifyConnection: makeVerifyConnection(&TLSConfig{ + Verification: VerifyFull, + }), + } } config := c.ToConfig() @@ -121,33 +131,169 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { return config } -// makeVerifyPeerCertificate creates the verification combination of checking certificate pins and skipping host name validation depending on the config -func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc { - pin := len(cfg.CASha256) > 0 - skipHostName := cfg.Verification == VerifyCertificate - - if pin && !skipHostName { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - return verifyCAPin(cfg.CASha256, verifiedChains) +// BuildServerConfig takes the TLSConfig and transform it into a `tls.Config` for server side objects. +func (c *TLSConfig) BuildServerConfig(host string) *tls.Config { + if c == nil { + // use default TLS settings, if config is empty. + return &tls.Config{ + ServerName: host, + InsecureSkipVerify: true, + VerifyConnection: makeVerifyServerConnection(&TLSConfig{ + Verification: VerifyFull, + }), } } - if pin && skipHostName { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - _, _, err := verifyCertificateExceptServerName(rawCerts, cfg) + config := c.ToConfig() + config.ServerName = host + config.VerifyConnection = makeVerifyServerConnection(c) + return config +} + +func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { + switch cfg.Verification { + case VerifyFull: + return func(cs tls.ConnectionState) error { + // On the client side, PeerCertificates can't be empty. + if len(cs.PeerCertificates) == 0 { + return MissingPeerCertificate + } + + opts := x509.VerifyOptions{ + Roots: cfg.RootCAs, + Intermediates: x509.NewCertPool(), + } + err := verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts) if err != nil { return err } - return verifyCAPin(cfg.CASha256, verifiedChains) + return verifyHostname(cs.PeerCertificates[0], cs.ServerName) + } + case VerifyCertificate: + return func(cs tls.ConnectionState) error { + // On the client side, PeerCertificates can't be empty. + if len(cs.PeerCertificates) == 0 { + return MissingPeerCertificate + } + + opts := x509.VerifyOptions{ + Roots: cfg.RootCAs, + Intermediates: x509.NewCertPool(), + } + return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts) + } + case VerifyStrict: + if len(cfg.CASha256) > 0 { + return func(cs tls.ConnectionState) error { + return verifyCAPin(cfg.CASha256, cs.VerifiedChains) + } } + default: } - if !pin && skipHostName { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - _, _, err := verifyCertificateExceptServerName(rawCerts, cfg) - return err + return nil + +} + +func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error { + switch cfg.Verification { + case VerifyFull: + return func(cs tls.ConnectionState) error { + if len(cs.PeerCertificates) == 0 { + if cfg.ClientAuth == tls.RequireAndVerifyClientCert { + return MissingPeerCertificate + } + return nil + } + + opts := x509.VerifyOptions{ + Roots: cfg.ClientCAs, + Intermediates: x509.NewCertPool(), + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, + } + err := verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts) + if err != nil { + return err + } + return verifyHostname(cs.PeerCertificates[0], cs.ServerName) + } + case VerifyCertificate: + return func(cs tls.ConnectionState) error { + if len(cs.PeerCertificates) == 0 { + if cfg.ClientAuth == tls.RequireAndVerifyClientCert { + return MissingPeerCertificate + } + return nil + } + + opts := x509.VerifyOptions{ + Roots: cfg.ClientCAs, + Intermediates: x509.NewCertPool(), + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, + } + return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts) + } + case VerifyStrict: + if len(cfg.CASha256) > 0 { + return func(cs tls.ConnectionState) error { + return verifyCAPin(cfg.CASha256, cs.VerifiedChains) + } } + default: + } + + return nil + +} + +func verifyCertsWithOpts(certs []*x509.Certificate, casha256 []string, opts x509.VerifyOptions) error { + for _, cert := range certs[1:] { + opts.Intermediates.AddCert(cert) + } + verifiedChains, err := certs[0].Verify(opts) + if err != nil { + return err } + if len(casha256) > 0 { + return verifyCAPin(casha256, verifiedChains) + } return nil } + +func verifyHostname(cert *x509.Certificate, hostname string) error { + if hostname == "" { + return nil + } + // check if the server name is an IP + ip := hostname + if len(ip) >= 3 && ip[0] == '[' && ip[len(ip)-1] == ']' { + ip = ip[1 : len(ip)-1] + } + parsedIP := net.ParseIP(ip) + if parsedIP != nil { + for _, certIP := range cert.IPAddresses { + if parsedIP.Equal(certIP) { + return nil + } + } + return x509.HostnameError{Certificate: cert, Host: hostname} + } + + dnsnames := cert.DNSNames + if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { + if cert.Subject.CommonName != "" { + dnsnames = []string{cert.Subject.CommonName} + } + } + + for _, name := range dnsnames { + if len(name) > 0 && len(hostname) > 0 && name == hostname { + if !validHostname(name, true) { + return fmt.Errorf("invalid hostname in cert") + } + return nil + } + } + return x509.HostnameError{Certificate: cert, Host: hostname} +} diff --git a/libbeat/common/transport/tlscommon/tls_config_test.go