From 505c20ae2b6b2f580cb21de75428f460bdf6ea6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 2 Nov 2020 13:08:18 +0100 Subject: [PATCH 01/44] Update Golang to 1.15.4 --- .go-version | 2 +- auditbeat/Dockerfile | 2 +- filebeat/Dockerfile | 2 +- go.mod | 2 +- heartbeat/Dockerfile | 2 +- journalbeat/Dockerfile | 2 +- libbeat/Dockerfile | 2 +- libbeat/common/transport/tlscommon/ca_pinning_test.go | 4 ++-- libbeat/docs/version.asciidoc | 2 +- metricbeat/Dockerfile | 2 +- metricbeat/module/http/_meta/Dockerfile | 2 +- packetbeat/Dockerfile | 2 +- winlogbeat/eventlog/bench_test.go | 2 +- .../dockerlogbeat/pipelinemanager/clientLogReader_test.go | 3 ++- x-pack/elastic-agent/pkg/agent/operation/common_test.go | 4 ++-- x-pack/elastic-agent/pkg/core/authority/ca.go | 6 +++--- .../filebeat/input/netflow/decoder/template/test_helpers.go | 5 +++-- x-pack/functionbeat/Dockerfile | 2 +- x-pack/libbeat/Dockerfile | 2 +- 19 files changed, 26 insertions(+), 24 deletions(-) diff --git a/.go-version b/.go-version index 4ed70fac17d..e34208c9371 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.14.12 +1.15.4 diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index c6d4c0c0735..2eb9072476c 100644 --- a/auditbeat/Dockerfile +++ b/auditbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.4 RUN \ apt-get update \ diff --git a/filebeat/Dockerfile b/filebeat/Dockerfile index d9707991a5f..f6b3acb2e63 100644 --- a/filebeat/Dockerfile +++ b/filebeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.4 RUN \ apt-get update \ diff --git a/go.mod b/go.mod index 1b611711840..b0c1c974fc1 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/beats/v7 -go 1.14 +go 1.15 require ( 4d63.com/tz v1.1.1-0.20191124060701-6d37baae851b diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile index f0155d34274..1608770a497 100644 --- a/heartbeat/Dockerfile +++ b/heartbeat/Dockerfile 
@@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.4 RUN \ apt-get update \ diff --git a/journalbeat/Dockerfile b/journalbeat/Dockerfile index 6df4d47d885..3db3d6ab363 100644 --- a/journalbeat/Dockerfile +++ b/journalbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.4 RUN \ apt-get update \ diff --git a/libbeat/Dockerfile b/libbeat/Dockerfile index b7dde2b92cf..7db75f37718 100644 --- a/libbeat/Dockerfile +++ b/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.4 RUN \ apt-get update \ diff --git a/libbeat/common/transport/tlscommon/ca_pinning_test.go b/libbeat/common/transport/tlscommon/ca_pinning_test.go index c188a20e63a..e522ea6fdb8 100644 --- a/libbeat/common/transport/tlscommon/ca_pinning_test.go +++ b/libbeat/common/transport/tlscommon/ca_pinning_test.go @@ -300,8 +300,8 @@ func TestCAPinning(t *testing.T) { func genCA() (tls.Certificate, error) { ca := &x509.Certificate{ SerialNumber: serial(), + DNSNames: []string{"localhost"}, Subject: pkix.Name{ - CommonName: "localhost", Organization: []string{"TESTING"}, Country: []string{"CANADA"}, Province: []string{"QUEBEC"}, @@ -344,8 +344,8 @@ func genSignedCert(ca tls.Certificate, keyUsage x509.KeyUsage, isCA bool) (tls.C // Create another Cert/key cert := &x509.Certificate{ SerialNumber: big.NewInt(2000), + DNSNames: []string{"localhost"}, Subject: pkix.Name{ - CommonName: "localhost", Organization: []string{"TESTING"}, Country: []string{"CANADA"}, Province: []string{"QUEBEC"}, diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index 906aa673a14..d9fdf77f7ec 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc @@ -1,6 +1,6 @@ :stack-version: 8.0.0 :doc-branch: master -:go-version: 1.14.12 +:go-version: 1.15.4 :release-state: unreleased :python: 3.7 :docker: 1.12 diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile index 324f98c8d6d..7ea75bd0353 100644 --- a/metricbeat/Dockerfile +++ b/metricbeat/Dockerfile 
@@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.4 RUN \ apt update \ diff --git a/metricbeat/module/http/_meta/Dockerfile b/metricbeat/module/http/_meta/Dockerfile index 132ad0271df..aad40f22391 100644 --- a/metricbeat/module/http/_meta/Dockerfile +++ b/metricbeat/module/http/_meta/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.7 +FROM golang:1.15.3 COPY test/main.go main.go diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile index 2b0faecc26f..29d0b8e78d1 100644 --- a/packetbeat/Dockerfile +++ b/packetbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.4 RUN \ apt-get update \ diff --git a/winlogbeat/eventlog/bench_test.go b/winlogbeat/eventlog/bench_test.go index df3417eb611..ffecb69672f 100644 --- a/winlogbeat/eventlog/bench_test.go +++ b/winlogbeat/eventlog/bench_test.go @@ -37,7 +37,7 @@ const gigabyte = 1 << 30 var ( benchTest = flag.Bool("benchtest", false, "Run benchmarks for the eventlog package.") - injectAmount = flag.Int("inject", 1E6, "Number of events to inject before running benchmarks.") + injectAmount = flag.Int("inject", 1e6, "Number of events to inject before running benchmarks.") ) // TestBenchmarkRead benchmarks each event log reader implementation with diff --git a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go index fbb790479c7..4158ba554ef 100644 --- a/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go +++ b/x-pack/dockerlogbeat/pipelinemanager/clientLogReader_test.go @@ -7,6 +7,7 @@ package pipelinemanager import ( "os" "path/filepath" + "strconv" "sync" "testing" "time" 
@@ -84,7 +85,7 @@ func createNewClient(t *testing.T, logString string, mockConnector *pipelinemock
 info := logger.Info{
 ContainerID: "b87d3b0379f816a5f2f7070f28cc05e2f564a3fb549a67c64ec30fc5b04142ed",
- LogPath: filepath.Join("/tmp/dockerbeattest/", string(time.Now().Unix())),
+ LogPath: filepath.Join("/tmp/dockerbeattest/", strconv.FormatInt(time.Now().Unix(), 10)),
 }
 err = os.MkdirAll(filepath.Dir(info.LogPath), 0755)
diff --git a/x-pack/elastic-agent/pkg/agent/operation/common_test.go b/x-pack/elastic-agent/pkg/agent/operation/common_test.go
index 43cab2fd3b4..2ec6b531456 100644
--- a/x-pack/elastic-agent/pkg/agent/operation/common_test.go
+++ b/x-pack/elastic-agent/pkg/agent/operation/common_test.go
@@ -76,7 +76,7 @@ func getTestOperator(t *testing.T, downloadPath string, installPath string, p *a
 }
 operator.config.DownloadConfig.OperatingSystem = "darwin"
- operator.config.DownloadConfig.Architecture = "32"
+ operator.config.DownloadConfig.Architecture = "64"
 // make the download path so the `operation_verify` can ensure the path exists
 downloadConfig := operator.config.DownloadConfig
@@ -101,7 +101,7 @@ func getProgram(binary, version string) *app.Descriptor {
 downloadCfg := &artifact.Config{
 InstallPath: installPath,
 OperatingSystem: "darwin",
- Architecture: "32",
+ Architecture: "64",
 }
 return app.NewDescriptor(spec, version, downloadCfg, nil)
 }
diff --git a/x-pack/elastic-agent/pkg/core/authority/ca.go b/x-pack/elastic-agent/pkg/core/authority/ca.go
index 2ddeae70410..f558e8a9eb3 100644
--- a/x-pack/elastic-agent/pkg/core/authority/ca.go
+++ b/x-pack/elastic-agent/pkg/core/authority/ca.go
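Review bot: `LogPath` still points at the fixed, shared location `/tmp/dockerbeattest/<unix seconds>`, created with mode 0755 by the `os.MkdirAll` two lines below, so two test runs started in the same second collide on one file and the directory is shared with every other user on the host. go.mod now requires Go 1.15 (first commit of this series), which added `testing.T.TempDir`, so the line can become `LogPath: filepath.Join(t.TempDir(), strconv.FormatInt(time.Now().Unix(), 10)),` with `t` already in scope per the hunk header; the `MkdirAll` then becomes a harmless no-op. createNewClient starts before and continues after this hunk.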
@@ -38,10 +38,10 @@ type Pair struct {
 // NewCA creates a new certificate authority capable of generating child certificates
 func NewCA() (*CertificateAuthority, error) {
 ca := &x509.Certificate{
+ DNSNames: []string{"localhost"},
 SerialNumber: big.NewInt(1653),
 Subject: pkix.Name{
 Organization: []string{"elastic-fleet"},
- CommonName: "localhost",
 },
 NotBefore: time.Now(),
 NotAfter: time.Now().AddDate(10, 0, 0),
@@ -101,13 +101,13 @@ func (c *CertificateAuthority) GeneratePair() (*Pair, error) {
 }
 // GeneratePairWithName generates child certificate with provided name as the common name.
-func (c *CertificateAuthority) GeneratePairWithName(commonName string) (*Pair, error) {
+func (c *CertificateAuthority) GeneratePairWithName(name string) (*Pair, error) {
 // Prepare certificate
 certTemplate := &x509.Certificate{
 SerialNumber: big.NewInt(1658),
+ DNSNames: []string{name},
 Subject: pkix.Name{
 Organization: []string{"elastic-fleet"},
- CommonName: commonName,
 },
 NotBefore: time.Now(),
 NotAfter: time.Now().AddDate(10, 0, 0),
diff --git a/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go b/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go
index 9045108c449..0fba76aaab6 100644
--- a/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go
+++ b/x-pack/filebeat/input/netflow/decoder/template/test_helpers.go
@@ -6,6 +6,7 @@ package template
 import (
 "fmt"
+ "strconv"
 "sync"
 "testing"
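Review bot: GeneratePairWithName now places `name` in `DNSNames`, but the doc comment directly above the signature still says the name is used "as the common name", and an IP literal passed here becomes a DNS SAN, which a verifier connecting to that IP will not match (Go matches IP targets against `IPAddresses`, not `DNSNames`). Suggest `// GeneratePairWithName generates a child certificate whose Subject Alternative Name is the provided DNS name.` and, if any caller can pass an address, choosing `IPAddresses` or `DNSNames` based on `net.ParseIP(name)`. In NewCA the same move gives the CA certificate itself a `localhost` DNS SAN, which a signing CA does not need; harmless if it is never presented as a server certificate, but worth confirming. Both functions continue past their hunks.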
@@ -61,8 +62,8 @@ func ValidateTemplate(t testing.TB, template *Template) bool { func AssertFieldsEquals(t testing.TB, expected []FieldTemplate, actual []FieldTemplate) (succeeded bool) { if succeeded = assert.Len(t, actual, len(expected)); succeeded { for idx := range expected { - succeeded = assert.Equal(t, expected[idx].Length, actual[idx].Length, string(idx)) && succeeded - succeeded = assert.Equal(t, expected[idx].Info, actual[idx].Info, string(idx)) && succeeded + succeeded = assert.Equal(t, expected[idx].Length, actual[idx].Length, strconv.Itoa(idx)) && succeeded + succeeded = assert.Equal(t, expected[idx].Info, actual[idx].Info, strconv.Itoa(idx)) && succeeded } } return diff --git a/x-pack/functionbeat/Dockerfile b/x-pack/functionbeat/Dockerfile index 907a989eb4d..e5a097a237d 100644 --- a/x-pack/functionbeat/Dockerfile +++ b/x-pack/functionbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.4 RUN \ apt-get update \ diff --git a/x-pack/libbeat/Dockerfile b/x-pack/libbeat/Dockerfile index 06ca7a1ffad..f38c8f45447 100644 --- a/x-pack/libbeat/Dockerfile +++ b/x-pack/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.14.12 +FROM golang:1.15.4 RUN \ apt-get update \ From ddde79723f680579c6b6553ce76b528264429529 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 9 Nov 2020 15:37:20 +0100 Subject: [PATCH 02/44] add changelog entry --- CHANGELOG-developer.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index 4d40f0c99b3..898ca4df186 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc 
@@ -106,3 +106,4 @@ The list below covers the major changes between 7.0.0-rc2 and master only. - Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827] - Update ecszap to v0.3.0 for using ECS 1.6.0 in logs {pull}22267[22267] - Add support for customized monitoring API. {pull}22605[22605] +- Update Go version to 1.15.4. {pull}22495[22495] From ddf4bd125fc84ed3eb6f58f43f9e26a732ff1345 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 10 Nov 2020 10:03:42 +0100 Subject: [PATCH 03/44] add new new cert --- .../environments/docker/logstash/gencerts.sh | 2 +- .../logstash/pki/tls/certs/logstash.crt | 32 ++++++------ .../logstash/pki/tls/private/logstash.key | 52 +++++++++---------- testing/environments/docker/logstash/ssl.conf | 18 +++++++ 4 files changed, 61 insertions(+), 43 deletions(-) create mode 100644 testing/environments/docker/logstash/ssl.conf diff --git a/testing/environments/docker/logstash/gencerts.sh b/testing/environments/docker/logstash/gencerts.sh index a04742a7672..fa53523e979 100755 --- a/testing/environments/docker/logstash/gencerts.sh +++ b/testing/environments/docker/logstash/gencerts.sh @@ -2,4 +2,4 @@ mkdir -p pki/tls/certs mkdir -p pki/tls/private -openssl req -subj '/CN=logstash/' -x509 -days $((100 * 365)) -batch -nodes -newkey rsa:2048 -keyout pki/tls/private/logstash.key -out pki/tls/certs/logstash.crt +openssl req -subj '/CN=logstash/' -x509 -days $((100 * 365)) -batch -nodes -newkey rsa:2048 -keyout pki/tls/private/logstash.key -out pki/tls/certs/logstash.crt -config ssl.conf diff --git a/testing/environments/docker/logstash/pki/tls/certs/logstash.crt b/testing/environments/docker/logstash/pki/tls/certs/logstash.crt index 1b18ba84a20..08d2903c7d7 100644 --- a/testing/environments/docker/logstash/pki/tls/certs/logstash.crt +++ b/testing/environments/docker/logstash/pki/tls/certs/logstash.crt 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC+zCCAeOgAwIBAgIJALOvd7vXvRrFMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV -BAMMCGxvZ3N0YXNoMCAXDTE2MDgyNjEyMzMyNFoYDzIxMTYwODAyMTIzMzI0WjAT -MREwDwYDVQQDDAhsb2dzdGFzaDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBAKw5gLdWfqG9eraHrAAfSn2NbemYq32YZgbwJGaM9SlY3DDHB1MgBKBjpzPW -FavMO4xaDcfFhZbBJXwCVjPJe3ORQeoHgm3hG2er6JtCXlt3vto8FVbs9H4jd3+U -gH4cNdomgtYh3lBobZFKOa/+mZvjQxsK71KM2Gwk4b5gnV9iLaXzAGRWmY1dlHkE -Gki4WGNg0FlGf7aDJXZK2Yyq8MmiMfUEIZ2sDRjO3f/rCLdz3amG4gJtDllekz5l -lUTLccvtTWstJiKIx1zIAUEvTqaqInjMiJkjQtwazlc9w5ofmauxI6bb9L3L1ZJX -rrt+u5mg8Mc/w63+GuS8ZETbAacCAwEAAaNQME4wHQYDVR0OBBYEFA9Ug44w4XmN -r0z225Zt1zjjrKtoMB8GA1UdIwQYMBaAFA9Ug44w4XmNr0z225Zt1zjjrKtoMAwG -A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABwl9KCqg69dv2XNZ95VCdk7 -mAT0LcUbd0FyrzDibNolzx9OlymWYiIxe86KdZsWzgBUcm9Q3Gg+TzAs7UyyfqSp -LR5fgGGIz9PCuuoFBdZCppPL9Y3Dryi91lPXveDUh5zIemOU9Jf6Ni0XVrRsO9C8 -aoY7SLtl1W7du3Nm+ZFH8T0wCcBFaYttmHejyu311ZDyAF0suu6Qu8NAWFrr5QGe -hA8VcImc335VQntT9EcztHhoyt1aW96BxLU9L4kdSZLJ6FVZrGij7IpZNipUQB8p -bPEL9KuQUDHKjoCx2YaNZqmuZ73m6u84TiTxgDYgChSfYASRXyCq90rQrQHVF74= +MIIC+jCCAeKgAwIBAgIUImV3iegTZ0b1zTQna2L4aVKmq1owDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwIbG9nc3Rhc2gwIBcNMjAxMTEwMDkwMDQ4WhgPMjEyMDEw +MTcwOTAwNDhaMBMxETAPBgNVBAMMCGxvZ3N0YXNoMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAxYKH925nceZVxHZZskBaMuUIlI8tLRMY6EeXBvsDzrqi +4+pRFSCJU45wZKhOFi/EigWxk8TqfrHqYbpe9Cbxmngup2xvhgDC2Kmr3R/SKARW +zKCAbwLiDcf0yiJyT98AVOdUXuQ7HHC9m8D3Ohp1knYEmV8dJGtiFE1vW3FtYsUW +p0MOu5WG2iOitaWTIdXmqxwxuK6Jo4I3znReS0PSBwLFXKwWzjEcM9yvXPtubIc6 +1mbbF1Stf0GvGxmOs9u3JCNJXQvTuyJ+O7OrUbnk9vN8nmS/w9GSlM1PqwUNrWIB +X0uHazTU8mSFk3QI8M3kBFfFIN5dL9zIXLGFdJYvfwIDAQABo0QwQjALBgNVHQ8E +BAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHgYDVR0RBBcwFYIIbG9nc3Rhc2iC +CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEATBSnhUXJuf5whNmBE9OdoMJK +tgSaBx/FGq1tJp6jHkI1i4Oii3Wizs6K4tmWEqepu8MB0IVXJUkxGgh70DD3svKV +1En1zNOkUoI/lAwPBMHOl9oq2Z/u4E1dOydzyLQLDBg0fLC1Ui06NfdJRONOovoX 
+g3DD4IR6DODVtlGqRnON24H04OvZ3VWfbumkurp2XMvv8cooKQOLcMZ4dLVEyJxm +AEyC6pxuMsY32p/vtVjKarElqOnNAJ9xxS6IPczMgAXUMaxr5cZFMQSrdju9lVh4 +kpY5UglFiIJ/yHdlD5c4O8tK93qJ0Xgo7I7ujm38S38itrShpclXiAfW1rJ/2w== -----END CERTIFICATE----- diff --git a/testing/environments/docker/logstash/pki/tls/private/logstash.key b/testing/environments/docker/logstash/pki/tls/private/logstash.key index 9d3234d202e..83d14841286 100644 --- a/testing/environments/docker/logstash/pki/tls/private/logstash.key +++ b/testing/environments/docker/logstash/pki/tls/private/logstash.key 
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCsOYC3Vn6hvXq2 -h6wAH0p9jW3pmKt9mGYG8CRmjPUpWNwwxwdTIASgY6cz1hWrzDuMWg3HxYWWwSV8 -AlYzyXtzkUHqB4Jt4Rtnq+ibQl5bd77aPBVW7PR+I3d/lIB+HDXaJoLWId5QaG2R -Sjmv/pmb40MbCu9SjNhsJOG+YJ1fYi2l8wBkVpmNXZR5BBpIuFhjYNBZRn+2gyV2 -StmMqvDJojH1BCGdrA0Yzt3/6wi3c92phuICbQ5ZXpM+ZZVEy3HL7U1rLSYiiMdc -yAFBL06mqiJ4zIiZI0LcGs5XPcOaH5mrsSOm2/S9y9WSV667fruZoPDHP8Ot/hrk -vGRE2wGnAgMBAAECggEAArbxUXJ6koATFBd1XZcgrHPzPJBce6FQUmGsoTUtlBZD -ej1Y3zWM/R40/3srYkbY1XCB8Rkq7uJifd7nju9pE7xBZrfxlVvL+8lY5EGajSSJ -DJWP3Ivlmqticc9cayB0tNiQjWGBSJEs0PJzkFOaBjwBzcZRWWLA8otuR3rsYBl8 -cb7dV3HV4Z50Qto1ABoUWH2DGz7nX9HCr/SR1ayR1hWHCwv2Q4KQ5wJkmTKmaSNZ -I2464JXvufM9XiV9Fjy4RdiCN3sVXQcUIJ1hY+qGXsR0DUc5lOmw9Eu4SbJgdExR -EWoX4BqJuHrjCeKRF6rsDf5ocAS2cxATbQr1mEbW0QKBgQDWmZMO9TtL+pmJNmoP -g+HzgopBnMLxctcjVOEysuWgZyWYz9sFbCj6Udp2Q/9hjoVYRba3IXEHSsA2mdcY -KKcWbjEOYE+xL6oDXiZRkiJ+Poix9dOnTBg+lt2SKjphuNWnLe3jqfQhZxfV40Nf -60Wx6NGC7Dzlf+pAmkOA12BX2QKBgQDNcyTwnShbVrWzNRpzRe7RSHaAq6jSu1Yi -6dY/8bWTInVhPjB3xUGL0ckiMpDMoi0mxtnBmahvK59GPj3jhz+9HZqG6dSS6Fok -eS104GM7pCWyf66Rd9k8xu5IdrMM9Sveu24s21jgOJDtZtAplP1hsDMxxuaAEDVv -c0RwoKu1fwKBgDL0SheuIMM8oIIU+n/ul5LjNwK3Pw5nby/DcqlAEwfQFfw/tkiG -UwCEuPOF17iJR54bB3RaK2VI2XTdeFYTKQFJbrp0Idf3ck3UaBLMOQZywLBIp1W8 -2rDZz4hqIGydn5VPcYGyE/ZubRlrGc9HpMfGeSC2CQuRIMTwHAEWopiZAoGAZpKm -Trsn+vI/pUlN+19e7H4RLAyILS36w1Ob9DDpRpxdnj8+U43YO8ZxdPFp+cC+ai29 -ajsdLOPKkXdhzscnu3OcQt9bkj0PREZ7u26MHKrHZ2b38Qi1HPL05JjerAl77agG -Sb75kHitYtmB9EC+gJdH+AIl8qolA4+5C8Ir+GECgYBJgkoapPrGgSzCWHH6WpVZ -wrpZJ/rj6685J9K/ji3nHXj7gS4MzEzrtVK2K3aFjIjQe/zXJDI+dxrSCNfYFuQD -YJh+siGPF7Gosyht3ec0vUg7gY7Do1FzwL2H/OxvnaNEO+PPidXGOu/wHV5fMZJ1 -O2aLO5ZIygL6YcVr+vdm1A== +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFgof3bmdx5lXE +dlmyQFoy5QiUjy0tExjoR5cG+wPOuqLj6lEVIIlTjnBkqE4WL8SKBbGTxOp+seph +ul70JvGaeC6nbG+GAMLYqavdH9IoBFbMoIBvAuINx/TKInJP3wBU51Re5DsccL2b +wPc6GnWSdgSZXx0ka2IUTW9bcW1ixRanQw67lYbaI6K1pZMh1earHDG4romjgjfO 
+dF5LQ9IHAsVcrBbOMRwz3K9c+25shzrWZtsXVK1/Qa8bGY6z27ckI0ldC9O7In47 +s6tRueT283yeZL/D0ZKUzU+rBQ2tYgFfS4drNNTyZIWTdAjwzeQEV8Ug3l0v3Mhc +sYV0li9/AgMBAAECggEAXnrge7YuecfLQ12x7pjmDO6OujH7VFKMWaDVWBt/aMbS +4N/XxZl416WNkjkIkYhsJfIvThambdDB49n5TiXK8S+IccJnXtzCWE5hzjdImqfo +tZ4ZkgD5DcqXCJKNyDNOv06hh3r549LygK1AFmVN1K/r50oecKuFkVyxZjbOMq5o +pKuNOiYWYki1FXd0kVd2yLy4ZKejrgMqwKk06xpeY4o9UfWSeMHaG+rlYsxxO/Fe +3o1FueAFNdJv553xzzmjCDI6YVq43izoF11/Q6K0HHvqwPkpNEFo9ChzPuLmvwOd +3Pyif53aVyOWg01sIp7NXzrUMrBoku3QcDtvGvrm8QKBgQD5vyP6LqbaXZ33DX2N +NpxgEpp2H44KCSfuxc1+mu4IpwOKIdX2bqjkcfGqbU5uBammdwYB78ro++YP0qR/ +6MTVyJwbMxlutOHJY/FLDnh+KZdPSBmJmce62khU/+eCATwQJeHCiktK9GxLisq6 +nBlkWLfkLVtGMduq1JwO4lWf4wKBgQDKdI5yfj1GKkAR4DPUp+OBZo1RsSJj5A0H +qMS/eudKTGj9Gi6Xiw200+x6fpzRCWCzUmS3c+QfTXMgNJEBjhhIYSb3IRo1p7Gf +M3chbN53SZyYf6msQ4b7oRiGZFDtoYNm0v4lqIxuoNi98CGxGtmz1W6gejpFyb1Y +A+EkRbSMtQKBgQDb7WZROiPUx/wDQu39HMo4ECnVO5RpYga4TZfYlbZoCCslyQYS +LQCtq2mVGwyl9nafENFJg1C8Opct9+DEgsZTPIW7rhQHWWI7Zrdl0ShqcVW9i1Bx +y+oGsZJgx7mm0k+CKNnV5tLG/tce7un3yt7Rbw8A8LAf8Gfw16lVshqU4QKBgHzZ +WgrzHJhLb81WRMBMdHkVI+sP4FRXi02A3yvx//YKnugOoFLl9qLf2cJEmDI0pUSQ +d/nF5xUCrw9aO14JIaJo/x2BdWdHLbsugrXDLIHFjGNivuCzl+dPFg+yh1Gzu5PK +Y94XTdrfKCohjrVoCH7lDN674XmuCizf35R9w/TNAoGBAKqaP7TTSafEs9ugsAgt +u3RXBbd9OA8u9tLKEBys/f9XoDPYWZ5Ar8a0LjpubcC5V14S7KwBYdiTN0ynaPGK +NI89jze9Y4ByiBWIalXjR6CWh3VlBiUGYONUjxOHaoMGrbYxYACNvJYtqjlQS1yN +LJN6nFfCs4U6TgQ4XBCdVAFO -----END PRIVATE KEY----- diff --git a/testing/environments/docker/logstash/ssl.conf b/testing/environments/docker/logstash/ssl.conf new file mode 100644 index 00000000000..13fbe0dd2bf --- /dev/null +++ b/testing/environments/docker/logstash/ssl.conf 
@@ -0,0 +1,18 @@ +[req] +distinguished_name = req_distinguished_name +x509_extensions = v3_req +prompt = no +[req_distinguished_name] +C = US +ST = VA +L = SomeCity +O = Elastic +OU = Observability +CN = elastic.co +[v3_req] +keyUsage = keyEncipherment, dataEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +[alt_names] +DNS.1 = logstash +DNS.2 = localhost From 7c8f1b10f8979fa10deb14f5a589586c080e93d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Thu, 3 Dec 2020 11:38:48 +0100 Subject: [PATCH 04/44] update to go 1.15.5 --- .go-version | 2 +- auditbeat/Dockerfile | 2 +- filebeat/Dockerfile | 2 +- heartbeat/Dockerfile | 2 +- journalbeat/Dockerfile | 2 +- libbeat/Dockerfile | 2 +- libbeat/docs/version.asciidoc | 2 +- metricbeat/Dockerfile | 2 +- packetbeat/Dockerfile | 2 +- x-pack/functionbeat/Dockerfile | 2 +- x-pack/libbeat/Dockerfile | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.go-version b/.go-version index e34208c9371..d32434904bc 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.15.4 +1.15.5 diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index 2eb9072476c..2ab7deed4b4 100644 --- a/auditbeat/Dockerfile +++ b/auditbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.4 +FROM golang:1.15.5 RUN \ apt-get update \ diff --git a/filebeat/Dockerfile b/filebeat/Dockerfile index f6b3acb2e63..256842c89cd 100644 --- a/filebeat/Dockerfile +++ b/filebeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.4 +FROM golang:1.15.5 RUN \ apt-get update \ diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile index 1608770a497..76fa8260481 100644 --- a/heartbeat/Dockerfile +++ b/heartbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.4 +FROM golang:1.15.5 RUN \ apt-get update \ diff --git a/journalbeat/Dockerfile b/journalbeat/Dockerfile index 3db3d6ab363..f42387d41e9 100644 --- a/journalbeat/Dockerfile +++ b/journalbeat/Dockerfile 
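Review bot: The `[v3_req]` section sets `keyUsage = keyEncipherment, dataEncipherment`, which omits `digitalSignature`; a TLS server signs the key exchange under every (EC)DHE suite and under TLS 1.3, so a stack that honours the key-usage bits can refuse this certificate for those suites, and `dataEncipherment` plays no role in TLS. The conventional line for a server certificate is `keyUsage = digitalSignature, keyEncipherment`; whether the Logstash side enforces the bit I cannot tell from here, but a conformant fixture costs nothing. Separately, gencerts.sh in this commit still passes `-subj '/CN=logstash/'`, which overrides the whole `[req_distinguished_name]` section, so `CN = elastic.co` and the other DN fields never reach the certificate (the committed logstash.crt encodes CN=logstash); dropping either the `-subj` or the DN section removes the confusion.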
@@ -1,4 +1,4 @@ -FROM golang:1.15.4 +FROM golang:1.15.5 RUN \ apt-get update \ diff --git a/libbeat/Dockerfile b/libbeat/Dockerfile index 7db75f37718..f5a2efa94de 100644 --- a/libbeat/Dockerfile +++ b/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.4 +FROM golang:1.15.5 RUN \ apt-get update \ diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index d9fdf77f7ec..b4f94a572fe 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc @@ -1,6 +1,6 @@ :stack-version: 8.0.0 :doc-branch: master -:go-version: 1.15.4 +:go-version: 1.15.5 :release-state: unreleased :python: 3.7 :docker: 1.12 diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile index 7ea75bd0353..2f2fd5d30f6 100644 --- a/metricbeat/Dockerfile +++ b/metricbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.4 +FROM golang:1.15.5 RUN \ apt update \ diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile index 29d0b8e78d1..031ffc6b3e1 100644 --- a/packetbeat/Dockerfile +++ b/packetbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.4 +FROM golang:1.15.5 RUN \ apt-get update \ diff --git a/x-pack/functionbeat/Dockerfile b/x-pack/functionbeat/Dockerfile index e5a097a237d..4c510ea7763 100644 --- a/x-pack/functionbeat/Dockerfile +++ b/x-pack/functionbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.4 +FROM golang:1.15.5 RUN \ apt-get update \ diff --git a/x-pack/libbeat/Dockerfile b/x-pack/libbeat/Dockerfile index f38c8f45447..8f1595925ac 100644 --- a/x-pack/libbeat/Dockerfile +++ b/x-pack/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.4 +FROM golang:1.15.5 RUN \ apt-get update \ From be861401918f2737c29c219c6f138de273b8d4b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Thu, 3 Dec 2020 12:05:16 +0100 Subject: [PATCH 05/44] turn off deprecating CNs --- Jenkinsfile | 1 + dev-tools/mage/crossbuild.go | 1 + dev-tools/mage/integtest.go | 1 + libbeat/scripts/Makefile | 2 ++ 4 files changed, 5 insertions(+) 
diff --git a/Jenkinsfile b/Jenkinsfile
index 072f2c3176a..3894db8e429 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -58,6 +58,7 @@ pipeline {
 setEnvVar('GO_MOD_CHANGES', isGitRegionMatch(patterns: [ '^go.mod' ], shouldMatchAll: false).toString())
 setEnvVar('PACKAGING_CHANGES', isGitRegionMatch(patterns: [ '^dev-tools/packaging/.*' ], shouldMatchAll: false).toString())
 setEnvVar('GO_VERSION', readFile(".go-version").trim())
+ setEnvVar('GODEBUG', "x509ignoreCN=0")
 withEnv(["HOME=${env.WORKSPACE}"]) {
 retryWithSleep(retries: 2, seconds: 5){ sh(label: "Install Go ${env.GO_VERSION}", script: '.ci/scripts/install-go.sh') }
 }
diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go
index 4340c7fdb4e..f98d54f0fec 100644
--- a/dev-tools/mage/crossbuild.go
+++ b/dev-tools/mage/crossbuild.go
@@ -264,6 +264,7 @@ func (b GolangCrossBuilder) Build() error {
 args = append(args,
 "--rm",
 "--env", "GOFLAGS=-mod=readonly",
+ "--env", "GODEBUG=x509ignoreCN=0",
 "--env", "MAGEFILE_VERBOSE="+verbose,
 "--env", "MAGEFILE_TIMEOUT="+EnvOr("MAGEFILE_TIMEOUT", ""),
 "--env", fmt.Sprintf("SNAPSHOT=%v", Snapshot),
diff --git a/dev-tools/mage/integtest.go b/dev-tools/mage/integtest.go
index 16321fa9032..e984cbef9a9 100644
--- a/dev-tools/mage/integtest.go
+++ b/dev-tools/mage/integtest.go
@@ -237,6 +237,7 @@ func initRunner(tester IntegrationTester, dir string, passInEnv map[string]strin
 env := map[string]string{
 insideIntegrationTestEnvVar: "true",
 "GOFLAGS": "-mod=readonly",
+ "GODEBUG": "x509ignoreCN=0",
 }
 for name, value := range passInEnv {
 env[name] = value
diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile
index 3bdf4774158..701556a5a49 100755
--- a/libbeat/scripts/Makefile
+++ b/libbeat/scripts/Makefile
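Review bot: `setEnvVar('GODEBUG', "x509ignoreCN=0")` in the Jenkinsfile, the `--env` entry in crossbuild.go, the `"GODEBUG"` map entry in integtest.go and the two `-e GODEBUG=` lines in the Makefile hunks that follow all restore the CommonName fallback that Go 1.15 turned off, so CI and the integration runners no longer exercise the verification behaviour a user gets from a binary started without that variable; a fixture that would fail for users still passes here. `x509ignoreCN=0` is a transitional knob that Go 1.17 removes, so each site needs a removal marker such as `// TODO: drop once test fixtures carry SANs; x509ignoreCN is a temporary Go 1.15 opt-out` (`#` in the Jenkinsfile and Makefile) and ideally one job that runs without it. The Jenkinsfile value appears to be set at pipeline scope and so is inherited by every later step, not only the Go install; worth confirming that is intended.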
@@ -231,6 +231,7 @@ integration-tests-environment: prepare-tests build-image
 -e TEST_ENVIRONMENT=${TEST_ENVIRONMENT} \
 -e BEATS_INSIDE_INTEGRATION_TEST_ENV=${BEATS_INSIDE_INTEGRATION_TEST_ENV} \
 -e GOFLAGS=${INSTALL_FLAG} \
+ -e GODEBUG=x509ignoreCN=0 \
 beat make integration-tests
 # Runs the system tests
@@ -250,6 +251,7 @@ system-tests-environment: prepare-tests build-image
 -e DOCKER_COMPOSE_PROJECT_NAME=${DOCKER_COMPOSE_PROJECT_NAME} \
 -e PYTHON_EXE=${PYTHON_EXE} \
 -e GOFLAGS=${INSTALL_FLAG} \
+ -e GODEBUG=x509ignoreCN=0 \
 beat make system-tests
 .PHONY: fast-system-tests
From a807ca6456823d5b7a8700f606657342113a7ce4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?=
Date: Thu, 3 Dec 2020 14:05:19 +0100
Subject: [PATCH 06/44] add warning if tls is configured
---
 libbeat/common/transport/tlscommon/config.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/libbeat/common/transport/tlscommon/config.go b/libbeat/common/transport/tlscommon/config.go
index 8d7650eb5bf..30009c2b13b 100644
--- a/libbeat/common/transport/tlscommon/config.go
+++ b/libbeat/common/transport/tlscommon/config.go
@@ -21,6 +21,8 @@ import (
 "crypto/tls"
 "github.com/joeshaw/multierror"
+
+ "github.com/elastic/beats/v7/libbeat/common/cfgwarn"
 )
 // Config defines the user configurable options in the yaml file.
@@ -96,6 +98,8 @@ func LoadTLSConfig(config *Config) (*TLSConfig, error) {
 // Validate values the TLSConfig struct making sure certificate sure we have both a certificate and
 // a key.
 func (c *Config) Validate() error {
+ cfgwarn.Deprecate("8.0.0", "Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed.")
+
 return c.Certificate.Validate()
 }
From e96ea8fa47906aa666fa4b759a13d898e34598ee Mon Sep 17 00:00:00 2001
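Review bot: `Validate` in config.go now emits the deprecation warning on every call, whether or not anything in the configuration depends on a CommonName-only certificate, so users whose certificates already carry SANs are told to "update your certificates" too, and a configuration validated more than once repeats the message. The condition that actually matters, a leaf with neither `DNSNames` nor `IPAddresses`, can only be tested where a certificate is parsed (the configured `c.Certificate` after loading, or the peer chain in a verification callback), so either move the warning there behind `if len(leaf.DNSNames) == 0 && len(leaf.IPAddresses) == 0 {` (`leaf` being the parsed `*x509.Certificate` at that site), or keep the blanket notice and record the gap with `// TODO: warn only for certificates without SANs once a parsed leaf is available here`. Either way the doc comment two lines above should say that Validate logs, since it is otherwise a pure check.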
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Thu, 7 Jan 2021 15:36:16 +0100 Subject: [PATCH 07/44] update again --- .go-version | 2 +- auditbeat/Dockerfile | 2 +- filebeat/Dockerfile | 2 +- heartbeat/Dockerfile | 2 +- journalbeat/Dockerfile | 2 +- libbeat/Dockerfile | 2 +- libbeat/docs/version.asciidoc | 2 +- metricbeat/Dockerfile | 2 +- packetbeat/Dockerfile | 2 +- x-pack/functionbeat/Dockerfile | 2 +- x-pack/libbeat/Dockerfile | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.go-version b/.go-version index d32434904bc..04cc99945d2 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.15.5 +1.15.6 diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index 2ab7deed4b4..1673f0f71c3 100644 --- a/auditbeat/Dockerfile +++ b/auditbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.5 +FROM golang:1.15.6 RUN \ apt-get update \ diff --git a/filebeat/Dockerfile b/filebeat/Dockerfile index 256842c89cd..0ae63494d68 100644 --- a/filebeat/Dockerfile +++ b/filebeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.5 +FROM golang:1.15.6 RUN \ apt-get update \ diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile index 76fa8260481..91f0e85e869 100644 --- a/heartbeat/Dockerfile +++ b/heartbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.5 +FROM golang:1.15.6 RUN \ apt-get update \ diff --git a/journalbeat/Dockerfile b/journalbeat/Dockerfile index f42387d41e9..0f3e74033cb 100644 --- a/journalbeat/Dockerfile +++ b/journalbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.5 +FROM golang:1.15.6 RUN \ apt-get update \ diff --git a/libbeat/Dockerfile b/libbeat/Dockerfile index f5a2efa94de..5273d22b8df 100644 --- a/libbeat/Dockerfile +++ b/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.5 +FROM golang:1.15.6 RUN \ apt-get update \ diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index b4f94a572fe..7ec90e4d54e 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc 
@@ -1,6 +1,6 @@ :stack-version: 8.0.0 :doc-branch: master -:go-version: 1.15.5 +:go-version: 1.15.6 :release-state: unreleased :python: 3.7 :docker: 1.12 diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile index 2f2fd5d30f6..c11fa3da2e2 100644 --- a/metricbeat/Dockerfile +++ b/metricbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.5 +FROM golang:1.15.6 RUN \ apt update \ diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile index 031ffc6b3e1..d276dedc41c 100644 --- a/packetbeat/Dockerfile +++ b/packetbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.5 +FROM golang:1.15.6 RUN \ apt-get update \ diff --git a/x-pack/functionbeat/Dockerfile b/x-pack/functionbeat/Dockerfile index 4c510ea7763..af331286546 100644 --- a/x-pack/functionbeat/Dockerfile +++ b/x-pack/functionbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.5 +FROM golang:1.15.6 RUN \ apt-get update \ diff --git a/x-pack/libbeat/Dockerfile b/x-pack/libbeat/Dockerfile index 8f1595925ac..e3b9092dcc6 100644 --- a/x-pack/libbeat/Dockerfile +++ b/x-pack/libbeat/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.5 +FROM golang:1.15.6 RUN \ apt-get update \ From 837f609f72ac04d9c02abe9f7a19da9c9590655f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Wed, 13 Jan 2021 08:37:05 +0100 Subject: [PATCH 08/44] adjust winlogbeat tests --- winlogbeat/tests/system/test_config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/winlogbeat/tests/system/test_config.py b/winlogbeat/tests/system/test_config.py index 18df0594fca..065de09fc53 100644 --- a/winlogbeat/tests/system/test_config.py +++ b/winlogbeat/tests/system/test_config.py @@ -36,7 +36,7 @@ def test_invalid_ignore_older(self): ) self.run_config_tst(exit_code=1) assert self.log_contains( - "unknown unit hour in duration 1 hour " + "unknown unit \" hour\" in duration \"1 hour\" " "accessing 'winlogbeat.event_logs.0.ignore_older'") def test_invalid_level(self): 
From e5e2c2f69fb4f9ba355a1e5443b5c95d6baad8e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Wed, 13 Jan 2021 10:30:02 +0100 Subject: [PATCH 09/44] update changelog entry --- CHANGELOG-developer.next.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index 898ca4df186..9c64fac3e52 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc @@ -106,4 +106,4 @@ The list below covers the major changes between 7.0.0-rc2 and master only. - Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827] - Update ecszap to v0.3.0 for using ECS 1.6.0 in logs {pull}22267[22267] - Add support for customized monitoring API. {pull}22605[22605] -- Update Go version to 1.15.4. {pull}22495[22495] +- Update Go version to 1.15.6. {pull}22495[22495] From 97137e41551d250725f5d272b82b7e07d51a3179 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Wed, 13 Jan 2021 14:33:00 +0100 Subject: [PATCH 10/44] add missing GODEBUG adjustments --- dev-tools/packaging/templates/deb/elastic-agent.init.sh.tmpl | 2 +- dev-tools/packaging/templates/deb/init.sh.tmpl | 2 +- .../packaging/templates/docker/Dockerfile.elastic-agent.tmpl | 2 +- dev-tools/packaging/templates/docker/Dockerfile.tmpl | 2 +- dev-tools/packaging/templates/linux/beatname.sh.tmpl | 2 +- dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl | 2 +- dev-tools/packaging/templates/linux/systemd.unit.tmpl | 2 +- dev-tools/packaging/templates/rpm/elastic-agent.init.sh.tmpl | 2 +- dev-tools/packaging/templates/rpm/init.sh.tmpl | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/dev-tools/packaging/templates/deb/elastic-agent.init.sh.tmpl b/dev-tools/packaging/templates/deb/elastic-agent.init.sh.tmpl index 4ee5f6c2e5a..17615d5e1aa 100644 
--- a/dev-tools/packaging/templates/deb/elastic-agent.init.sh.tmpl
+++ b/dev-tools/packaging/templates/deb/elastic-agent.init.sh.tmpl
@@ -31,7 +31,7 @@ SCRIPTNAME=/etc/init.d/{{.ServiceName}}
 # Read configuration variable file if it is present
 [ -r /etc/default/{{.ServiceName}} ] && . /etc/default/{{.ServiceName}}
-DEFAULT_GODEBUG="madvdontneed=1"
+DEFAULT_GODEBUG="madvdontneed=1,x509ignoreCN=0"
 export GODEBUG=${GODEBUG-$DEFAULT_GODEBUG}
 [ "$BEAT_USER" != "root" ] && WRAPPER_ARGS="$WRAPPER_ARGS -u $BEAT_USER"
diff --git a/dev-tools/packaging/templates/deb/init.sh.tmpl b/dev-tools/packaging/templates/deb/init.sh.tmpl
index 90d026dd0ba..71844d7793e 100644
--- a/dev-tools/packaging/templates/deb/init.sh.tmpl
+++ b/dev-tools/packaging/templates/deb/init.sh.tmpl
@@ -32,7 +32,7 @@ SCRIPTNAME=/etc/init.d/{{.ServiceName}}
 # Read configuration variable file if it is present
 [ -r /etc/default/{{.ServiceName}} ] && . /etc/default/{{.ServiceName}}
-DEFAULT_GODEBUG="madvdontneed=1"
+DEFAULT_GODEBUG="madvdontneed=1,x509ignoreCN=0"
 export GODEBUG=${GODEBUG-$DEFAULT_GODEBUG}
 [ "$BEAT_USER" != "root" ] && WRAPPER_ARGS="$WRAPPER_ARGS -u $BEAT_USER"
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
index 419cd10923e..4bed514c00c 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
+++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl
@@ -65,7 +65,7 @@ LABEL \
 ENV ELASTIC_CONTAINER "true"
 ENV PATH={{ $beatHome }}:$PATH
-ENV GODEBUG="madvdontneed=1"
+ENV GODEBUG="madvdontneed=1,x509ignoreCN=0"
 # Add an init process, check the checksum to make sure it's a match
 RUN set -e ; \
diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
index e42e525644c..0f8c6dcfe62 100644
--- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl
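Review bot: `DEFAULT_GODEBUG="madvdontneed=1,x509ignoreCN=0"` bakes the CommonName fallback into the default environment of every shipped package (likewise deb/init.sh.tmpl and the Docker template here, and the systemd units and rpm init scripts in the following hunks), so packaged Beats keep accepting CommonName-only certificates while the binary itself logs that this is deprecated, and an operator who runs the same binary by hand gets the strict behaviour; the two should agree, or the difference be documented in the package. `x509ignoreCN=0` is a transitional knob removed in Go 1.17, so each template wants a comment tying it to the deprecation, e.g. `# x509ignoreCN=0 keeps CommonName-only certificates verifying until the 8.0.0 deprecation lands; remove together with it`. Because `export GODEBUG=${GODEBUG-$DEFAULT_GODEBUG}` yields to any GODEBUG sourced from /etc/default/{{.ServiceName}} just above, an operator who sets only `madvdontneed=1` there silently loses the fallback, so the defaults file should state the complete value.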
+++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl
@@ -79,7 +79,7 @@ LABEL \
 ENV ELASTIC_CONTAINER "true"
 ENV PATH={{ $beatHome }}:$PATH
-ENV GODEBUG="madvdontneed=1"
+ENV GODEBUG="madvdontneed=1,x509ignoreCN=0"
 # Add an init process, check the checksum to make sure it's a match
 RUN set -e ; \
diff --git a/dev-tools/packaging/templates/linux/beatname.sh.tmpl b/dev-tools/packaging/templates/linux/beatname.sh.tmpl
index 1343ce2b4c4..c845afc369f 100644
--- a/dev-tools/packaging/templates/linux/beatname.sh.tmpl
+++ b/dev-tools/packaging/templates/linux/beatname.sh.tmpl
@@ -3,7 +3,7 @@
 # Script to run {{.BeatName | title}} in foreground with the same path settings that
 # the init script / systemd unit file would do.
-exec /usr/share/{{.BeatName}}/bin/{{.BeatName}} \
+exec GODEBUG="x509ignoreCN=0" /usr/share/{{.BeatName}}/bin/{{.BeatName}} \
 --path.home /usr/share/{{.BeatName}} \
 --path.config /etc/{{.BeatName}} \
 --path.data /var/lib/{{.BeatName}} \
diff --git a/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl b/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl
index c7aa5ac2a17..07d2618bf27 100644
--- a/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl
+++ b/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl
@@ -9,7 +9,7 @@ After=network-online.target
 User={{ .BeatUser }}
 Group={{ .BeatUser }}
 {{- end }}
-Environment="GODEBUG='madvdontneed=1'"
+Environment="GODEBUG='madvdontneed=1,x509ignoreCN=0'"
 Environment="BEAT_CONFIG_OPTS=-c /etc/{{.BeatName}}/{{.BeatName}}.yml"
 ExecStart=/usr/bin/{{.BeatName}} run --environment systemd $BEAT_CONFIG_OPTS
 Restart=always
diff --git a/dev-tools/packaging/templates/linux/systemd.unit.tmpl b/dev-tools/packaging/templates/linux/systemd.unit.tmpl
index 367f9e3532f..7351d2b3dd0 100644
--- a/dev-tools/packaging/templates/linux/systemd.unit.tmpl
+++ b/dev-tools/packaging/templates/linux/systemd.unit.tmpl
@@ -9,7 +9,7 @@ After=network-online.target User={{ .BeatUser }} Group={{ .BeatUser }} {{- end }} -Environment="GODEBUG='madvdontneed=1'" +Environment="GODEBUG='madvdontneed=1,x509ignoreCN=0'" Environment="BEAT_LOG_OPTS=" Environment="BEAT_CONFIG_OPTS=-c /etc/{{.BeatName}}/{{.BeatName}}.yml" Environment="BEAT_PATH_OPTS=--path.home /usr/share/{{.BeatName}} --path.config /etc/{{.BeatName}} --path.data /var/lib/{{.BeatName}} --path.logs /var/log/{{.BeatName}}" diff --git a/dev-tools/packaging/templates/rpm/elastic-agent.init.sh.tmpl b/dev-tools/packaging/templates/rpm/elastic-agent.init.sh.tmpl index eb5a96e878d..6ba093842c4 100644 --- a/dev-tools/packaging/templates/rpm/elastic-agent.init.sh.tmpl +++ b/dev-tools/packaging/templates/rpm/elastic-agent.init.sh.tmpl @@ -32,7 +32,7 @@ wrapperopts="-r / -n -p $pidfile" user_wrapper="su" user_wrapperopts="$beat_user -c" RETVAL=0 -DEFAULT_GODEBUG="madvdontneed=1" +DEFAULT_GODEBUG="madvdontneed=1,x509ignoreCN=0" export GODEBUG=${GODEBUG-$DEFAULT_GODEBUG} # Source function library. diff --git a/dev-tools/packaging/templates/rpm/init.sh.tmpl b/dev-tools/packaging/templates/rpm/init.sh.tmpl index bfdf44fff9c..7612d4f4fbb 100644 --- a/dev-tools/packaging/templates/rpm/init.sh.tmpl +++ b/dev-tools/packaging/templates/rpm/init.sh.tmpl @@ -33,7 +33,7 @@ wrapperopts="-r / -n -p $pidfile" user_wrapper="su" user_wrapperopts="$beat_user -c" RETVAL=0 -DEFAULT_GODEBUG="madvdontneed=1" +DEFAULT_GODEBUG="madvdontneed=1,x509ignoreCN=0" export GODEBUG=${GODEBUG-$DEFAULT_GODEBUG} # Source function library. From d5acc510f53f28ab2f825f11578691fba13d27bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Thu, 14 Jan 2021 14:00:16 +0100 Subject: [PATCH 11/44] minor mishaps --- dev-tools/packaging/templates/linux/beatname.sh.tmpl | 2 +- metricbeat/module/http/_meta/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/dev-tools/packaging/templates/linux/beatname.sh.tmpl b/dev-tools/packaging/templates/linux/beatname.sh.tmpl index c845afc369f..85fb8f2aef2 100644 --- a/dev-tools/packaging/templates/linux/beatname.sh.tmpl +++ b/dev-tools/packaging/templates/linux/beatname.sh.tmpl @@ -3,7 +3,7 @@ # Script to run {{.BeatName | title}} in foreground with the same path settings that # the init script / systemd unit file would do. -exec GODEBUG="x509ignoreCN=0" /usr/share/{{.BeatName}}/bin/{{.BeatName}} \ +exec env GODEBUG="x509ignoreCN=0" /usr/share/{{.BeatName}}/bin/{{.BeatName}} \ --path.home /usr/share/{{.BeatName}} \ --path.config /etc/{{.BeatName}} \ --path.data /var/lib/{{.BeatName}} \ diff --git a/metricbeat/module/http/_meta/Dockerfile b/metricbeat/module/http/_meta/Dockerfile index aad40f22391..9ec48348bea 100644 --- a/metricbeat/module/http/_meta/Dockerfile +++ b/metricbeat/module/http/_meta/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.15.3 +FROM golang:1.15.6 COPY test/main.go main.go From 07375dc447e045278bd7de3bf773e6e40caf3b2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Thu, 14 Jan 2021 14:08:04 +0100 Subject: [PATCH 12/44] add deprecation message --- CHANGELOG.next.asciidoc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 0e7edfce6f2..4e25913f408 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -985,6 +985,16 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Affecting all Beats* +- Update to Golang 1.15.6 requires users to add `x509ignoreCN=0` to the `GODEBUG` environment variable if +they are using a X.509 certificates without Subject Alternative Names in the following use cases: + * running Beats/Agent on Windows + * compiling Beats/Agent and then running the binary + +In other use cases, Beats and Agent can set this variable automatically for the users. + +In the future, these certificates must be updated as the legacy behaviour of Common Name field +is going to be removed in later versions. {pull}22495[22495] + *Filebeat* - The experimental modules for Citrix Netscaler and Symantec Endpoint Protection have been removed. From 1c4327c0a8aaa9cab964cac795198e403d37e5f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Thu, 14 Jan 2021 14:09:01 +0100 Subject: [PATCH 13/44] add more context --- CHANGELOG.next.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 4e25913f408..f5281c388fb 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -995,6 +995,8 @@ In other use cases, Beats and Agent can set this variable automatically for the In the future, these certificates must be updated as the legacy behaviour of Common Name field is going to be removed in later versions. {pull}22495[22495] +See more about the change in Golang here: https://golang.org/doc/go1.15#commonname + *Filebeat* - The experimental modules for Citrix Netscaler and Symantec Endpoint Protection have been removed. From 396a6100bdc3d482871d17717d2b9a4769171938 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Thu, 14 Jan 2021 17:26:47 +0100 Subject: [PATCH 14/44] remove godebug hack and add tls overwrite hack isntead --- CHANGELOG.next.asciidoc | 12 --- Jenkinsfile | 1 - dev-tools/mage/crossbuild.go | 1 - dev-tools/mage/integtest.go | 1 - .../templates/deb/elastic-agent.init.sh.tmpl | 2 +- .../packaging/templates/deb/init.sh.tmpl | 2 +- .../docker/Dockerfile.elastic-agent.tmpl | 2 +- .../templates/docker/Dockerfile.tmpl | 2 +- .../templates/linux/beatname.sh.tmpl | 2 +- .../templates/linux/elastic-agent.unit.tmpl | 2 +- .../templates/linux/systemd.unit.tmpl | 2 +- .../templates/rpm/elastic-agent.init.sh.tmpl | 2 +- .../packaging/templates/rpm/init.sh.tmpl | 2 +- .../common/transport/tlscommon/tls_config.go | 8 ++ libbeat/common/transport/tlscommon/types.go | 4 +- libbeat/common/transport/tlscommon/verify.go | 74 ++++++++++++++++--- libbeat/scripts/Makefile | 2 - 17 files changed, 84 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index f5281c388fb..0e7edfce6f2 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -985,18 +985,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Affecting all Beats* -- Update to Golang 1.15.6 requires users to add `x509ignoreCN=0` to the `GODEBUG` environment variable if -they are using a X.509 certificates without Subject Alternative Names in the following use cases: - * running Beats/Agent on Windows - * compiling Beats/Agent and then running the binary - -In other use cases, Beats and Agent can set this variable automatically for the users. - -In the future, these certificates must be updated as the legacy behaviour of Common Name field -is going to be removed in later versions. {pull}22495[22495] - -See more about the change in Golang here: https://golang.org/doc/go1.15#commonname - *Filebeat* - The experimental modules for Citrix Netscaler and Symantec Endpoint Protection have been removed. 
diff --git a/Jenkinsfile b/Jenkinsfile index 3894db8e429..072f2c3176a 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -58,7 +58,6 @@ pipeline { setEnvVar('GO_MOD_CHANGES', isGitRegionMatch(patterns: [ '^go.mod' ], shouldMatchAll: false).toString()) setEnvVar('PACKAGING_CHANGES', isGitRegionMatch(patterns: [ '^dev-tools/packaging/.*' ], shouldMatchAll: false).toString()) setEnvVar('GO_VERSION', readFile(".go-version").trim()) - setEnvVar('GODEBUG', "x509ignoreCN=0") withEnv(["HOME=${env.WORKSPACE}"]) { retryWithSleep(retries: 2, seconds: 5){ sh(label: "Install Go ${env.GO_VERSION}", script: '.ci/scripts/install-go.sh') } } diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go index f98d54f0fec..4340c7fdb4e 100644 --- a/dev-tools/mage/crossbuild.go +++ b/dev-tools/mage/crossbuild.go @@ -264,7 +264,6 @@ func (b GolangCrossBuilder) Build() error { args = append(args, "--rm", "--env", "GOFLAGS=-mod=readonly", - "--env", "GODEBUG=x509ignoreCN=0", "--env", "MAGEFILE_VERBOSE="+verbose, "--env", "MAGEFILE_TIMEOUT="+EnvOr("MAGEFILE_TIMEOUT", ""), "--env", fmt.Sprintf("SNAPSHOT=%v", Snapshot), diff --git a/dev-tools/mage/integtest.go b/dev-tools/mage/integtest.go index e984cbef9a9..16321fa9032 100644 --- a/dev-tools/mage/integtest.go +++ b/dev-tools/mage/integtest.go @@ -237,7 +237,6 @@ func initRunner(tester IntegrationTester, dir string, passInEnv map[string]strin env := map[string]string{ insideIntegrationTestEnvVar: "true", "GOFLAGS": "-mod=readonly", - "GODEBUG": "x509ignoreCN=0", } for name, value := range passInEnv { env[name] = value diff --git a/dev-tools/packaging/templates/deb/elastic-agent.init.sh.tmpl b/dev-tools/packaging/templates/deb/elastic-agent.init.sh.tmpl index 17615d5e1aa..4ee5f6c2e5a 100644 --- a/dev-tools/packaging/templates/deb/elastic-agent.init.sh.tmpl +++ b/dev-tools/packaging/templates/deb/elastic-agent.init.sh.tmpl 
@@ -31,7 +31,7 @@ SCRIPTNAME=/etc/init.d/{{.ServiceName}} # Read configuration variable file if it is present [ -r /etc/default/{{.ServiceName}} ] && . /etc/default/{{.ServiceName}} -DEFAULT_GODEBUG="madvdontneed=1,x509ignoreCN=0" +DEFAULT_GODEBUG="madvdontneed=1" export GODEBUG=${GODEBUG-$DEFAULT_GODEBUG} [ "$BEAT_USER" != "root" ] && WRAPPER_ARGS="$WRAPPER_ARGS -u $BEAT_USER" diff --git a/dev-tools/packaging/templates/deb/init.sh.tmpl b/dev-tools/packaging/templates/deb/init.sh.tmpl index 71844d7793e..90d026dd0ba 100644 --- a/dev-tools/packaging/templates/deb/init.sh.tmpl +++ b/dev-tools/packaging/templates/deb/init.sh.tmpl @@ -32,7 +32,7 @@ SCRIPTNAME=/etc/init.d/{{.ServiceName}} # Read configuration variable file if it is present [ -r /etc/default/{{.ServiceName}} ] && . /etc/default/{{.ServiceName}} -DEFAULT_GODEBUG="madvdontneed=1,x509ignoreCN=0" +DEFAULT_GODEBUG="madvdontneed=1" export GODEBUG=${GODEBUG-$DEFAULT_GODEBUG} [ "$BEAT_USER" != "root" ] && WRAPPER_ARGS="$WRAPPER_ARGS -u $BEAT_USER" diff --git a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl index 4bed514c00c..419cd10923e 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl @@ -65,7 +65,7 @@ LABEL \ ENV ELASTIC_CONTAINER "true" ENV PATH={{ $beatHome }}:$PATH -ENV GODEBUG="madvdontneed=1,x509ignoreCN=0" +ENV GODEBUG="madvdontneed=1" # Add an init process, check the checksum to make sure it's a match RUN set -e ; \ diff --git a/dev-tools/packaging/templates/docker/Dockerfile.tmpl b/dev-tools/packaging/templates/docker/Dockerfile.tmpl index 0f8c6dcfe62..e42e525644c 100644 --- a/dev-tools/packaging/templates/docker/Dockerfile.tmpl +++ b/dev-tools/packaging/templates/docker/Dockerfile.tmpl 
@@ -79,7 +79,7 @@ LABEL \ ENV ELASTIC_CONTAINER "true" ENV PATH={{ $beatHome }}:$PATH -ENV GODEBUG="madvdontneed=1,x509ignoreCN=0" +ENV GODEBUG="madvdontneed=1" # Add an init process, check the checksum to make sure it's a match RUN set -e ; \ diff --git a/dev-tools/packaging/templates/linux/beatname.sh.tmpl b/dev-tools/packaging/templates/linux/beatname.sh.tmpl index 85fb8f2aef2..1343ce2b4c4 100644 --- a/dev-tools/packaging/templates/linux/beatname.sh.tmpl +++ b/dev-tools/packaging/templates/linux/beatname.sh.tmpl @@ -3,7 +3,7 @@ # Script to run {{.BeatName | title}} in foreground with the same path settings that # the init script / systemd unit file would do. -exec env GODEBUG="x509ignoreCN=0" /usr/share/{{.BeatName}}/bin/{{.BeatName}} \ +exec /usr/share/{{.BeatName}}/bin/{{.BeatName}} \ --path.home /usr/share/{{.BeatName}} \ --path.config /etc/{{.BeatName}} \ --path.data /var/lib/{{.BeatName}} \ diff --git a/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl b/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl index 07d2618bf27..c7aa5ac2a17 100644 --- a/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl +++ b/dev-tools/packaging/templates/linux/elastic-agent.unit.tmpl @@ -9,7 +9,7 @@ After=network-online.target User={{ .BeatUser }} Group={{ .BeatUser }} {{- end }} -Environment="GODEBUG='madvdontneed=1,x509ignoreCN=0'" +Environment="GODEBUG='madvdontneed=1'" Environment="BEAT_CONFIG_OPTS=-c /etc/{{.BeatName}}/{{.BeatName}}.yml" ExecStart=/usr/bin/{{.BeatName}} run --environment systemd $BEAT_CONFIG_OPTS Restart=always diff --git a/dev-tools/packaging/templates/linux/systemd.unit.tmpl b/dev-tools/packaging/templates/linux/systemd.unit.tmpl index 7351d2b3dd0..367f9e3532f 100644 --- a/dev-tools/packaging/templates/linux/systemd.unit.tmpl +++ b/dev-tools/packaging/templates/linux/systemd.unit.tmpl 
@@ -9,7 +9,7 @@ After=network-online.target User={{ .BeatUser }} Group={{ .BeatUser }} {{- end }} -Environment="GODEBUG='madvdontneed=1,x509ignoreCN=0'" +Environment="GODEBUG='madvdontneed=1'" Environment="BEAT_LOG_OPTS=" Environment="BEAT_CONFIG_OPTS=-c /etc/{{.BeatName}}/{{.BeatName}}.yml" Environment="BEAT_PATH_OPTS=--path.home /usr/share/{{.BeatName}} --path.config /etc/{{.BeatName}} --path.data /var/lib/{{.BeatName}} --path.logs /var/log/{{.BeatName}}" diff --git a/dev-tools/packaging/templates/rpm/elastic-agent.init.sh.tmpl b/dev-tools/packaging/templates/rpm/elastic-agent.init.sh.tmpl index 6ba093842c4..eb5a96e878d 100644 --- a/dev-tools/packaging/templates/rpm/elastic-agent.init.sh.tmpl +++ b/dev-tools/packaging/templates/rpm/elastic-agent.init.sh.tmpl @@ -32,7 +32,7 @@ wrapperopts="-r / -n -p $pidfile" user_wrapper="su" user_wrapperopts="$beat_user -c" RETVAL=0 -DEFAULT_GODEBUG="madvdontneed=1,x509ignoreCN=0" +DEFAULT_GODEBUG="madvdontneed=1" export GODEBUG=${GODEBUG-$DEFAULT_GODEBUG} # Source function library. diff --git a/dev-tools/packaging/templates/rpm/init.sh.tmpl b/dev-tools/packaging/templates/rpm/init.sh.tmpl index 7612d4f4fbb..bfdf44fff9c 100644 --- a/dev-tools/packaging/templates/rpm/init.sh.tmpl +++ b/dev-tools/packaging/templates/rpm/init.sh.tmpl @@ -33,7 +33,7 @@ wrapperopts="-r / -n -p $pidfile" user_wrapper="su" user_wrapperopts="$beat_user -c" RETVAL=0 -DEFAULT_GODEBUG="madvdontneed=1,x509ignoreCN=0" +DEFAULT_GODEBUG="madvdontneed=1" export GODEBUG=${GODEBUG-$DEFAULT_GODEBUG} # Source function library. diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 22cebb2bf8d..9f5d2625cfd 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go 
@@ -149,5 +149,13 @@ func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc {
 }
 }
 
+ legacyCommonName := cfg.Verification == VerifyLegacyCommonName
+ if legacyCommonName {
+ return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+ _, _, err := verifyCertificateWithLegacyCommonName(rawCerts, cfg)
+ return err
+ }
+ }
+
 return nil
 }
diff --git a/libbeat/common/transport/tlscommon/types.go b/libbeat/common/transport/tlscommon/types.go
index c130a57c71a..62159f447af 100644
--- a/libbeat/common/transport/tlscommon/types.go
+++ b/libbeat/common/transport/tlscommon/types.go
@@ -127,13 +127,15 @@ const (
 VerifyFull TLSVerificationMode = iota
 VerifyNone
 VerifyCertificate
+ VerifyLegacyCommonName
 )
 
 var tlsVerificationModes = map[string]TLSVerificationMode{
- "": VerifyFull,
+ "": VerifyLegacyCommonName,
 "full": VerifyFull,
 "none": VerifyNone,
 "certificate": VerifyCertificate,
+ "common_name": VerifyLegacyCommonName,
 }
 
 func (m TLSVerificationMode) String() string {
diff --git a/libbeat/common/transport/tlscommon/verify.go b/libbeat/common/transport/tlscommon/verify.go
index 867e70874a9..d56559150a7 100644
--- a/libbeat/common/transport/tlscommon/verify.go
+++ b/libbeat/common/transport/tlscommon/verify.go
@@ -49,6 +49,7 @@ package tlscommon
 import (
 "crypto/x509"
+ "fmt"
 "time"
 "github.com/pkg/errors"
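Review bot: The `legacyCommonName` temporary is read exactly once and can be folded into the condition, `if cfg.Verification == VerifyLegacyCommonName {`. What a reader needs more is why this branch exists at all: the closure takes over hostname matching for the new default mode, so a comment such as `// Go 1.15 no longer falls back to the Subject Common Name when a certificate has no SAN; this mode re-adds that fallback for such certificates.` above it would make the intent reviewable. The closure also discards `verifiedChains`, which is only meaningful if the resulting tls.Config keeps the built-in verification enabled; whether it does is not visible in this hunk, and `makeVerifyPeerCertificate` starts outside it.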
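Review bot: Remapping the empty key from `VerifyFull` to `VerifyLegacyCommonName` changes the behaviour of every configuration that leaves `verification_mode` unset, routing it through the custom verifier instead of crypto/tls, and the new constant carries no comment saying so. A doc comment would make the trade-off explicit, for example `// VerifyLegacyCommonName is VerifyFull plus the pre-Go-1.15 fallback to the Subject Common Name for certificates without a SAN; it is the default for backwards compatibility and is meant to be removed once such certificates are no longer supported.` The `String()` method that begins on the hunk's last line is cut off; if it maps each constant explicitly, it needs a case for the new value, otherwise the default mode would print as an unknown mode in logs.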
@@ -62,16 +63,9 @@ func verifyCertificateExceptServerName(
 rawCerts [][]byte,
 c *TLSConfig,
 ) ([]*x509.Certificate, [][]*x509.Certificate, error) {
- // this is where we're a bit suboptimal, as we have to re-parse the certificates that have been presented
- // during the handshake.
- // the verification code here is taken from verifyServerCertificate in crypto/tls/handshake_client.go:824
- certs := make([]*x509.Certificate, len(rawCerts))
- for i, asn1Data := range rawCerts {
- cert, err := x509.ParseCertificate(asn1Data)
- if err != nil {
- return nil, nil, errors.Wrap(err, "tls: failed to parse certificate from server")
- }
- certs[i] = cert
+ certs, err := overwriteSANWithCommonName(rawCerts)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "failed to overwrite SAN with Common Name")
 }
 
 var t time.Time
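Review bot: Replacing the parse loop with `overwriteSANWithCommonName` makes this path fail for any chain member that has neither DNS SANs nor a Common Name, because the helper returns an error in that case, even though this function never matches a hostname (its name says so and no `DNSName` is set in the visible lines); a leaf with only IP SANs, or a CA certificate without a CN, is now rejected where it used to be accepted. If the SAN rewrite is only needed for the `common_name` mode, keep the plain parse loop here; otherwise the helper must skip certificates that already carry any SAN and the non-leaf members of the chain. The wrapping message is also misleading, since a failure here is almost always `x509.ParseCertificate` failing rather than the rewrite, and `Wrapf` without format arguments is just `Wrap`; `errors.Wrap(err, "tls: failed to parse certificate from server")` keeps the previous wording. The function's tail is outside the hunk.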
@@ -98,3 +92,63 @@ func verifyCertificateExceptServerName(
 chains, err := headCert.Verify(opts)
 return certs, chains, err
 }
+
+func verifyCertificateWithLegacyCommonName(
+ rawCerts [][]byte,
+ c *TLSConfig,
+) ([]*x509.Certificate, [][]*x509.Certificate, error) {
+ certs, err := overwriteSANWithCommonName(rawCerts)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "failed to overwrite SAN with Common Name")
+ }
+
+ var t time.Time
+ if c.time != nil {
+ t = c.time()
+ } else {
+ t = time.Now()
+ }
+
+ headCert := certs[0]
+
+ opts := x509.VerifyOptions{
+ DNSName: headCert.Subject.CommonName,
+ Roots: c.RootCAs,
+ CurrentTime: t,
+ Intermediates: x509.NewCertPool(),
+ }
+
+ for _, cert := range certs[1:] {
+ opts.Intermediates.AddCert(cert)
+ }
+
+ // defer to the default verification performed
+ chains, err := headCert.Verify(opts)
+ return certs, chains, err
+}
+
+// overwriteSANWithCommonName adds the Common Name to DNSNames, if the list is empty.
+// It is a workaround to address the changes introduced in Golang 1.15: https://golang.org/doc/go1.15#commonname.
+func overwriteSANWithCommonName(
+ rawCerts [][]byte,
+) ([]*x509.Certificate, error) {
+ // this is where we're a bit suboptimal, as we have to re-parse the certificates that have been presented
+ // during the handshake.
+ // the verification code here is taken from verifyServerCertificate in crypto/tls/handshake_client.go:824
+ certs := make([]*x509.Certificate, len(rawCerts))
+ for i, asn1Data := range rawCerts {
+ cert, err := x509.ParseCertificate(asn1Data)
+ if err != nil {
+ return nil, errors.Wrap(err, "tls: failed to parse certificate from server")
+ }
+ if len(cert.DNSNames) == 0 {
+ if len(cert.Subject.CommonName) == 0 {
+ return nil, fmt.Errorf("missing DNSNames and Common Name")
+ }
+ cert.DNSNames = []string{cert.Subject.CommonName}
+ }
+ certs[i] = cert
+ }
+
+ return certs, nil
+}
diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile
index 701556a5a49..3bdf4774158 100755
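Review bot: `verifyCertificateWithLegacyCommonName` sets `opts.DNSName` to `headCert.Subject.CommonName`, so the leaf is matched against a name taken from itself rather than the host the connection was made to: after `overwriteSANWithCommonName` has copied the CN into `DNSNames`, the hostname check always passes for a SAN-less certificate, and it wrongly fails a valid certificate whose SANs do not contain its CN. The expected name has to come from the configuration or the connection; the `TLSConfig` fields are not visible here, so if it carries the configured server name that is the value to pass, and if it does not, this callback cannot perform hostname verification and its doc comment should say so. In `overwriteSANWithCommonName`, the check looks only at `DNSNames`, so a certificate with IP SANs and no CN produces `missing DNSNames and Common Name`, and the rewrite and its error are applied to intermediates whose names play no part in chain building; the rewrite should be limited to the leaf and be a no-op when any SAN is present, after which the `fmt` import is unused. `headCert := certs[0]` also needs a length guard, since `rawCerts` can be empty when the callback runs on the server side for an optional client certificate.
```go
	// … unchanged: time selection …
	if len(certs) == 0 {
		return nil, nil, errors.New("tls: no certificate presented by peer")
	}
	headCert := certs[0]
	// … unchanged: VerifyOptions, intermediates, Verify …

func overwriteSANWithCommonName(
	rawCerts [][]byte,
) ([]*x509.Certificate, error) {
	certs := make([]*x509.Certificate, len(rawCerts))
	for i, asn1Data := range rawCerts {
		cert, err := x509.ParseCertificate(asn1Data)
		if err != nil {
			return nil, errors.Wrap(err, "tls: failed to parse certificate from server")
		}
		// Only the leaf is matched against a host name; leave intermediates and
		// any certificate that already carries a SAN of any kind untouched.
		if i == 0 && len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 && cert.Subject.CommonName != "" {
			cert.DNSNames = []string{cert.Subject.CommonName}
		}
		certs[i] = cert
	}
	return certs, nil
}
```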
--- a/libbeat/scripts/Makefile +++ b/libbeat/scripts/Makefile @@ -231,7 +231,6 @@ integration-tests-environment: prepare-tests build-image -e TEST_ENVIRONMENT=${TEST_ENVIRONMENT} \ -e BEATS_INSIDE_INTEGRATION_TEST_ENV=${BEATS_INSIDE_INTEGRATION_TEST_ENV} \ -e GOFLAGS=${INSTALL_FLAG} \ - -e GODEBUG=x509ignoreCN=0 \ beat make integration-tests # Runs the system tests @@ -251,7 +250,6 @@ system-tests-environment: prepare-tests build-image -e DOCKER_COMPOSE_PROJECT_NAME=${DOCKER_COMPOSE_PROJECT_NAME} \ -e PYTHON_EXE=${PYTHON_EXE} \ -e GOFLAGS=${INSTALL_FLAG} \ - -e GODEBUG=x509ignoreCN=0 \ beat make system-tests .PHONY: fast-system-tests From 5c54a5eb3e18f3f53cfd670b602fa19f744968a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Thu, 14 Jan 2021 18:26:59 +0100 Subject: [PATCH 15/44] add to docs && minor test adjustment --- auditbeat/auditbeat.reference.yml | 36 +++++++++++++++++++ filebeat/filebeat.reference.yml | 36 +++++++++++++++++++ heartbeat/heartbeat.reference.yml | 36 +++++++++++++++++++ journalbeat/journalbeat.reference.yml | 36 +++++++++++++++++++ libbeat/_meta/config/ssl.reference.yml.tmpl | 6 ++++ .../outputs/redis/redis_integration_test.go | 2 +- metricbeat/metricbeat.reference.yml | 36 +++++++++++++++++++ packetbeat/packetbeat.reference.yml | 36 +++++++++++++++++++ winlogbeat/winlogbeat.reference.yml | 36 +++++++++++++++++++ x-pack/auditbeat/auditbeat.reference.yml | 36 +++++++++++++++++++ x-pack/filebeat/filebeat.reference.yml | 36 +++++++++++++++++++ .../functionbeat/functionbeat.reference.yml | 24 +++++++++++++ x-pack/heartbeat/heartbeat.reference.yml | 36 +++++++++++++++++++ x-pack/metricbeat/metricbeat.reference.yml | 36 +++++++++++++++++++ x-pack/packetbeat/packetbeat.reference.yml | 36 +++++++++++++++++++ x-pack/winlogbeat/winlogbeat.reference.yml | 36 +++++++++++++++++++ 16 files changed, 499 insertions(+), 1 deletion(-) 
diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index ef82491a4dd..2e4975e38dc 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml @@ -529,6 +529,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary 
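Review bot: The added `common_name` bullet is followed by a second copy of the `certificate` bullet, so that mode is now listed twice in every `verification_mode` comment block; the duplicate two lines should be removed from the template the diffstat names (`libbeat/_meta/config/ssl.reference.yml.tmpl`) so the regenerated files in this and the following sections pick it up. The wording also states that `common_name` verifies the server's hostname or IP address against the certificate, which, as far as the verifier in this series is visible, is stronger than what the mode does with the Common Name; limiting the description to the documented effect, `If the certificate has no Subject Alternative Name, the Common Name is used as its DNS name`, avoids promising a check the reader cannot rely on. The same block recurs in every reference.yml hunk on this page.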
@@ -656,6 +662,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -853,6 +865,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary 
@@ -1009,6 +1027,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1305,6 +1329,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary 
@@ -1502,6 +1532,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 91b1dfa3190..dddaee49a48 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml 
@@ -1409,6 +1409,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1536,6 +1542,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary 
@@ -1733,6 +1745,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1889,6 +1907,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary 
@@ -2185,6 +2209,12 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -2382,6 +2412,12 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml
index 37e3e2ed122..b5e91290547 100644
--- a/heartbeat/heartbeat.reference.yml
+++ b/heartbeat/heartbeat.reference.yml
@@ -707,6 +707,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -834,6 +840,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1031,6 +1043,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1187,6 +1205,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1483,6 +1507,12 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1680,6 +1710,12 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml
index 7e875edcf8e..2b58e576f0f 100644
--- a/journalbeat/journalbeat.reference.yml
+++ b/journalbeat/journalbeat.reference.yml
@@ -472,6 +472,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -599,6 +605,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -796,6 +808,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -952,6 +970,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1248,6 +1272,12 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1445,6 +1475,12 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/libbeat/_meta/config/ssl.reference.yml.tmpl b/libbeat/_meta/config/ssl.reference.yml.tmpl
index 88f638e21b0..1fec834e5cc 100644
--- a/libbeat/_meta/config/ssl.reference.yml.tmpl
+++ b/libbeat/_meta/config/ssl.reference.yml.tmpl
@@ -7,6 +7,12 @@
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+# * common_name, which verifies that the provided certificate is signed by a trusted
+# authority (CA) and also verifies that the server's hostname (or IP address)
+# matches the names identified within the certificate. If DNSNames is empty
+# it is overwritten with the value from Common Name.
+# * certificate, which verifies that the provided certificate is signed by a
+# trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/libbeat/outputs/redis/redis_integration_test.go b/libbeat/outputs/redis/redis_integration_test.go
index 3e146cad912..d7424239f49 100644
--- a/libbeat/outputs/redis/redis_integration_test.go
+++ b/libbeat/outputs/redis/redis_integration_test.go
@@ -112,7 +112,7 @@ func TestWithSchema(t *testing.T) {
 "datatype": "list",
 "timeout": "5s",
- "ssl.verification_mode": "full",
+ "ssl.verification_mode": "common_name", // full + common name workaround
 "ssl.certificate_authorities": []string{
 "../../../testing/environments/docker/sredis/pki/tls/certs/sredis.crt",
 },
diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml
index f7530d7e386..df3cecf489d 100644
--- a/metricbeat/metricbeat.reference.yml
+++ b/metricbeat/metricbeat.reference.yml
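Review bot: The `* certificate` bullet now appears twice in the template — once in the unchanged context directly above the inserted block and again in the last two added lines — so the rendered list of verification modes repeats an entry; drop the trailing `# * certificate, which verifies that the provided certificate is signed by a` / `# trusted authority (CA), but does not perform any hostname verification.` pair and keep only the new `common_name` bullet between `certificate` and `none`. Because every *.reference.yml touched by this commit (auditbeat, filebeat, heartbeat, journalbeat, metricbeat, packetbeat, winlogbeat, x-pack/auditbeat) is generated from this template, the duplicate is propagated to all of them and needs fixing only here followed by a regeneration. The new description also reads as if `common_name` were equivalent to `full`, while the CN fallback it introduces is what makes it accept certificates that carry no Subject Alternative Name; I would make the trade-off explicit for operators with a closing sentence such as `# This mode exists for certificates without a Subject Alternative Name; prefer full where possible.`, and replace the implementation-level wording `If DNSNames is empty it is overwritten with the value from Common Name` with `If the certificate has no Subject Alternative Name, its Common Name is used instead`.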
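Review bot: Changing `"ssl.verification_mode"` from `"full"` to `"common_name"` in TestWithSchema permanently lowers what the integration test verifies, since the new mode will accept the server certificate on its Subject CN when it carries no Subject Alternative Name, and the `// full + common name workaround` comment records neither the reason nor when the workaround can be removed. The comment suggests the cause is that `sredis.crt` under testing/environments/docker/sredis/pki has no SAN; regenerating that test certificate with a `subjectAltName` for the Redis host would let the test stay on `"full"` and exercise the strict path that production configurations are expected to use. If the workaround has to stay for now, I would at least make it trackable: `"ssl.verification_mode": "common_name", // TODO: restore "full" once sredis.crt carries a SAN (Go 1.15 no longer matches the CN)`. The enclosing TestWithSchema body starts and ends outside the hunk.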
@@ -1306,6 +1306,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1433,6 +1439,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1630,6 +1642,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1786,6 +1804,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -2082,6 +2106,12 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -2279,6 +2309,12 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml
index 57142c14263..dea46500f30 100644
--- a/packetbeat/packetbeat.reference.yml
+++ b/packetbeat/packetbeat.reference.yml
@@ -1024,6 +1024,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1151,6 +1157,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1348,6 +1360,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1504,6 +1522,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1800,6 +1824,12 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1997,6 +2027,12 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml
index 316df4ae3dd..3e091a75d53 100644
--- a/winlogbeat/winlogbeat.reference.yml
+++ b/winlogbeat/winlogbeat.reference.yml
@@ -452,6 +452,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -579,6 +585,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -776,6 +788,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -932,6 +950,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1228,6 +1252,12 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1425,6 +1455,12 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml
index ec3ef722b0c..15a917c7944 100644
--- a/x-pack/auditbeat/auditbeat.reference.yml
+++ b/x-pack/auditbeat/auditbeat.reference.yml
@@ -585,6 +585,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -712,6 +718,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -909,6 +921,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1065,6 +1083,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1361,6 +1385,12 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1558,6 +1588,12 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index 0fd068e1963..90a9af9aa26 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -3207,6 +3207,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -3334,6 +3340,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -3531,6 +3543,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -3687,6 +3705,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -3983,6 +4007,12 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -4180,6 +4210,12 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml
index b41a4035d68..5f0c594bc3a 100644
--- a/x-pack/functionbeat/functionbeat.reference.yml
+++ b/x-pack/functionbeat/functionbeat.reference.yml
@@ -815,6 +815,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -942,6 +948,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1221,6 +1233,12 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1418,6 +1436,12 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml
index 37e3e2ed122..b5e91290547 100644
--- a/x-pack/heartbeat/heartbeat.reference.yml
+++ b/x-pack/heartbeat/heartbeat.reference.yml
@@ -707,6 +707,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -834,6 +840,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1031,6 +1043,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1187,6 +1205,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1483,6 +1507,12 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1680,6 +1710,12 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml
index 66c0e02eaa2..e8e91ac85ad 100644
--- a/x-pack/metricbeat/metricbeat.reference.yml
+++ b/x-pack/metricbeat/metricbeat.reference.yml
@@ -1807,6 +1807,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1934,6 +1940,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -2131,6 +2143,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -2287,6 +2305,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -2583,6 +2607,12 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -2780,6 +2810,12 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml
index 57142c14263..dea46500f30 100644
--- a/x-pack/packetbeat/packetbeat.reference.yml
+++ b/x-pack/packetbeat/packetbeat.reference.yml
@@ -1024,6 +1024,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1151,6 +1157,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1348,6 +1360,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1504,6 +1522,12 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
+ # * common_name, which verifies that the provided certificate is signed by a trusted
+ # authority (CA) and also verifies that the server's hostname (or IP address)
+ # matches the names identified within the certificate. If DNSNames is empty
+ # it is overwritten with the value from Common Name.
+ # * certificate, which verifies that the provided certificate is signed by a
+ # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
 # mode disables many of the security benefits of SSL/TLS and should only be used
 # after very careful consideration. It is primarily intended as a temporary
@@ -1800,6 +1824,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1997,6 +2027,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index 03652ce2788..90a204b1478 100644 
--- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml @@ -495,6 +495,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -622,6 +628,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary 
@@ -819,6 +831,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -975,6 +993,12 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary 
@@ -1271,6 +1295,12 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary @@ -1468,6 +1498,12 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. + # * common_name, which verifies that the provided certificate is signed by a trusted + # authority (CA) and also verifies that the server's hostname (or IP address) + # matches the names identified within the certificate. If DNSNames is empty + # it is overwritten with the value from Common Name. + # * certificate, which verifies that the provided certificate is signed by a + # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This # mode disables many of the security benefits of SSL/TLS and should only be used # after very careful consideration. It is primarily intended as a temporary From 76426ca6c1eb52a290d26a97aee0cfdc62cbdb6e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Fri, 15 Jan 2021 09:03:36 +0100 Subject: [PATCH 16/44] add test && update configuration --- CHANGELOG.next.asciidoc | 5 ++ auditbeat/auditbeat.reference.yml | 24 +++---- filebeat/filebeat.reference.yml | 24 +++---- heartbeat/heartbeat.reference.yml | 24 +++---- journalbeat/journalbeat.reference.yml | 24 +++---- libbeat/_meta/config/ssl.reference.yml.tmpl | 4 +- libbeat/common/transport/tlscommon/verify.go | 11 +-- .../common/transport/tlscommon/verify_test.go | 72 +++++++++++++++++++ .../outputs/redis/redis_integration_test.go | 2 +- metricbeat/metricbeat.reference.yml | 24 +++---- packetbeat/packetbeat.reference.yml | 24 +++---- winlogbeat/winlogbeat.reference.yml | 24 +++---- x-pack/auditbeat/auditbeat.reference.yml | 24 +++---- x-pack/filebeat/filebeat.reference.yml | 24 +++---- .../functionbeat/functionbeat.reference.yml | 16 ++--- x-pack/heartbeat/heartbeat.reference.yml | 24 +++---- x-pack/metricbeat/metricbeat.reference.yml | 24 +++---- x-pack/packetbeat/packetbeat.reference.yml | 24 +++---- x-pack/winlogbeat/winlogbeat.reference.yml | 24 +++---- 19 files changed, 250 insertions(+), 172 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 0e7edfce6f2..88cf16dd42e 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -985,6 +985,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Affecting all Beats* +- Selecting `full` in `ssl.verification_mode` option no longer treats CommonName field in x509 certificates as + a hostname when no Subject Alternative Name is present. Please update your certificates so it contains at least + one DNSName instead of relying on CommonName. If it is not an option, use `common_name` verification mode. This + way, the Beat overwrites the DNSName field with CommonName and then does the usual `full` check of the certificate. + *Filebeat* - The experimental modules for Citrix Netscaler and Symantec Endpoint Protection have been removed. diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index 2e4975e38dc..55a73cbdd2d 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml @@ -540,8 +540,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -673,8 +673,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
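Review bot: These hunks change the documented default from `full` to `common_name` (`# The default value is common_name.` / `#ssl.verification_mode: common_name`), but nothing in the visible verify.go hunks changes the code's default, so the reference files may now describe a default the Beat does not apply; the same edit is repeated in the filebeat, heartbeat, journalbeat, metricbeat, packetbeat and winlogbeat reference files and in the shared template libbeat/_meta/config/ssl.reference.yml.tmpl, which is the one place it needs to be decided. If the default really did move, it is a relaxation of the baseline: `common_name` is the mode that falls back to the Subject Common Name, which Go 1.15 (the version this series moves to) stopped treating as a hostname, and the redis integration test in the same commit labels it a "workaround". Either keep `full` as the documented default and mention `common_name` as the opt-in for CN-only certificates, or have the CHANGELOG entry in this hunk state explicitly that the default verification mode changed.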
@@ -876,8 +876,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1038,8 +1038,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1340,8 +1340,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1543,8 +1543,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index dddaee49a48..28c59480672 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -1420,8 +1420,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1553,8 +1553,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1756,8 +1756,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1918,8 +1918,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -2220,8 +2220,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -2423,8 +2423,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml index b5e91290547..b372745efe5 100644 --- a/heartbeat/heartbeat.reference.yml +++ b/heartbeat/heartbeat.reference.yml 
@@ -718,8 +718,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -851,8 +851,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1054,8 +1054,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1216,8 +1216,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1518,8 +1518,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1721,8 +1721,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml index 2b58e576f0f..d89f0644461 100644 --- a/journalbeat/journalbeat.reference.yml +++ b/journalbeat/journalbeat.reference.yml @@ -483,8 +483,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -616,8 +616,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -819,8 +819,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -981,8 +981,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1283,8 +1283,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1486,8 +1486,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/libbeat/_meta/config/ssl.reference.yml.tmpl b/libbeat/_meta/config/ssl.reference.yml.tmpl index 1fec834e5cc..a52a25a61eb 100644 --- a/libbeat/_meta/config/ssl.reference.yml.tmpl +++ b/libbeat/_meta/config/ssl.reference.yml.tmpl @@ -18,8 +18,8 @@ # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. -# The default value is full. -#ssl.verification_mode: full +# The default value is common_name. +#ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/libbeat/common/transport/tlscommon/verify.go b/libbeat/common/transport/tlscommon/verify.go index d56559150a7..4c68dcb5b2b 100644 --- a/libbeat/common/transport/tlscommon/verify.go +++ b/libbeat/common/transport/tlscommon/verify.go @@ -65,7 +65,7 @@ func verifyCertificateExceptServerName( ) ([]*x509.Certificate, [][]*x509.Certificate, error) { certs, err := overwriteSANWithCommonName(rawCerts) if err != nil { - return nil, nil, errors.Wrapf(err, "failed to overwrite SAN with Common Name") + return nil, nil, errors.Wrapf(err, "failed to overwrite SAN with CommonName") } var t time.Time 
@@ -99,7 +99,7 @@ func verifyCertificateWithLegacyCommonName( ) ([]*x509.Certificate, [][]*x509.Certificate, error) { certs, err := overwriteSANWithCommonName(rawCerts) if err != nil { - return nil, nil, errors.Wrapf(err, "failed to overwrite SAN with Common Name") + return nil, nil, errors.Wrapf(err, "failed to overwrite SAN with CommonName") } var t time.Time @@ -112,7 +112,7 @@ func verifyCertificateWithLegacyCommonName( headCert := certs[0] opts := x509.VerifyOptions{ - DNSName: headCert.Subject.CommonName, + DNSName: headCert.DNSNames[0], Roots: c.RootCAs, CurrentTime: t, Intermediates: x509.NewCertPool(), @@ -141,9 +141,10 @@ func overwriteSANWithCommonName( if err != nil { return nil, errors.Wrap(err, "tls: failed to parse certificate from server") } - if len(cert.DNSNames) == 0 { + fmt.Println(cert.DNSNames, cert.Subject.CommonName, len(cert.DNSNames)) + if len(cert.DNSNames) == 0 || len(cert.DNSNames) == 1 && cert.DNSNames[0] == "" { if len(cert.Subject.CommonName) == 0 { - return nil, fmt.Errorf("missing DNSNames and Common Name") + return nil, fmt.Errorf("missing DNSNames and CommonName") } cert.DNSNames = []string{cert.Subject.CommonName} } diff --git a/libbeat/common/transport/tlscommon/verify_test.go b/libbeat/common/transport/tlscommon/verify_test.go index c08e60642f5..c0936794500 100644 --- a/libbeat/common/transport/tlscommon/verify_test.go +++ b/libbeat/common/transport/tlscommon/verify_test.go 
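Review bot: The `fmt.Println(cert.DNSNames, cert.Subject.CommonName, len(cert.DNSNames))` added in the `@@ -141` hunk of overwriteSANWithCommonName is a leftover debug print: it writes every peer certificate's names to stdout on each handshake, bypasses the Beat's logger, and should be removed before merge. The new condition on the next line mixes `||` and `&&` without parentheses; `if len(cert.DNSNames) == 0 || (len(cert.DNSNames) == 1 && cert.DNSNames[0] == "") {` reads as intended and also deserves a short comment saying why a single empty SAN entry is treated as absent. In the `@@ -112` hunk the expected name given to x509.VerifyOptions is now `DNSName: headCert.DNSNames[0]`, a value taken from the presented certificate itself, so from the visible lines the name check can only confirm that the certificate matches its own first SAN, not that it matches the host the Beat dialed; if the dialed server name is available to this function it should be the DNSName, with the SAN/CN rewrite kept only as the legacy fallback. Both enclosing functions start outside the hunks.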
@@ -101,6 +101,78 @@ func Test_verifyCertificateExceptServerName(t *testing.T) { } } +func Test_verifyCertificateWithLegacyCommonName(t *testing.T) { + + tests := []struct { + name string + ca string + chain string + cert string + time func() time.Time + wantErr bool + }{ + { + name: "no overwrite required", + // a CA for morello.ovh valid from August 9 2019 to 2029 + ca: "ca.crt", + // a cert signed by morello.ovh that expired in nov 2019 + cert: "tls.crt", + time: func() time.Time { + layout := "2006-01-02" + t, _ := time.Parse(layout, "2019-10-01") + return t + }, + wantErr: false, + }, + { + name: "with overwrite", + ca: "ca.crt", + // a self-signed cert for www.example.com valid from July 23 2020 to 2030 + cert: "unsigned_tls.crt", + time: func() time.Time { + layout := "2006-01-02" + t, _ := time.Parse(layout, "2020-07-24") + return t + }, + wantErr: true, + }, + { + name: "cert expired", + ca: "ca.crt", + cert: "tls.crt", + wantErr: true, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + cfg := &TLSConfig{time: tc.time} + // load the CA + if tc.ca != "" { + ca := loadFileBytes(tc.ca) + caCertPool := x509.NewCertPool() + caCertPool.AppendCertsFromPEM(ca) + cfg.RootCAs = caCertPool + } + + // load the cert + rawCerts := [][]byte{} + if tc.cert != "" { + pemCert := loadFileBytes(tc.cert) + block, _ := pem.Decode(pemCert) + rawCerts = append(rawCerts, block.Bytes) + } + + _, _, got := verifyCertificateWithLegacyCommonName(rawCerts, cfg) + if tc.wantErr { + assert.Error(t, got) + } else { + assert.NoError(t, got) + } + }) + } +} + func loadFileBytes(fileName string) []byte { contents, err := ioutil.ReadFile(filepath.Join("testdata", fileName)) if err != nil { diff --git a/libbeat/outputs/redis/redis_integration_test.go b/libbeat/outputs/redis/redis_integration_test.go index d7424239f49..33a8fc5ce96 100644 --- a/libbeat/outputs/redis/redis_integration_test.go +++ b/libbeat/outputs/redis/redis_integration_test.go 
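Review bot: The "with overwrite" case expects an error while using a self-signed certificate that is not in the pool built from `ca.crt`, so the failure it asserts can come from chain validation alone and the new test never shows the CommonName fallback producing a successful verification; a positive case with a CA-issued, SAN-less, CN-only certificate is what would actually exercise the change in overwriteSANWithCommonName. `block, _ := pem.Decode(pemCert)` dereferences `block.Bytes` without a nil check, so a bad testdata file panics instead of failing the test, and the result of `caCertPool.AppendCertsFromPEM(ca)` is ignored: `if block == nil { t.Fatalf("no PEM block in %s", tc.cert) }` and `if !caCertPool.AppendCertsFromPEM(ca) { t.Fatalf("no CA certs in %s", tc.ca) }` make both failures explicit. The "cert expired" case leaves `tc.time` nil, so it presumably relies on the verifier falling back to the current time; worth a comment on that case.
```go
// … unchanged: existing cases …
{
	name: "CN-only cert signed by the CA",
	ca:   "ca.crt",
	// TODO(testdata): a cert issued by ca.crt with no SAN and a CommonName, so the overwrite path is exercised
	cert: "<cn-only-cert-file>.crt",
	time: func() time.Time {
		t, _ := time.Parse("2006-01-02", "<date inside the cert's validity>")
		return t
	},
	wantErr: false,
},
// … unchanged: loop over tests …
```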
@@ -190,7 +190,7 @@ func TestPublishChannelTLS(t *testing.T) { "datatype": "channel", "timeout": "5s", - "ssl.verification_mode": "full", + "ssl.verification_mode": "common_name", // full + common name workaround, "ssl.certificate_authorities": []string{ "../../../testing/environments/docker/sredis/pki/tls/certs/sredis.crt", }, diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index df3cecf489d..588cad10ef0 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -1317,8 +1317,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1450,8 +1450,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1653,8 +1653,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1815,8 +1815,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -2117,8 +2117,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -2320,8 +2320,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index dea46500f30..c54b6e7d8a1 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml 
@@ -1035,8 +1035,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1168,8 +1168,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1371,8 +1371,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1533,8 +1533,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1835,8 +1835,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -2038,8 +2038,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index 3e091a75d53..a57f37dd80b 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml @@ -463,8 +463,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -596,8 +596,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -799,8 +799,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -961,8 +961,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1263,8 +1263,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1466,8 +1466,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index 15a917c7944..69e46106f07 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml @@ -596,8 +596,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -729,8 +729,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -932,8 +932,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1094,8 +1094,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1396,8 +1396,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1599,8 +1599,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 90a9af9aa26..0bf18b80622 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -3218,8 +3218,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -3351,8 +3351,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -3554,8 +3554,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -3716,8 +3716,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -4018,8 +4018,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -4221,8 +4221,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml index 5f0c594bc3a..d446961ac7a 100644 --- a/x-pack/functionbeat/functionbeat.reference.yml +++ b/x-pack/functionbeat/functionbeat.reference.yml 
@@ -826,8 +826,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -959,8 +959,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1244,8 +1244,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1447,8 +1447,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml index b5e91290547..b372745efe5 100644 --- a/x-pack/heartbeat/heartbeat.reference.yml +++ b/x-pack/heartbeat/heartbeat.reference.yml @@ -718,8 +718,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -851,8 +851,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1054,8 +1054,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1216,8 +1216,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1518,8 +1518,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1721,8 +1721,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index e8e91ac85ad..f6e375bf96a 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml 
@@ -1818,8 +1818,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1951,8 +1951,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -2154,8 +2154,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -2316,8 +2316,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2618,8 +2618,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -2821,8 +2821,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml index dea46500f30..c54b6e7d8a1 100644 --- a/x-pack/packetbeat/packetbeat.reference.yml +++ b/x-pack/packetbeat/packetbeat.reference.yml @@ -1035,8 +1035,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1168,8 +1168,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1371,8 +1371,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1533,8 +1533,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1835,8 +1835,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2038,8 +2038,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index 90a204b1478..460dc8fe17c 100644 --- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml @@ -506,8 +506,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -639,8 +639,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -842,8 +842,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1004,8 +1004,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1306,8 +1306,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1509,8 +1509,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is full. - #ssl.verification_mode: full + # The default value is common_name. + #ssl.verification_mode: common_name # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. From 6123e02a44f8ab6d18503a488c34b00fadef0295 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Fri, 15 Jan 2021 09:59:14 +0100 Subject: [PATCH 17/44] more follow up --- libbeat/outputs/redis/redis_integration_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libbeat/outputs/redis/redis_integration_test.go b/libbeat/outputs/redis/redis_integration_test.go index 33a8fc5ce96..c3ec52a016e 100644 --- a/libbeat/outputs/redis/redis_integration_test.go +++ b/libbeat/outputs/redis/redis_integration_test.go @@ -77,7 +77,7 @@ func TestPublishListTLS(t *testing.T) { "datatype": "list", "timeout": "5s", - "ssl.verification_mode": "full", + "ssl.verification_mode": "common_name", // full + common name workaround "ssl.certificate_authorities": []string{ "../../../testing/environments/docker/sredis/pki/tls/certs/sredis.crt", }, From 3fe103db43968a479bb208079f6af1ad031fd616 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Fri, 15 Jan 2021 11:14:58 +0100 Subject: [PATCH 18/44] add legacy overwrite to ca pinning --- libbeat/common/transport/tlscommon/tls_config.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 9f5d2625cfd..6c444fa9da1 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -125,9 +125,16 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc { pin := len(cfg.CASha256) > 0 skipHostName := cfg.Verification == VerifyCertificate + legacyCommonName := cfg.Verification == VerifyLegacyCommonName if pin && !skipHostName { return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + if legacyCommonName { + _, _, err := verifyCertificateWithLegacyCommonName(rawCerts, cfg) + if err != nil { + return err + } + } return verifyCAPin(cfg.CASha256, verifiedChains) } } 
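Review bot: The inline comment `// full + common name workaround` on the changed line does not say what is being worked around, so a later reader cannot tell whether `common_name` is a permanent test setting or a stopgap to be reverted. State the reason and the exit condition, e.g. `// sredis.crt presumably carries no SAN, so "full" fails now that Go 1.15 no longer falls back to the CN; switch back once the test cert has a SAN`, with the SAN claim checked against the cert under testing/environments/docker/sredis. The diffstat of a later commit in this series shows this file changing again, so the comment should be kept in step when the mode name changes. TestPublishListTLS starts and ends outside the hunk.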
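Review bot: Inside the new `if legacyCommonName` branch the chains returned by `verifyCertificateWithLegacyCommonName` are discarded (`_, _, err :=`), and `verifyCAPin` on the following line is then evaluated against the `verifiedChains` argument handed in by crypto/tls rather than against the chain the legacy verifier just accepted. If the legacy mode disables the standard verifier (crypto/tls passes a nil `verifiedChains` when InsecureSkipVerify is set), the pin is checked against nothing, and whether that passes depends on how verifyCAPin treats an empty list. The next commit in this series reassigns `verifiedChains` from the legacy call, which resolves the mismatch; on this commit alone the pin result should be derived from the same chains that passed CN verification, i.e. `_, verifiedChains, err = verifyCertificateWithLegacyCommonName(rawCerts, cfg)`. makeVerifyPeerCertificate continues past the hunk.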
@@ -149,7 +156,6 @@ func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc { } } - legacyCommonName := cfg.Verification == VerifyLegacyCommonName if legacyCommonName { return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { _, _, err := verifyCertificateWithLegacyCommonName(rawCerts, cfg) From d0f9e535affdf2d770e9cb1e1c411972aa1d9159 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Fri, 15 Jan 2021 13:07:07 +0100 Subject: [PATCH 19/44] more adjustment --- libbeat/common/transport/tlscommon/tls_config.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 6c444fa9da1..767c8e7601d 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -130,7 +130,8 @@ func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc { if pin && !skipHostName { return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { if legacyCommonName { - _, _, err := verifyCertificateWithLegacyCommonName(rawCerts, cfg) + var err error + _, verifiedChains, err = verifyCertificateWithLegacyCommonName(rawCerts, cfg) if err != nil { return err } From 415f4b3f8a88ea72a69065ccc0058fb8afa41153 Mon Sep 17 00:00:00 2001 
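Review bot: The hunk assigns the legacy verifier's chains to the closure parameter `verifiedChains`, but nothing in view guarantees the slice is non-empty before `verifyCAPin(cfg.CASha256, verifiedChains)` runs on the unchanged line below; if verifyCAPin only errors when it finds a chain whose CA does not match, an empty result would pass the pin silently. Confirm verifyCAPin fails closed on an empty list, or guard explicitly right after the error check: `if len(verifiedChains) == 0 { return /* error: no verified chain to pin against */ }`. Reassigning the parameter also reads like shadowing at first glance; a short comment such as `// pin against the chain the legacy verifier accepted, not the one crypto/tls handed in` would make the intent clear. makeVerifyPeerCertificate starts before and ends after the hunk.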
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Fri, 15 Jan 2021 15:05:11 +0100 Subject: [PATCH 20/44] update setting name --- auditbeat/auditbeat.reference.yml | 60 +++++++++--------- filebeat/filebeat.reference.yml | 60 +++++++++--------- heartbeat/heartbeat.reference.yml | 60 +++++++++--------- journalbeat/journalbeat.reference.yml | 60 +++++++++--------- libbeat/_meta/config/ssl.reference.yml.tmpl | 10 +-- .../common/transport/tlscommon/tls_config.go | 8 +-- libbeat/common/transport/tlscommon/types.go | 6 +- libbeat/common/transport/tlscommon/verify.go | 63 +++++++++---------- .../outputs/redis/redis_integration_test.go | 6 +- metricbeat/metricbeat.reference.yml | 60 +++++++++--------- packetbeat/packetbeat.reference.yml | 60 +++++++++--------- winlogbeat/winlogbeat.reference.yml | 60 +++++++++--------- x-pack/auditbeat/auditbeat.reference.yml | 60 +++++++++--------- x-pack/filebeat/filebeat.reference.yml | 60 +++++++++--------- .../functionbeat/functionbeat.reference.yml | 40 ++++++------ x-pack/heartbeat/heartbeat.reference.yml | 60 +++++++++--------- x-pack/metricbeat/metricbeat.reference.yml | 60 +++++++++--------- x-pack/packetbeat/packetbeat.reference.yml | 60 +++++++++--------- x-pack/winlogbeat/winlogbeat.reference.yml | 60 +++++++++--------- 19 files changed, 455 insertions(+), 458 deletions(-) diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index 55a73cbdd2d..7a053b62884 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml 
@@ -529,10 +529,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -540,8 +540,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
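Review bot: The new `strict` bullet differs from the `full` bullet above it only by the sentence about an empty Subject Alternative Name, so the `full` entry no longer says what it does in that case — and that difference is the only reason to choose one mode over the other. State it on the `full` bullet, e.g. `# matches the names identified within the certificate. If the certificate has no Subject Alternative Name, the Common Name is used instead.`, provided that is what the verifier now does. The `certificate` bullet is also listed twice in the surviving text. This file appears to be generated from libbeat/_meta/config/ssl.reference.yml.tmpl (listed in the diffstat), so the wording fix belongs in the template.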
@@ -662,10 +662,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -673,8 +673,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -865,10 +865,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -876,8 +876,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1027,10 +1027,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1038,8 +1038,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1329,10 +1329,10 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1340,8 +1340,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1532,10 +1532,10 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1543,8 +1543,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 28c59480672..6cf5f8d33fa 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml 
@@ -1409,10 +1409,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1420,8 +1420,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1542,10 +1542,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1553,8 +1553,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1745,10 +1745,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1756,8 +1756,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1907,10 +1907,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1918,8 +1918,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2209,10 +2209,10 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -2220,8 +2220,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2412,10 +2412,10 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -2423,8 +2423,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml index b372745efe5..e39dfa16d69 100644 --- a/heartbeat/heartbeat.reference.yml +++ b/heartbeat/heartbeat.reference.yml 
@@ -707,10 +707,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -718,8 +718,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -840,10 +840,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -851,8 +851,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1043,10 +1043,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1054,8 +1054,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1205,10 +1205,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1216,8 +1216,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1507,10 +1507,10 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1518,8 +1518,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1710,10 +1710,10 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1721,8 +1721,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml index d89f0644461..1eb7814f834 100644 --- a/journalbeat/journalbeat.reference.yml +++ b/journalbeat/journalbeat.reference.yml 
@@ -472,10 +472,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -483,8 +483,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -605,10 +605,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -616,8 +616,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -808,10 +808,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -819,8 +819,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -970,10 +970,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -981,8 +981,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1272,10 +1272,10 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1283,8 +1283,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1475,10 +1475,10 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1486,8 +1486,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/libbeat/_meta/config/ssl.reference.yml.tmpl b/libbeat/_meta/config/ssl.reference.yml.tmpl index a52a25a61eb..69b666f9c97 100644 --- a/libbeat/_meta/config/ssl.reference.yml.tmpl +++ b/libbeat/_meta/config/ssl.reference.yml.tmpl 
@@ -7,10 +7,10 @@ # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. -# * common_name, which verifies that the provided certificate is signed by a trusted +# * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) -# matches the names identified within the certificate. If DNSNames is empty -# it is overwritten with the value from Common Name. +# matches the names identified within the certificate. If the Subject Alternative +# Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -18,8 +18,8 @@ # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. -# The default value is common_name. -#ssl.verification_mode: common_name +# The default value is full. +#ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 767c8e7601d..ced6cd9016e 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go 
@@ -88,7 +88,7 @@ func (c *TLSConfig) ToConfig() *tls.Config { // or when we are using 'certificate' TLS verification mode, we add a custom callback verifyPeerCertFn := makeVerifyPeerCertificate(c) - insecure := c.Verification != VerifyFull + insecure := c.Verification != VerifyStrict if c.Verification == VerifyNone { logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.") } @@ -125,16 +125,16 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc { pin := len(cfg.CASha256) > 0 skipHostName := cfg.Verification == VerifyCertificate - legacyCommonName := cfg.Verification == VerifyLegacyCommonName + legacyCommonName := cfg.Verification == VerifyFull if pin && !skipHostName { return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { if legacyCommonName { - var err error - _, verifiedChains, err = verifyCertificateWithLegacyCommonName(rawCerts, cfg) + _, chains, err := verifyCertificateWithLegacyCommonName(rawCerts, cfg) if err != nil { return err } + return verifyCAPin(cfg.CASha256, chains) } return verifyCAPin(cfg.CASha256, verifiedChains) } diff --git a/libbeat/common/transport/tlscommon/types.go b/libbeat/common/transport/tlscommon/types.go index 62159f447af..29b11c92010 100644 --- a/libbeat/common/transport/tlscommon/types.go +++ b/libbeat/common/transport/tlscommon/types.go @@ -127,15 +127,15 @@ const ( VerifyFull TLSVerificationMode = iota VerifyNone VerifyCertificate - VerifyLegacyCommonName + VerifyStrict ) var tlsVerificationModes = map[string]TLSVerificationMode{ - "": VerifyLegacyCommonName, + "": VerifyFull, "full": VerifyFull, + "strict": VerifyStrict, "none": VerifyNone, "certificate": VerifyCertificate, - "common_name": VerifyLegacyCommonName, } func (m TLSVerificationMode) String() string { diff --git a/libbeat/common/transport/tlscommon/verify.go b/libbeat/common/transport/tlscommon/verify.go index 4c68dcb5b2b..f92e9f7a58f 100644 
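Review bot: `insecure := c.Verification != VerifyStrict` now sets InsecureSkipVerify for the default `full` mode too, so in that mode crypto/tls performs no chain or hostname check at all and correctness rests entirely on the callback returned by makeVerifyPeerCertificate. The visible part of that function only installs a callback for `pin && !skipHostName`; the unpinned `full` branches are outside the hunk, so if any of them leaves VerifyPeerCertificate nil for VerifyFull the connection is accepted unverified. A comment on this line such as `// every mode except strict bypasses crypto/tls verification; verifyPeerCertFn must cover all of them` plus a test that `full` without ca_sha256 still rejects an untrusted or mis-named certificate would pin that invariant. ToConfig's body continues outside the hunk.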
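Review bot: `legacyCommonName := cfg.Verification == VerifyFull` keeps an identifier that reads as the removed opt-in legacy mode while it now selects the default, so a reader will assume the CommonName fallback is something users ask for rather than what every unconfigured beat does. Rename it and say why, e.g. `useCommonNameFallback := cfg.Verification == VerifyFull // 'full' keeps the pre-Go-1.15 CN-as-SAN fallback; 'strict' does not`. The rest of makeVerifyPeerCertificate, including the unpinned branches that decide the same question, is outside the hunk.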
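Review bot: Dropping the `"common_name"` key means an existing configuration with `ssl.verification_mode: common_name` (the value the previous reference files shipped and the redis tests used) will presumably be rejected by whatever Unmarshal consults this map, which is outside the hunk. Since `full` now carries exactly the behaviour `common_name` had, keep a deprecated alias `"common_name": VerifyFull, // deprecated alias of full, kept so existing configs still load` and emit a deprecation warning where the value is parsed. The `String()` method starting below the hunk should also gain a `VerifyStrict` case so the new mode does not print as an unknown value.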
--- a/libbeat/common/transport/tlscommon/verify.go +++ b/libbeat/common/transport/tlscommon/verify.go @@ -55,6 +55,10 @@ import ( "github.com/pkg/errors" ) +var ( + ErrMissingDNSNameCommonName = errors.New("missing DNSNames and CommonName") +) + // verifyCertificateExceptServerName is a TLS Certificate verification utility method that verifies that the provided // certificate chain is valid and is signed by one of the root CAs in the provided tls.Config. It is intended to be // as similar as possible to the default verify, but does not verify that the provided certificate matches the @@ -63,9 +67,16 @@ func verifyCertificateExceptServerName( rawCerts [][]byte, c *TLSConfig, ) ([]*x509.Certificate, [][]*x509.Certificate, error) { - certs, err := overwriteSANWithCommonName(rawCerts) - if err != nil { - return nil, nil, errors.Wrapf(err, "failed to overwrite SAN with CommonName") + // this is where we're a bit suboptimal, as we have to re-parse the certificates that have been presented + // during the handshake. + // the verification code here is taken from verifyServerCertificate in crypto/tls/handshake_client.go:824 + certs := make([]*x509.Certificate, len(rawCerts)) + for i, asn1Data := range rawCerts { + cert, err := x509.ParseCertificate(asn1Data) + if err != nil { + return nil, nil, fmt.Errorf("tls: failed to parse certificate from server: %+v", err) + } + certs[i] = cert } var t time.Time 
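Review bot: The certificate re-parse loop added here is repeated verbatim in verifyCertificateWithLegacyCommonName in the next hunk, which is the one thing the deleted overwriteSANWithCommonName helper had factored out; a small `parseRawCerts(rawCerts [][]byte) ([]*x509.Certificate, error)` would keep one copy and let the CN fallback live only in the caller that needs it. The wrap also changed from `errors.Wrap` to `fmt.Errorf(..., %+v)`, which flattens the cause into text instead of keeping it in the chain; this file imports github.com/pkg/errors, so `errors.Wrap(err, "tls: failed to parse certificate from server")` is the consistent form. The function body continues past the hunk.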
@@ -97,9 +108,22 @@ func verifyCertificateWithLegacyCommonName( rawCerts [][]byte, c *TLSConfig, ) ([]*x509.Certificate, [][]*x509.Certificate, error) { - certs, err := overwriteSANWithCommonName(rawCerts) - if err != nil { - return nil, nil, errors.Wrapf(err, "failed to overwrite SAN with CommonName") + // this is where we're a bit suboptimal, as we have to re-parse the certificates that have been presented + // during the handshake. + // the verification code here is taken from verifyServerCertificate in crypto/tls/handshake_client.go:824 + certs := make([]*x509.Certificate, len(rawCerts)) + for i, asn1Data := range rawCerts { + cert, err := x509.ParseCertificate(asn1Data) + if err != nil { + return nil, nil, fmt.Errorf("tls: failed to parse certificate from server: %+v", err) + } + if len(cert.DNSNames) == 0 || len(cert.DNSNames) == 1 && cert.DNSNames[0] == "" { + if len(cert.Subject.CommonName) == 0 { + return nil, nil, ErrMissingDNSNameCommonName + } + cert.DNSNames = []string{cert.Subject.CommonName} + } + certs[i] = cert } var t time.Time 
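Review bot: The fallback condition `len(cert.DNSNames) == 0 || ...` ignores `cert.IPAddresses`, so a certificate whose only SAN entries are IP addresses and that has no CommonName fails with ErrMissingDNSNameCommonName, even though the reference configuration says this mode matches the hostname or IP address and such a certificate is valid. The check also runs on every certificate in the chain, including intermediates and the CA, whose names are never matched against the peer, so a CA certificate without a CN is rejected outright; in a TLS chain rawCerts[0] is the leaf, which is the only one that needs the fallback. The body continues past the hunk (`var t time.Time` onward).
```go
	for i, asn1Data := range rawCerts {
		cert, err := x509.ParseCertificate(asn1Data)
		if err != nil {
			return nil, nil, fmt.Errorf("tls: failed to parse certificate from server: %+v", err)
		}
		// Only the leaf is matched against the peer name; a leaf with IP SANs needs no fallback.
		noDNSName := len(cert.DNSNames) == 0 || len(cert.DNSNames) == 1 && cert.DNSNames[0] == ""
		if i == 0 && noDNSName && len(cert.IPAddresses) == 0 {
			if cert.Subject.CommonName == "" {
				return nil, nil, ErrMissingDNSNameCommonName
			}
			cert.DNSNames = []string{cert.Subject.CommonName}
		}
		certs[i] = cert
	}
```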
@@ -126,30 +150,3 @@ func verifyCertificateWithLegacyCommonName( chains, err := headCert.Verify(opts) return certs, chains, err } - -// overwriteSANWithCommonName adds the Common Name to DNSNames, if the list is empty. -// It is a workaround to address the changes introduced in Golang 1.15: https://golang.org/doc/go1.15#commonname. -func overwriteSANWithCommonName( - rawCerts [][]byte, -) ([]*x509.Certificate, error) { - // this is where we're a bit suboptimal, as we have to re-parse the certificates that have been presented - // during the handshake. - // the verification code here is taken from verifyServerCertificate in crypto/tls/handshake_client.go:824 - certs := make([]*x509.Certificate, len(rawCerts)) - for i, asn1Data := range rawCerts { - cert, err := x509.ParseCertificate(asn1Data) - if err != nil { - return nil, errors.Wrap(err, "tls: failed to parse certificate from server") - } - fmt.Println(cert.DNSNames, cert.Subject.CommonName, len(cert.DNSNames)) - if len(cert.DNSNames) == 0 || len(cert.DNSNames) == 1 && cert.DNSNames[0] == "" { - if len(cert.Subject.CommonName) == 0 { - return nil, fmt.Errorf("missing DNSNames and CommonName") - } - cert.DNSNames = []string{cert.Subject.CommonName} - } - certs[i] = cert - } - - return certs, nil -} diff --git a/libbeat/outputs/redis/redis_integration_test.go b/libbeat/outputs/redis/redis_integration_test.go index c3ec52a016e..3e146cad912 100644 --- a/libbeat/outputs/redis/redis_integration_test.go +++ b/libbeat/outputs/redis/redis_integration_test.go @@ -77,7 +77,7 @@ func TestPublishListTLS(t *testing.T) { "datatype": "list", "timeout": "5s", - "ssl.verification_mode": "common_name", // full + common name workaround + "ssl.verification_mode": "full", "ssl.certificate_authorities": []string{ "../../../testing/environments/docker/sredis/pki/tls/certs/sredis.crt", }, 
@@ -112,7 +112,7 @@ func TestWithSchema(t *testing.T) { "datatype": "list", "timeout": "5s", - "ssl.verification_mode": "common_name", // full + common name workaround + "ssl.verification_mode": "full", "ssl.certificate_authorities": []string{ "../../../testing/environments/docker/sredis/pki/tls/certs/sredis.crt", }, @@ -190,7 +190,7 @@ func TestPublishChannelTLS(t *testing.T) { "datatype": "channel", "timeout": "5s", - "ssl.verification_mode": "common_name", // full + common name workaround, + "ssl.verification_mode": "full", "ssl.certificate_authorities": []string{ "../../../testing/environments/docker/sredis/pki/tls/certs/sredis.crt", }, diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index 588cad10ef0..f48de895ab6 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -1306,10 +1306,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This 
@@ -1317,8 +1317,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. @@ -1439,10 +1439,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1450,8 +1450,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1642,10 +1642,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1653,8 +1653,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1804,10 +1804,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1815,8 +1815,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2106,10 +2106,10 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -2117,8 +2117,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2309,10 +2309,10 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -2320,8 +2320,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index c54b6e7d8a1..9737223098b 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml 
@@ -1024,10 +1024,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1035,8 +1035,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1157,10 +1157,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1168,8 +1168,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1360,10 +1360,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1371,8 +1371,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1522,10 +1522,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1533,8 +1533,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1824,10 +1824,10 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1835,8 +1835,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2027,10 +2027,10 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -2038,8 +2038,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index a57f37dd80b..5eafb6ae1cb 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml 
@@ -452,10 +452,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -463,8 +463,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -585,10 +585,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -596,8 +596,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -788,10 +788,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -799,8 +799,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -950,10 +950,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -961,8 +961,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1252,10 +1252,10 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -1263,8 +1263,8 @@ setup.kibana:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -1455,10 +1455,10 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -1466,8 +1466,8 @@ logging.files:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml
index 69e46106f07..9395908a0de 100644
--- a/x-pack/auditbeat/auditbeat.reference.yml
+++ b/x-pack/auditbeat/auditbeat.reference.yml
@@ -585,10 +585,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -596,8 +596,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -718,10 +718,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -729,8 +729,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -921,10 +921,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -932,8 +932,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -1083,10 +1083,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -1094,8 +1094,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -1385,10 +1385,10 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -1396,8 +1396,8 @@ setup.kibana:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -1588,10 +1588,10 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -1599,8 +1599,8 @@ logging.files:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index 0bf18b80622..242b551c510 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -3207,10 +3207,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -3218,8 +3218,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -3340,10 +3340,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -3351,8 +3351,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -3543,10 +3543,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -3554,8 +3554,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -3705,10 +3705,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -3716,8 +3716,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -4007,10 +4007,10 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -4018,8 +4018,8 @@ setup.kibana:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -4210,10 +4210,10 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -4221,8 +4221,8 @@ logging.files:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml
index d446961ac7a..d96ab60094e 100644
--- a/x-pack/functionbeat/functionbeat.reference.yml
+++ b/x-pack/functionbeat/functionbeat.reference.yml
@@ -815,10 +815,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -826,8 +826,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -948,10 +948,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -959,8 +959,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -1233,10 +1233,10 @@ setup.kibana:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -1244,8 +1244,8 @@ setup.kibana:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -1436,10 +1436,10 @@ logging.files:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -1447,8 +1447,8 @@ logging.files:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml
index b372745efe5..e39dfa16d69 100644
--- a/x-pack/heartbeat/heartbeat.reference.yml
+++ b/x-pack/heartbeat/heartbeat.reference.yml
@@ -707,10 +707,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -718,8 +718,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -840,10 +840,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -851,8 +851,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -1043,10 +1043,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -1054,8 +1054,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -1205,10 +1205,10 @@ output.elasticsearch:
 # matches the names identified within the certificate.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
- # * common_name, which verifies that the provided certificate is signed by a trusted
+ # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
- # matches the names identified within the certificate. If DNSNames is empty
- # it is overwritten with the value from Common Name.
+ # matches the names identified within the certificate. If the Subject Alternative
+ # Name is empty, it returns an error.
 # * certificate, which verifies that the provided certificate is signed by a
 # trusted authority (CA), but does not perform any hostname verification.
 # * none, which performs no verification of the server's certificate. This
@@ -1216,8 +1216,8 @@ output.elasticsearch:
 # after very careful consideration. It is primarily intended as a temporary
 # diagnostic mechanism when attempting to resolve TLS errors; its use in
 # production environments is strongly discouraged.
- # The default value is common_name.
- #ssl.verification_mode: common_name
+ # The default value is full.
+ #ssl.verification_mode: full
 
 # List of supported/valid TLS versions. By default all TLS versions from 1.1
 # up to 1.3 are enabled.
@@ -1507,10 +1507,10 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1518,8 +1518,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1710,10 +1710,10 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1721,8 +1721,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index f6e375bf96a..c003205f76c 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml 
@@ -1807,10 +1807,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1818,8 +1818,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1940,10 +1940,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1951,8 +1951,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2143,10 +2143,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -2154,8 +2154,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2305,10 +2305,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -2316,8 +2316,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2607,10 +2607,10 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -2618,8 +2618,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2810,10 +2810,10 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -2821,8 +2821,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml index c54b6e7d8a1..9737223098b 100644 --- a/x-pack/packetbeat/packetbeat.reference.yml +++ b/x-pack/packetbeat/packetbeat.reference.yml 
@@ -1024,10 +1024,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1035,8 +1035,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1157,10 +1157,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1168,8 +1168,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1360,10 +1360,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1371,8 +1371,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1522,10 +1522,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1533,8 +1533,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1824,10 +1824,10 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1835,8 +1835,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -2027,10 +2027,10 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -2038,8 +2038,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index 460dc8fe17c..43427ba20f6 100644 --- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml 
@@ -495,10 +495,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -506,8 +506,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -628,10 +628,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -639,8 +639,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -831,10 +831,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -842,8 +842,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -993,10 +993,10 @@ output.elasticsearch: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1004,8 +1004,8 @@ output.elasticsearch: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1295,10 +1295,10 @@ setup.kibana: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1306,8 +1306,8 @@ setup.kibana: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. 
@@ -1498,10 +1498,10 @@ logging.files: # matches the names identified within the certificate. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. - # * common_name, which verifies that the provided certificate is signed by a trusted + # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) - # matches the names identified within the certificate. If DNSNames is empty - # it is overwritten with the value from Common Name. + # matches the names identified within the certificate. If the Subject Alternative + # Name is empty, it returns an error. # * certificate, which verifies that the provided certificate is signed by a # trusted authority (CA), but does not perform any hostname verification. # * none, which performs no verification of the server's certificate. This @@ -1509,8 +1509,8 @@ logging.files: # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. - # The default value is common_name. - #ssl.verification_mode: common_name + # The default value is full. + #ssl.verification_mode: full # List of supported/valid TLS versions. By default all TLS versions from 1.1 # up to 1.3 are enabled. From 811465408007596946c04f7ff237c4c38aba4e66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Fri, 15 Jan 2021 17:43:09 +0100 Subject: [PATCH 21/44] hack again --- .../common/transport/tlscommon/tls_config.go | 47 ++++++++++++------- 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index ced6cd9016e..3eeeda55a10 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go 
+++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -20,6 +20,7 @@ package tlscommon import ( "crypto/tls" "crypto/x509" + "fmt" "time" "github.com/elastic/beats/v7/libbeat/logp" @@ -87,12 +88,12 @@ func (c *TLSConfig) ToConfig() *tls.Config { // When we are using the CAsha256 pin to validate the CA used to validate the chain, // or when we are using 'certificate' TLS verification mode, we add a custom callback verifyPeerCertFn := makeVerifyPeerCertificate(c) + verifyConnectionFn := makeVerifyConnection(c) insecure := c.Verification != VerifyStrict if c.Verification == VerifyNone { logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.") } - return &tls.Config{ MinVersion: minVersion, MaxVersion: maxVersion, @@ -106,6 +107,7 @@ func (c *TLSConfig) ToConfig() *tls.Config { ClientAuth: c.ClientAuth, VerifyPeerCertificate: verifyPeerCertFn, Time: c.time, + VerifyConnection: verifyConnectionFn, } } 
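Review bot: With `insecure := c.Verification != VerifyStrict` the default `full` mode now runs with `InsecureSkipVerify` set, so Go hands `verifiedChains == nil` to the `VerifyPeerCertificate` callback, and the CA-pin closure that `makeVerifyPeerCertificate` installs for `pin && !skipHostName` has nothing to pin against in `full` mode — the removed `legacyCommonName` branch built the chain itself before calling `verifyCAPin`. Whether `verifyCAPin` rejects or accepts a nil chain is not visible here, but either every pinned `full` connection now fails or the pin is silently never enforced; a test with `ca_sha256` set and `verification_mode: full` would settle which. The chain should be built where the pin is checked, or the pin applied inside the new VerifyConnection callback, which is the place that now produces verified chains. A comment on the `insecure` line would also help the next reader: `// Only strict leaves verification to crypto/tls; full and certificate disable it and rely on the callbacks below, which then receive nil verifiedChains.` ToConfig begins before this hunk.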
@@ -121,21 +123,41 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { return config } +func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { + if cfg.Verification == VerifyFull { + return func(cs tls.ConnectionState) error { + dnsnames := cs.PeerCertificates[0].DNSNames + var serverName string + if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { + serverName = cs.PeerCertificates[0].Subject.CommonName + } else { + serverName = dnsnames[0] + } + if serverName != cs.ServerName { + return fmt.Errorf("invalid certificate name %q, expected %q", serverName, cs.ServerName) + } + opts := x509.VerifyOptions{ + Roots: cfg.RootCAs, + Intermediates: x509.NewCertPool(), + } + for _, cert := range cs.PeerCertificates[1:] { + opts.Intermediates.AddCert(cert) + } + _, err := cs.PeerCertificates[0].Verify(opts) + return err + } + } + return nil + +} + // makeVerifyPeerCertificate creates the verification combination of checking certificate pins and skipping host name validation depending on the config func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc { pin := len(cfg.CASha256) > 0 skipHostName := cfg.Verification == VerifyCertificate - legacyCommonName := cfg.Verification == VerifyFull if pin && !skipHostName { return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - if legacyCommonName { - _, chains, err := verifyCertificateWithLegacyCommonName(rawCerts, cfg) - if err != nil { - return err - } - return verifyCAPin(cfg.CASha256, chains) - } return verifyCAPin(cfg.CASha256, verifiedChains) } } @@ -157,12 +179,5 @@ func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc { } } - if legacyCommonName { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - _, _, err := verifyCertificateWithLegacyCommonName(rawCerts, cfg) - return err - } - } - return nil } From 0b16bb6368edc04d78c5edc8a688aa070ae12bb3 Mon Sep 17 00:00:00 2001 
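Review bot: The hostname check in the new `VerifyFull` callback compares only `dnsnames[0]` to `cs.ServerName` with `!=`, so a certificate whose matching SAN is not the first entry, a wildcard SAN, or an IP SAN (the reference config on this page promises `hostname (or IP address)` matching) is rejected, and a name-case difference fails too. The chain check also drops `CurrentTime`: the removed `verifyCertificateWithLegacyCommonName` honoured `c.time`, but this `x509.VerifyOptions` verifies against the wall clock, so tests or callers that inject a clock silently lose it. Let the standard library do the name matching by setting `opts.DNSName = cs.ServerName` whenever the leaf carries SANs, and compare the Common Name only for SAN-less certificates, which is the legacy behaviour this patch is trying to preserve. The intermediates loop and the `Verify` call can stay as they are.
```go
return func(cs tls.ConnectionState) error {
	leaf := cs.PeerCertificates[0]
	opts := x509.VerifyOptions{
		Roots:         cfg.RootCAs,
		Intermediates: x509.NewCertPool(),
	}
	// Keep the injectable clock the removed legacy path honoured.
	if cfg.time != nil {
		opts.CurrentTime = cfg.time()
	}
	if len(leaf.DNSNames) > 0 || len(leaf.IPAddresses) > 0 {
		// Let the stdlib match SANs: multiple names, wildcards, IP SANs.
		opts.DNSName = cs.ServerName
	} else if leaf.Subject.CommonName != cs.ServerName {
		// Legacy fallback for SAN-less certificates: compare the CN.
		return x509.HostnameError{Certificate: leaf, Host: cs.ServerName}
	}
	// … unchanged: add intermediates, Verify, return err …
}
```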
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Fri, 15 Jan 2021 18:12:09 +0100 Subject: [PATCH 22/44] rm func --- libbeat/common/transport/tlscommon/verify.go | 47 ------------ .../common/transport/tlscommon/verify_test.go | 72 ------------------- 2 files changed, 119 deletions(-) diff --git a/libbeat/common/transport/tlscommon/verify.go b/libbeat/common/transport/tlscommon/verify.go index f92e9f7a58f..21d75f89ca8 100644 --- a/libbeat/common/transport/tlscommon/verify.go +++ b/libbeat/common/transport/tlscommon/verify.go @@ -103,50 +103,3 @@ func verifyCertificateExceptServerName( chains, err := headCert.Verify(opts) return certs, chains, err } - -func verifyCertificateWithLegacyCommonName( - rawCerts [][]byte, - c *TLSConfig, -) ([]*x509.Certificate, [][]*x509.Certificate, error) { - // this is where we're a bit suboptimal, as we have to re-parse the certificates that have been presented - // during the handshake. - // the verification code here is taken from verifyServerCertificate in crypto/tls/handshake_client.go:824 - certs := make([]*x509.Certificate, len(rawCerts)) - for i, asn1Data := range rawCerts { - cert, err := x509.ParseCertificate(asn1Data) - if err != nil { - return nil, nil, fmt.Errorf("tls: failed to parse certificate from server: %+v", err) - } - if len(cert.DNSNames) == 0 || len(cert.DNSNames) == 1 && cert.DNSNames[0] == "" { - if len(cert.Subject.CommonName) == 0 { - return nil, nil, ErrMissingDNSNameCommonName - } - cert.DNSNames = []string{cert.Subject.CommonName} - } - certs[i] = cert - } - - var t time.Time - if c.time != nil { - t = c.time() - } else { - t = time.Now() - } - - headCert := certs[0] - - opts := x509.VerifyOptions{ - DNSName: headCert.DNSNames[0], - Roots: c.RootCAs, - CurrentTime: t, - Intermediates: x509.NewCertPool(), - } - - for _, cert := range certs[1:] { - opts.Intermediates.AddCert(cert) - } - - // defer to the default verification performed - chains, err := headCert.Verify(opts) - return certs, chains, err -} 
diff --git a/libbeat/common/transport/tlscommon/verify_test.go b/libbeat/common/transport/tlscommon/verify_test.go index c0936794500..c08e60642f5 100644 --- a/libbeat/common/transport/tlscommon/verify_test.go +++ b/libbeat/common/transport/tlscommon/verify_test.go @@ -101,78 +101,6 @@ func Test_verifyCertificateExceptServerName(t *testing.T) { } } -func Test_verifyCertificateWithLegacyCommonName(t *testing.T) { - - tests := []struct { - name string - ca string - chain string - cert string - time func() time.Time - wantErr bool - }{ - { - name: "no overwrite required", - // a CA for morello.ovh valid from August 9 2019 to 2029 - ca: "ca.crt", - // a cert signed by morello.ovh that expired in nov 2019 - cert: "tls.crt", - time: func() time.Time { - layout := "2006-01-02" - t, _ := time.Parse(layout, "2019-10-01") - return t - }, - wantErr: false, - }, - { - name: "with overwrite", - ca: "ca.crt", - // a self-signed cert for www.example.com valid from July 23 2020 to 2030 - cert: "unsigned_tls.crt", - time: func() time.Time { - layout := "2006-01-02" - t, _ := time.Parse(layout, "2020-07-24") - return t - }, - wantErr: true, - }, - { - name: "cert expired", - ca: "ca.crt", - cert: "tls.crt", - wantErr: true, - }, - } - - for _, tc := range tests { - t.Run(tc.name, func(t *testing.T) { - cfg := &TLSConfig{time: tc.time} - // load the CA - if tc.ca != "" { - ca := loadFileBytes(tc.ca) - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(ca) - cfg.RootCAs = caCertPool - } - - // load the cert - rawCerts := [][]byte{} - if tc.cert != "" { - pemCert := loadFileBytes(tc.cert) - block, _ := pem.Decode(pemCert) - rawCerts = append(rawCerts, block.Bytes) - } - - _, _, got := verifyCertificateWithLegacyCommonName(rawCerts, cfg) - if tc.wantErr { - assert.Error(t, got) - } else { - assert.NoError(t, got) - } - }) - } -} - func loadFileBytes(fileName string) []byte { contents, err := ioutil.ReadFile(filepath.Join("testdata", fileName)) if err != nil { 
From 178c91a4bbc60dafcadbbbc8a8d3b2ac65ec400b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Sun, 17 Jan 2021 13:10:14 +0100 Subject: [PATCH 23/44] tmp --- libbeat/common/transport/tlscommon/tls_config.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 3eeeda55a10..8bdaf6f51f9 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -127,12 +127,14 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { if cfg.Verification == VerifyFull { return func(cs tls.ConnectionState) error { dnsnames := cs.PeerCertificates[0].DNSNames + logp.Infof(">>>>> dnsnames %v", dnsnames) var serverName string if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { serverName = cs.PeerCertificates[0].Subject.CommonName } else { serverName = dnsnames[0] } + logp.Infof(">>>>> servername %v", serverName) if serverName != cs.ServerName { return fmt.Errorf("invalid certificate name %q, expected %q", serverName, cs.ServerName) } @@ -144,6 +146,7 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { opts.Intermediates.AddCert(cert) } _, err := cs.PeerCertificates[0].Verify(opts) + logp.Infof("verify result %+v", err) return err } } From cf646f7fb9e64ec1bbde272b476679e9580ed4d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Sun, 17 Jan 2021 13:11:13 +0100 Subject: [PATCH 24/44] tmp --- libbeat/common/transport/tlscommon/tls_config.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 8bdaf6f51f9..e905cd36aa1 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go 
@@ -127,14 +127,14 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { if cfg.Verification == VerifyFull { return func(cs tls.ConnectionState) error { dnsnames := cs.PeerCertificates[0].DNSNames - logp.Infof(">>>>> dnsnames %v", dnsnames) + logp.Info(">>>>> dnsnames %v", dnsnames) var serverName string if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { serverName = cs.PeerCertificates[0].Subject.CommonName } else { serverName = dnsnames[0] } - logp.Infof(">>>>> servername %v", serverName) + logp.Info(">>>>> servername %v", serverName) if serverName != cs.ServerName { return fmt.Errorf("invalid certificate name %q, expected %q", serverName, cs.ServerName) } @@ -146,