b/libbeat/common/transport/tlscommon/tls_config_test.go new file mode 100644 index 00000000000..1490664d3d3 --- /dev/null +++ b/libbeat/common/transport/tlscommon/tls_config_test.go @@ -0,0 +1,199 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package tlscommon + +import ( + "crypto/tls" + "crypto/x509" + "encoding/pem" + "io/ioutil" + "path/filepath" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestMakeVerifyServerConnection(t *testing.T) { + testCerts, err := openTestCerts() + if err != nil { + t.Fatalf("failed to open test certs: %+v", err) + } + + testCA, errs := LoadCertificateAuthorities([]string{filepath.Join("testdata", "cacert.crt")}) + if len(errs) > 0 { + t.Fatalf("failed to load test certificate authorities: %+v", errs) + } + + testcases := map[string]struct { + verificationMode TLSVerificationMode + clientAuth tls.ClientAuthType + certAuthorities *x509.CertPool + peerCerts []*x509.Certificate + serverName string + expectedCallback bool + expectedError error + }{ + "default verification without certificates when required": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + peerCerts: nil, + serverName: "", + expectedCallback: true, + expectedError: MissingPeerCertificate, + }, + "default verification with certificates when required with expired cert": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["expired"]}, + serverName: "", + expectedCallback: true, + expectedError: x509.CertificateInvalidError{Cert: testCerts["expired"], Reason: x509.Expired}, + }, + "default verification with certificates when required with incorrect server name in cert": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "bad.example.com", + expectedCallback: true, + expectedError: x509.HostnameError{Certificate: testCerts["correct"], Host: "bad.example.com"}, + }, + "default verification with certificates when required with correct cert": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "localhost", + expectedCallback: true, + expectedError: nil, + }, + "certificate verification with certificates when required with correct cert": { + verificationMode: VerifyCertificate, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "localhost", + expectedCallback: true, + expectedError: nil, + }, + "certificate verification with certificates when required with expired cert": { + verificationMode: VerifyCertificate, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["expired"]}, + serverName: "localhost", + expectedCallback: true, + expectedError: x509.CertificateInvalidError{Cert: testCerts["expired"], Reason: x509.Expired}, + }, + "certificate verification with certificates when required with incorrect server name in cert": { + verificationMode: VerifyCertificate, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "bad.example.com", + expectedCallback: true, + expectedError: nil, + }, + "strict verification with certificates when required with correct cert": { + verificationMode: VerifyStrict, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "localhost", + expectedCallback: false, + expectedError: nil, + }, + "default verification with certificates when required with cert signed by unkown authority": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["unknown authority"]}, + serverName: "", + expectedCallback: true, + expectedError: x509.UnknownAuthorityError{Cert: testCerts["unknown authority"]}, + }, + "default verification without certificates not required": { + verificationMode: VerifyFull, + clientAuth: tls.NoClientCert, + peerCerts: nil, + serverName: "", + expectedCallback: true, + expectedError: nil, + }, + "no verification without certificates not required": { + verificationMode: VerifyNone, + clientAuth: tls.NoClientCert, + peerCerts: nil, + serverName: "", + expectedError: nil, + }, + } + + for name, test := range testcases { + t.Run(name, func(t *testing.T) { + test := test + cfg := &TLSConfig{ + Verification: test.verificationMode, + ClientAuth: test.clientAuth, + ClientCAs: test.certAuthorities, + } + + verifier := makeVerifyServerConnection(cfg) + if !test.expectedCallback { + assert.Nil(t, verifier) + return + } + + err := verifier(tls.ConnectionState{ + PeerCertificates: test.peerCerts, + ServerName: test.serverName, + }) + if test.expectedError == nil { + assert.Nil(t, err) + } else { + assert.Error(t, test.expectedError, err) + } + }) + } + +} + +func openTestCerts() (map[string]*x509.Certificate, error) { + certs := make(map[string]*x509.Certificate, 0) + + for testcase, certname := range map[string]string{ + "expired": "tls.crt", + "unknown authority": "unsigned_tls.crt", + "correct": "client1.crt", + } { + + certBytes, err := ioutil.ReadFile(filepath.Join("testdata", certname)) + if err != nil { + return nil, err + } + block, _ := pem.Decode(certBytes) + testCert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + return nil, err + } + certs[testcase] = testCert + } + + return certs, nil +} diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go index 53e9da18db3..45c0ebf1f7f 100644 --- a/libbeat/common/transport/tlscommon/tls_test.go +++ b/libbeat/common/transport/tlscommon/tls_test.go @@ -132,12 +132,12 @@ func TestApplyEmptyConfig(t *testing.T) { t.Fatal(err) } - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) assert.Len(t, cfg.Certificates, 0) assert.Nil(t, cfg.RootCAs) - assert.Equal(t, false, cfg.InsecureSkipVerify) + assert.Equal(t, true, cfg.InsecureSkipVerify) assert.Len(t, cfg.CipherSuites, 0) assert.Len(t, cfg.CurvePreferences, 0) assert.Equal(t, tls.RenegotiateNever, cfg.Renegotiation) @@ -159,7 +159,7 @@ func TestApplyWithConfig(t *testing.T) { t.Fatal(err) } - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) assert.Len(t, cfg.Certificates, 1) assert.NotNil(t, cfg.RootCAs) @@ -184,7 +184,7 @@ key: mykey.pem tmp, err := LoadTLSServerConfig(&c) require.NoError(t, err) - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) // values not set by default @@ -193,7 +193,7 @@ key: mykey.pem assert.Len(t, cfg.CipherSuites, 0) assert.Len(t, cfg.CurvePreferences, 0) // values set by default - assert.Equal(t, false, cfg.InsecureSkipVerify) + assert.Equal(t, true, cfg.InsecureSkipVerify) assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) assert.Equal(t, tls.NoClientCert, cfg.ClientAuth) @@ -213,7 +213,7 @@ key: mykey.pem tmp, err := LoadTLSServerConfig(&c) require.NoError(t, err) - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) // values not set by default @@ -222,7 +222,7 @@ key: mykey.pem assert.Len(t, cfg.CipherSuites, 0) assert.Len(t, cfg.CurvePreferences, 0) // values set by default - assert.Equal(t, false, cfg.InsecureSkipVerify) + assert.Equal(t, true, cfg.InsecureSkipVerify) assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) assert.Equal(t, tls.RequireAndVerifyClientCert, cfg.ClientAuth) @@ -260,7 +260,7 @@ func TestApplyWithServerConfig(t *testing.T) { return } - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) assert.Len(t, cfg.Certificates, 1) assert.NotNil(t, cfg.ClientCAs) diff --git a/libbeat/common/transport/tlscommon/types.go b/libbeat/common/transport/tlscommon/types.go index c130a57c71a..29b11c92010 100644 --- a/libbeat/common/transport/tlscommon/types.go +++ b/libbeat/common/transport/tlscommon/types.go @@ -127,11 +127,13 @@ const ( VerifyFull TLSVerificationMode = iota VerifyNone VerifyCertificate + VerifyStrict ) var tlsVerificationModes = map[string]TLSVerificationMode{ "": VerifyFull, "full": VerifyFull, + "strict": VerifyStrict, "none": VerifyNone, "certificate": VerifyCertificate, } diff --git a/libbeat/common/transport/tlscommon/verify.go b/libbeat/common/transport/tlscommon/validhostname.go similarity index 59% rename from libbeat/common/transport/tlscommon/verify.go rename to libbeat/common/transport/tlscommon/validhostname.go index 867e70874a9..15370b4d4f9 100644 --- a/libbeat/common/transport/tlscommon/verify.go +++ b/libbeat/common/transport/tlscommon/validhostname.go @@ -43,58 +43,55 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -// This file contains code adapted from golang's crypto/tls/handshake_client.go +// This file contains code adapted from golang's crypto/x509/verify.go package tlscommon -import ( - "crypto/x509" - "time" +import "strings" - "github.com/pkg/errors" -) - -// verifyCertificateExceptServerName is a TLS Certificate verification utility method that verifies that the provided -// certificate chain is valid and is signed by one of the root CAs in the provided tls.Config. It is intended to be -// as similar as possible to the default verify, but does not verify that the provided certificate matches the -// ServerName in the tls.Config. -func verifyCertificateExceptServerName( - rawCerts [][]byte, - c *TLSConfig, -) ([]*x509.Certificate, [][]*x509.Certificate, error) { - // this is where we're a bit suboptimal, as we have to re-parse the certificates that have been presented - // during the handshake. - // the verification code here is taken from verifyServerCertificate in crypto/tls/handshake_client.go:824 - certs := make([]*x509.Certificate, len(rawCerts)) - for i, asn1Data := range rawCerts { - cert, err := x509.ParseCertificate(asn1Data) - if err != nil { - return nil, nil, errors.Wrap(err, "tls: failed to parse certificate from server") - } - certs[i] = cert +// validHostname reports whether host is a valid hostname that can be matched or +// matched against according to RFC 6125 2.2, with some leniency to accommodate +// legacy values. +func validHostname(host string, isPattern bool) bool { + if !isPattern { + host = strings.TrimSuffix(host, ".") } - - var t time.Time - if c.time != nil { - t = c.time() - } else { - t = time.Now() - } - - // DNSName omitted in VerifyOptions in order to skip ServerName verification - opts := x509.VerifyOptions{ - Roots: c.RootCAs, - CurrentTime: t, - Intermediates: x509.NewCertPool(), + if len(host) == 0 { + return false } - for _, cert := range certs[1:] { - opts.Intermediates.AddCert(cert) + for i, part := range strings.Split(host, ".") { + if part == "" { + // Empty label. + return false + } + if isPattern && i == 0 && part == "*" { + // Only allow full left-most wildcards, as those are the only ones + // we match, and matching literal '*' characters is probably never + // the expected behavior. + continue + } + for j, c := range part { + if 'a' <= c && c <= 'z' { + continue + } + if '0' <= c && c <= '9' { + continue + } + if 'A' <= c && c <= 'Z' { + continue + } + if c == '-' && j != 0 { + continue + } + if c == '_' { + // Not a valid character in hostnames, but commonly + // found in deployments outside the WebPKI. + continue + } + return false + } } - headCert := certs[0] - - // defer to the default verification performed - chains, err := headCert.Verify(opts) - return certs, chains, err + return true } diff --git a/libbeat/common/transport/tlscommon/verify_test.go b/libbeat/common/transport/tlscommon/verify_test.go deleted file mode 100644 index c08e60642f5..00000000000 --- a/libbeat/common/transport/tlscommon/verify_test.go +++ /dev/null @@ -1,110 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package tlscommon - -import ( - "crypto/x509" - "encoding/pem" - "io/ioutil" - "path/filepath" - "testing" - "time" - - "github.com/stretchr/testify/assert" -) - -// This does not actually test that it ignores the server name because no part of the func even consumes the server name -func Test_verifyCertificateExceptServerName(t *testing.T) { - - tests := []struct { - name string - ca string - chain string - cert string - time func() time.Time - wantErr bool - }{ - { - name: "happy path", - // a CA for morello.ovh valid from August 9 2019 to 2029 - ca: "ca.crt", - // a cert signed by morello.ovh that expired in nov 2019 - cert: "tls.crt", - time: func() time.Time { - layout := "2006-01-02" - t, _ := time.Parse(layout, "2019-10-01") - return t - }, - wantErr: false, - }, - { - name: "cert not signed by CA", - ca: "ca.crt", - // a self-signed cert for www.example.com valid from July 23 2020 to 2030 - cert: "unsigned_tls.crt", - time: func() time.Time { - layout := "2006-01-02" - t, _ := time.Parse(layout, "2020-07-24") - return t - }, - wantErr: true, - }, - { - name: "cert expired", - ca: "ca.crt", - cert: "tls.crt", - wantErr: true, - }, - } - - for _, tc := range tests { - t.Run(tc.name, func(t *testing.T) { - cfg := &TLSConfig{time: tc.time} - // load the CA - if tc.ca != "" { - ca := loadFileBytes(tc.ca) - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(ca) - cfg.RootCAs = caCertPool - } - - // load the cert - rawCerts := [][]byte{} - if tc.cert != "" { - pemCert := loadFileBytes(tc.cert) - block, _ := pem.Decode(pemCert) - rawCerts = append(rawCerts, block.Bytes) - } - - _, _, got := verifyCertificateExceptServerName(rawCerts, cfg) - if tc.wantErr { - assert.Error(t, got) - } else { - assert.NoError(t, got) - } - }) - } -} - -func loadFileBytes(fileName string) []byte { - contents, err := ioutil.ReadFile(filepath.Join("testdata", fileName)) - if err != nil { - panic(err) - } - return contents -} diff --git a/libbeat/common/transport/transptest/testing.go b/libbeat/common/transport/transptest/testing.go index 64763ba9b71..1649957c624 100644 --- a/libbeat/common/transport/transptest/testing.go +++ b/libbeat/common/transport/transptest/testing.go @@ -135,7 +135,7 @@ func NewMockServerTLS(t *testing.T, to time.Duration, cert string, proxy *transp t.Fatalf("failed to load certificate") } - listener := tls.NewListener(tcpListener, tlsConfig.BuildModuleConfig("")) + listener := tls.NewListener(tcpListener, tlsConfig.BuildServerConfig("")) server := &MockServer{Listener: listener, Timeout: to} server.Handshake = func(client net.Conn) { diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index 906aa673a14..89578a6f7a2 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc @@ -1,6 +1,6 @@ :stack-version: 8.0.0 :doc-branch: master -:go-version: 1.14.12 +:go-version: 1.15.7 :release-state: unreleased :python: 3.7 :docker: 1.12 diff --git a/libbeat/outputs/kafka/config.go b/libbeat/outputs/kafka/config.go index b3c8e984fe9..56708841750 100644 --- a/libbeat/outputs/kafka/config.go +++ b/libbeat/outputs/kafka/config.go @@ -227,7 +227,7 @@ func newSaramaConfig(log *logp.Logger, config *kafkaConfig) (*sarama.Config, err if tls != nil { k.Net.TLS.Enable = true - k.Net.TLS.Config = tls.BuildModuleConfig("") + k.Net.TLS.Config = tls.BuildModuleClientConfig("") } switch { diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile index 324f98c8d6d..4b76f73bafb 100644 --- a/metricbeat/Dockerfile +++ b/metricbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt update \ diff --git a/metricbeat/helper/server/http/http.go b/metricbeat/helper/server/http/http.go index b4bd17477b6..3fe02001d7a 100644 --- a/metricbeat/helper/server/http/http.go +++ b/metricbeat/helper/server/http/http.go @@ -76,7 +76,7 @@ func getDefaultHttpServer(mb mb.BaseMetricSet) (*HttpServer, error) { Addr: net.JoinHostPort(config.Host, strconv.Itoa(int(config.Port))), } if tlsConfig != nil { - httpServer.TLSConfig = tlsConfig.BuildModuleConfig(config.Host) + httpServer.TLSConfig = tlsConfig.BuildModuleClientConfig(config.Host) } h.server = httpServer return h, nil diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index f7530d7e386..f48de895ab6 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -1306,6 +1306,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1433,6 +1439,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1630,6 +1642,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1786,6 +1804,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2082,6 +2106,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2279,6 +2309,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/metricbeat/module/http/_meta/Dockerfile b/metricbeat/module/http/_meta/Dockerfile index 132ad0271df..9d104c32a7e 100644 --- a/metricbeat/module/http/_meta/Dockerfile +++ b/metricbeat/module/http/_meta/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.7 +FROM golang:1.15.7 COPY test/main.go main.go diff --git a/metricbeat/module/kafka/metricset.go b/metricbeat/module/kafka/metricset.go index 73c1be02218..5ec46332b35 100644 --- a/metricbeat/module/kafka/metricset.go +++ b/metricbeat/module/kafka/metricset.go @@ -49,7 +49,7 @@ func NewMetricSet(base mb.BaseMetricSet, options MetricSetOptions) (*MetricSet, var tls *tls.Config if tlsCfg != nil { - tls = tlsCfg.BuildModuleConfig("") + tls = tlsCfg.BuildModuleClientConfig("") } timeout := base.Module().Config().Timeout diff --git a/metricbeat/module/mongodb/metricset.go b/metricbeat/module/mongodb/metricset.go index b1b09a7ac4d..dc329b57f25 100644 --- a/metricbeat/module/mongodb/metricset.go +++ b/metricbeat/module/mongodb/metricset.go @@ -65,7 +65,7 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { logp.Warn("Failed to obtain hostname from `%s`: %s", hostname, err) hostname = "" } - return tls.Dial("tcp", addr.String(), tlsConfig.BuildModuleConfig(hostname)) + return tls.Dial("tcp", addr.String(), tlsConfig.BuildModuleClientConfig(hostname)) } } diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile index 2b0faecc26f..6c5abe6309a 100644 --- a/packetbeat/Dockerfile +++ b/packetbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 57142c14263..9737223098b 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml @@ -1024,6 +1024,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1151,6 +1157,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1348,6 +1360,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1504,6 +1522,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1800,6 +1824,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1997,6 +2027,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/testing/environments/docker/logstash/gencerts.sh b/testing/environments/docker/logstash/gencerts.sh index a04742a7672..fa53523e979 100755 --- a/testing/environments/docker/logstash/gencerts.sh +++ b/testing/environments/docker/logstash/gencerts.sh @@ -2,4 +2,4 @@ mkdir -p pki/tls/certs mkdir -p pki/tls/private -openssl req -subj '/CN=logstash/' -x509 -days $((100 * 365)) -batch -nodes -newkey rsa:2048 -keyout pki/tls/private/logstash.key -out pki/tls/certs/logstash.crt +openssl req -subj '/CN=logstash/' -x509 -days $((100 * 365)) -batch -nodes -newkey rsa:2048 -keyout pki/tls/private/logstash.key -out pki/tls/certs/logstash.crt -config ssl.conf diff --git a/testing/environments/docker/logstash/pki/tls/certs/logstash.crt b/testing/environments/docker/logstash/pki/tls/certs/logstash.crt index 1b18ba84a20..08d2903c7d7 100644 --- a/testing/environments/docker/logstash/pki/tls/certs/logstash.crt +++ b/testing/environments/docker/logstash/pki/tls/certs/logstash.crt @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC+zCCAeOgAwIBAgIJALOvd7vXvRrFMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV -BAMMCGxvZ3N0YXNoMCAXDTE2MDgyNjEyMzMyNFoYDzIxMTYwODAyMTIzMzI0WjAT -MREwDwYDVQQDDAhsb2dzdGFzaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBAKw5gLdWfqG9eraHrAAfSn2NbemYq32YZgbwJGaM9SlY3DDHB1MgBKBjpzPW -FavMO4xaDcfFhZbBJXwCVjPJe3ORQeoHgm3hG2er6JtCXlt3vto8FVbs9H4jd3+U -gH4cNdomgtYh3lBobZFKOa/+mZvjQxsK71KM2Gwk4b5gnV9iLaXzAGRWmY1dlHkE -Gki4WGNg0FlGf7aDJXZK2Yyq8MmiMfUEIZ2sDRjO3f/rCLdz3amG4gJtDllekz5l -lUTLccvtTWstJiKIx1zIAUEvTqaqInjMiJkjQtwazlc9w5ofmauxI6bb9L3L1ZJX -rrt+u5mg8Mc/w63+GuS8ZETbAacCAwEAAaNQME4wHQYDVR0OBBYEFA9Ug44w4XmN -r0z225Zt1zjjrKtoMB8GA1UdIwQYMBaAFA9Ug44w4XmNr0z225Zt1zjjrKtoMAwG -A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABwl9KCqg69dv2XNZ95VCdk7 -mAT0LcUbd0FyrzDibNolzx9OlymWYiIxe86KdZsWzgBUcm9Q3Gg+TzAs7UyyfqSp -LR5fgGGIz9PCuuoFBdZCppPL9Y3Dryi91lPXveDUh5zIemOU9Jf6Ni0XVrRsO9C8 -aoY7SLtl1W7du3Nm+ZFH8T0wCcBFaYttmHejyu311ZDyAF0suu6Qu8NAWFrr5QGe -hA8VcImc335VQntT9EcztHhoyt1aW96BxLU9L4kdSZLJ6FVZrGij7IpZNipUQB8p -bPEL9KuQUDHKjoCx2YaNZqmuZ73m6u84TiTxgDYgChSfYASRXyCq90rQrQHVF74= +MIIC+jCCAeKgAwIBAgIUImV3iegTZ0b1zTQna2L4aVKmq1owDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwIbG9nc3Rhc2gwIBcNMjAxMTEwMDkwMDQ4WhgPMjEyMDEw +MTcwOTAwNDhaMBMxETAPBgNVBAMMCGxvZ3N0YXNoMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAxYKH925nceZVxHZZskBaMuUIlI8tLRMY6EeXBvsDzrqi +4+pRFSCJU45wZKhOFi/EigWxk8TqfrHqYbpe9Cbxmngup2xvhgDC2Kmr3R/SKARW +zKCAbwLiDcf0yiJyT98AVOdUXuQ7HHC9m8D3Ohp1knYEmV8dJGtiFE1vW3FtYsUW +p0MOu5WG2iOitaWTIdXmqxwxuK6Jo4I3znReS0PSBwLFXKwWzjEcM9yvXPtubIc6 +1mbbF1Stf0GvGxmOs9u3JCNJXQvTuyJ+O7OrUbnk9vN8nmS/w9GSlM1PqwUNrWIB +X0uHazTU8mSFk3QI8M3kBFfFIN5dL9zIXLGFdJYvfwIDAQABo0QwQjALBgNVHQ8E +BAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHgYDVR0RBBcwFYIIbG9nc3Rhc2iC +CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEATBSnhUXJuf5whNmBE9OdoMJK +tgSaBx/FGq1tJp6jHkI1i4Oii3Wizs6K4tmWEqepu8MB0IVXJUkxGgh70DD3svKV +1En1zNOkUoI/lAwPBMHOl9oq2Z/u4E1dOydzyLQLDBg0fLC1Ui06NfdJRONOovoX +g3DD4IR6DODVtlGqRnON24H04OvZ3VWfbumkurp2XMvv8cooKQOLcMZ4dLVEyJxm +AEyC6pxuMsY32p/vtVjKarElqOnNAJ9xxS6IPczMgAXUMaxr5cZFMQSrdju9lVh4 +kpY5UglFiIJ/yHdlD5c4O8tK93qJ0Xgo7I7ujm38S38itrShpclXiAfW1rJ/2w== -----END CERTIFICATE----- diff --git a/testing/environments/docker/logstash/pki/tls/private/logstash.key b/testing/environments/docker/logstash/pki/tls/private/logstash.key index 9d3234d202e..83d14841286 100644 --- a/testing/environments/docker/logstash/pki/tls/private/logstash.key +++ b/testing/environments/docker/logstash/pki/tls/private/logstash.key @@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCsOYC3Vn6hvXq2 -h6wAH0p9jW3pmKt9mGYG8CRmjPUpWNwwxwdTIASgY6cz1hWrzDuMWg3HxYWWwSV8 -AlYzyXtzkUHqB4Jt4Rtnq+ibQl5bd77aPBVW7PR+I3d/lIB+HDXaJoLWId5QaG2R -Sjmv/pmb40MbCu9SjNhsJOG+YJ1fYi2l8wBkVpmNXZR5BBpIuFhjYNBZRn+2gyV2 -StmMqvDJojH1BCGdrA0Yzt3/6wi3c92phuICbQ5ZXpM+ZZVEy3HL7U1rLSYiiMdc -yAFBL06mqiJ4zIiZI0LcGs5XPcOaH5mrsSOm2/S9y9WSV667fruZoPDHP8Ot/hrk -vGRE2wGnAgMBAAECggEAArbxUXJ6koATFBd1XZcgrHPzPJBce6FQUmGsoTUtlBZD -ej1Y3zWM/R40/3srYkbY1XCB8Rkq7uJifd7nju9pE7xBZrfxlVvL+8lY5EGajSSJ -DJWP3Ivlmqticc9cayB0tNiQjWGBSJEs0PJzkFOaBjwBzcZRWWLA8otuR3rsYBl8 -cb7dV3HV4Z50Qto1ABoUWH2DGz7nX9HCr/SR1ayR1hWHCwv2Q4KQ5wJkmTKmaSNZ -I2464JXvufM9XiV9Fjy4RdiCN3sVXQcUIJ1hY+qGXsR0DUc5lOmw9Eu4SbJgdExR -EWoX4BqJuHrjCeKRF6rsDf5ocAS2cxATbQr1mEbW0QKBgQDWmZMO9TtL+pmJNmoP -g+HzgopBnMLxctcjVOEysuWgZyWYz9sFbCj6Udp2Q/9hjoVYRba3IXEHSsA2mdcY -KKcWbjEOYE+xL6oDXiZRkiJ+Poix9dOnTBg+lt2SKjphuNWnLe3jqfQhZxfV40Nf -60Wx6NGC7Dzlf+pAmkOA12BX2QKBgQDNcyTwnShbVrWzNRpzRe7RSHaAq6jSu1Yi -6dY/8bWTInVhPjB3xUGL0ckiMpDMoi0mxtnBmahvK59GPj3jhz+9HZqG6dSS6Fok -eS104GM7pCWyf66Rd9k8xu5IdrMM9Sveu24s21jgOJDtZtAplP1hsDMxxuaAEDVv -c0RwoKu1fwKBgDL0SheuIMM8oIIU+n/ul5LjNwK3Pw5nby/DcqlAEwfQFfw/tkiG -UwCEuPOF17iJR54bB3RaK2VI2XTdeFYTKQFJbrp0Idf3ck3UaBLMOQZywLBIp1W8 -2rDZz4hqIGydn5VPcYGyE/ZubRlrGc9HpMfGeSC2CQuRIMTwHAEWopiZAoGAZpKm -Trsn+vI/pUlN+19e7H4RLAyILS36w1Ob9DDpRpxdnj8+U43YO8ZxdPFp+cC+ai29 -ajsdLOPKkXdhzscnu3OcQt9bkj0PREZ7u26MHKrHZ2b38Qi1HPL05JjerAl77agG -Sb75kHitYtmB9EC+gJdH+AIl8qolA4+5C8Ir+GECgYBJgkoapPrGgSzCWHH6WpVZ -wrpZJ/rj6685J9K/ji3nHXj7gS4MzEzrtVK2K3aFjIjQe/zXJDI+dxrSCNfYFuQD -YJh+siGPF7Gosyht3ec0vUg7gY7Do1FzwL2H/OxvnaNEO+PPidXGOu/wHV5fMZJ1 -O2aLO5ZIygL6YcVr+vdm1A== +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFgof3bmdx5lXE +dlmyQFoy5QiUjy0tExjoR5cG+wPOuqLj6lEVIIlTjnBkqE4WL8SKBbGTxOp+seph +ul70JvGaeC6nbG+GAMLYqavdH9IoBFbMoIBvAuINx/TKInJP3wBU51Re5DsccL2b +wPc6GnWSdgSZXx0ka2IUTW9bcW1ixRanQw67lYbaI6K1pZMh1earHDG4romjgjfO +dF5LQ9IHAsVcrBbOMRwz3K9c+25shzrWZtsXVK1/Qa8bGY6z27ckI0ldC9O7In47 +s6tRueT283yeZL/D0ZKUzU+rBQ2tYgFfS4drNNTyZIWTdAjwzeQEV8Ug3l0v3Mhc +sYV0li9/AgMBAAECggEAXnrge7YuecfLQ12x7pjmDO6OujH7VFKMWaDVWBt/aMbS +4N/XxZl416WNkjkIkYhsJfIvThambdDB49n5TiXK8S+IccJnXtzCWE5hzjdImqfo +tZ4ZkgD5DcqXCJKNyDNOv06hh3r549LygK1AFmVN1K/r50oecKuFkVyxZjbOMq5o +pKuNOiYWYki1FXd0kVd2yLy4ZKejrgMqwKk06xpeY4o9UfWSeMHaG+rlYsxxO/Fe +3o1FueAFNdJv553xzzmjCDI6YVq43izoF11/Q6K0HHvqwPkpNEFo9ChzPuLmvwOd +3Pyif53aVyOWg01sIp7NXzrUMrBoku3QcDtvGvrm8QKBgQD5vyP6LqbaXZ33DX2N +NpxgEpp2H44KCSfuxc1+mu4IpwOKIdX2bqjkcfGqbU5uBammdwYB78ro++YP0qR/ +6MTVyJwbMxlutOHJY/FLDnh+KZdPSBmJmce62khU/+eCATwQJeHCiktK9GxLisq6 +nBlkWLfkLVtGMduq1JwO4lWf4wKBgQDKdI5yfj1GKkAR4DPUp+OBZo1RsSJj5A0H +qMS/eudKTGj9Gi6Xiw200+x6fpzRCWCzUmS3c+QfTXMgNJEBjhhIYSb3IRo1p7Gf +M3chbN53SZyYf6msQ4b7oRiGZFDtoYNm0v4lqIxuoNi98CGxGtmz1W6gejpFyb1Y +A+EkRbSMtQKBgQDb7WZROiPUx/wDQu39HMo4ECnVO5RpYga4TZfYlbZoCCslyQYS +LQCtq2mVGwyl9nafENFJg1C8Opct9+DEgsZTPIW7rhQHWWI7Zrdl0ShqcVW9i1Bx +y+oGsZJgx7mm0k+CKNnV5tLG/tce7un3yt7Rbw8A8LAf8Gfw16lVshqU4QKBgHzZ +WgrzHJhLb81WRMBMdHkVI+sP4FRXi02A3yvx//YKnugOoFLl9qLf2cJEmDI0pUSQ +d/nF5xUCrw9aO14JIaJo/x2BdWdHLbsugrXDLIHFjGNivuCzl+dPFg+yh1Gzu5PK +Y94XTdrfKCohjrVoCH7lDN674XmuCizf35R9w/TNAoGBAKqaP7TTSafEs9ugsAgt +u3RXBbd9OA8u9tLKEBys/f9XoDPYWZ5Ar8a0LjpubcC5V14S7KwBYdiTN0ynaPGK +NI89jze9Y4ByiBWIalXjR6CWh3VlBiUGYONUjxOHaoMGrbYxYACNvJYtqjlQS1yN +LJN6nFfCs4U6TgQ4XBCdVAFO -----END PRIVATE KEY----- diff --git a/testing/environments/docker/logstash/ssl.conf b/testing/environments/docker/logstash/ssl.conf new file mode 100644 index 00000000000..13fbe0dd2bf --- /dev/null +++ b/testing/environments/docker/logstash/ssl.conf @@ -0,0 +1,18 @@ +[req] +distinguished_name = req_distinguished_name +x509_extensions = v3_req +prompt = no +[req_distinguished_name] +C = US +ST = VA +L = SomeCity +O = Elastic +OU = Observability +CN = elastic.co +[v3_req] +keyUsage = keyEncipherment, dataEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +[alt_names] +DNS.1 = logstash +DNS.2 = localhost diff --git a/winlogbeat/eventlog/bench_test.go b/winlogbeat/eventlog/bench_test.go index df3417eb611..ffecb69672f 100644 --- a/winlogbeat/eventlog/bench_test.go +++ b/winlogbeat/eventlog/bench_test.go @@ -37,7 +37,7 @@ const gigabyte = 1 << 30 var ( benchTest = flag.Bool("benchtest", false, "Run benchmarks for the eventlog package.") - injectAmount = flag.Int("inject", 1E6, "Number of events to inject before running benchmarks.") + injectAmount = flag.Int("inject", 1e6, "Number of events to inject before running benchmarks.") ) // TestBenchmarkRead benchmarks each event log reader implementation with diff --git a/winlogbeat/tests/system/test_config.py b/winlogbeat/tests/system/test_config.py index 18df0594fca..065de09fc53 100644 --- a/winlogbeat/tests/system/test_config.py +++ b/winlogbeat/tests/system/test_config.py @@ -36,7 +36,7 @@ def test_invalid_ignore_older(self): ) self.run_config_tst(exit_code=1) assert self.log_contains( - "unknown unit hour in duration 1 hour " + "unknown unit \" hour\" in duration \"1 hour\" " "accessing 'winlogbeat.event_logs.0.ignore_older'") def test_invalid_level(self): diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index 316df4ae3dd..5eafb6ae1cb 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml @@ -452,6 +452,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -579,6 +585,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -776,6 +788,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -932,6 +950,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1228,6 +1252,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1425,6 +1455,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index ec3ef722b0c..9395908a0de 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml @@ -585,6 +585,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -712,6 +718,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -909,6 +921,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1065,6 +1083,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1361,6 +1385,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1558,6 +1588,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go index fbb790479c7..4158ba554ef 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go +++ b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go @@ -7,6 +7,7 @@ package pipelinemanager import ( "os" "path/filepath" + "strconv" "sync" "testing" "time" @@ -84,7 +85,7 @@ func createNewClient(t *testing.T, logString string, mockConnector *pipelinemock info := logger.Info{ ContainerID: "b87d3b0379f816a5f2f7070f28cc05e2f564a3fb549a67c64ec30fc5b04142ed", - LogPath: filepath.Join("/tmp/dockerbeattest/", string(time.Now().Unix())), + LogPath: filepath.Join("/tmp/dockerbeattest/", strconv.FormatInt(time.Now().Unix(), 10)), } err = os.MkdirAll(filepath.Dir(info.LogPath), 0755) diff --git a/x-pack/elastic-agent/pkg/agent/operation/common_test.go b/x-pack/elastic-agent/pkg/agent/operation/common_test.go index 43cab2fd3b4..2ec6b531456 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/common_test.go +++ b/x-pack/elastic-agent/pkg/agent/operation/common_test.go @@ -76,7 +76,7 @@ func getTestOperator(t *testing.T, downloadPath string, installPath string, p *a } operator.config.DownloadConfig.OperatingSystem = "darwin" - operator.config.DownloadConfig.Architecture = "32" + operator.config.DownloadConfig.Architecture = "64" // make the download path so the `operation_verify` can ensure the path exists downloadConfig := operator.config.DownloadConfig @@ -101,7 +101,7 @@ func getProgram(binary, version string) *app.Descriptor { downloadCfg := &artifact.Config{ InstallPath: installPath, OperatingSystem: "darwin", - Architecture: "32", + Architecture: "64", } return app.NewDescriptor(spec, version, downloadCfg, nil) } diff --git a/x-pack/elastic-agent/pkg/core/authority/ca.go b/x-pack/elastic-agent/pkg/core/authority/ca.go index 2ddeae70410..f558e8a9eb3 100644 --- a/x-pack/elastic-agent/pkg/core/authority/ca.go +++ b/x-pack/elastic-agent/pkg/core/authority/ca.go @@ -38,10 +38,10 @@ type Pair struct { // NewCA creates a new certificate authority capable of generating child certificates func NewCA() (*CertificateAuthority, error) { ca := &x509.Certificate{ + DNSNames: []string{"localhost"}, SerialNumber: big.NewInt(1653), Subject: pkix.Name{ Organization: []string{"elastic-fleet"}, - CommonName: "localhost", }, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), @@ -101,13 +101,13 @@ func (c *CertificateAuthority) GeneratePair() (*Pair, error) { } // GeneratePairWithName generates child certificate with provided name as the common name. -func (c *CertificateAuthority) GeneratePairWithName(commonName string) (*Pair, error) { +func (c *CertificateAuthority) GeneratePairWithName(name string) (*Pair, error) { // Prepare certificate certTemplate := &x509.Certificate{ SerialNumber: big.NewInt(1658), + DNSNames: []string{name}, Subject: pkix.Name{ Organization: []string{"elastic-fleet"}, - CommonName: commonName, }, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 0fd068e1963..242b551c510 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -3207,6 +3207,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -3334,6 +3340,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -3531,6 +3543,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -3687,6 +3705,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -3983,6 +4007,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -4180,6 +4210,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/filebeat/input/http_endpoint/input.go b/x-pack/filebeat/input/http_endpoint/input.go index bddf2be0a9e..2c799c1f14f 100644 --- a/x-pack/filebeat/input/http_endpoint/input.go +++ b/x-pack/filebeat/input/http_endpoint/input.go @@ -59,7 +59,7 @@ func newHTTPEndpoint(config config) (*httpEndpoint, error) { return nil, err } if tlsConfigBuilder != nil { - tlsConfig = tlsConfigBuilder.BuildModuleConfig(addr) + tlsConfig = tlsConfigBuilder.BuildModuleClientConfig(addr) } return &httpEndpoint{ diff --git a/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go b/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go index 9045108c449..0fba76aaab6 100644 --- a/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go +++ b/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go @@ -6,6 +6,7 @@ package template import ( "fmt" + "strconv" "sync" "testing" @@ -61,8 +62,8 @@ func ValidateTemplate(t testing.TB, template *Template) bool { func AssertFieldsEquals(t testing.TB, expected []FieldTemplate, actual []FieldTemplate) (succeeded bool) { if succeeded = assert.Len(t, actual, len(expected)); succeeded { for idx := range expected { - succeeded = assert.Equal(t, expected[idx].Length, actual[idx].Length, string(idx)) && succeeded - succeeded = assert.Equal(t, expected[idx].Info, actual[idx].Info, string(idx)) && succeeded + succeeded = assert.Equal(t, expected[idx].Length, actual[idx].Length, strconv.Itoa(idx)) && succeeded + succeeded = assert.Equal(t, expected[idx].Info, actual[idx].Info, strconv.Itoa(idx)) && succeeded } } return diff --git a/x-pack/functionbeat/Dockerfile b/x-pack/functionbeat/Dockerfile index 907a989eb4d..77daddd7a86 100644 --- a/x-pack/functionbeat/Dockerfile +++ b/x-pack/functionbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml index b41a4035d68..d96ab60094e 100644 --- a/x-pack/functionbeat/functionbeat.reference.yml +++ b/x-pack/functionbeat/functionbeat.reference.yml @@ -815,6 +815,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -942,6 +948,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1221,6 +1233,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1418,6 +1436,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml index 37e3e2ed122..e39dfa16d69 100644 --- a/x-pack/heartbeat/heartbeat.reference.yml +++ b/x-pack/heartbeat/heartbeat.reference.yml @@ -707,6 +707,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -834,6 +840,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1031,6 +1043,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1187,6 +1205,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1483,6 +1507,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1680,6 +1710,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/libbeat/Dockerfile b/x-pack/libbeat/Dockerfile index 06ca7a1ffad..1a0c44db398 100644 --- a/x-pack/libbeat/Dockerfile +++ b/x-pack/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.7 RUN \ apt-get update \ diff --git a/x-pack/metricbeat/Jenkinsfile.yml b/x-pack/metricbeat/Jenkinsfile.yml index 8406f20f5ac..19f9941ee47 100644 --- a/x-pack/metricbeat/Jenkinsfile.yml +++ b/x-pack/metricbeat/Jenkinsfile.yml @@ -115,14 +115,14 @@ stages: - "windows-7" branches: true ## for all the branches tags: true ## for all the tags - windows-7-32: - mage: "mage build unitTest" - platforms: ## override default labels in this specific stage. - - "windows-7-32-bit" - when: ## Override the top-level when. - comments: - - "/test x-pack/metricbeat for windows-7-32" - labels: - - "windows-7-32" - branches: true ## for all the branches - tags: true ## for all the tags +# windows-7-32: +# mage: "mage build unitTest" +# platforms: ## override default labels in this specific stage. +# - "windows-7-32-bit" +# when: ## Override the top-level when. +# comments: +# - "/test x-pack/metricbeat for windows-7-32" +# labels: +# - "windows-7-32" +# branches: true ## for all the branches +# tags: true ## for all the tags diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index 66c0e02eaa2..c003205f76c 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml @@ -1807,6 +1807,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1934,6 +1940,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2131,6 +2143,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2287,6 +2305,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2583,6 +2607,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -2780,6 +2810,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml index 57142c14263..9737223098b 100644 --- a/x-pack/packetbeat/packetbeat.reference.yml +++ b/x-pack/packetbeat/packetbeat.reference.yml @@ -1024,6 +1024,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1151,6 +1157,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1348,6 +1360,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1504,6 +1522,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1800,6 +1824,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1997,6 +2027,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index 03652ce2788..43427ba20f6 100644 --- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml @@ -495,6 +495,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -622,6 +628,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -819,6 +831,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -975,6 +993,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1271,6 +1295,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1468,6 +1498,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * strict, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary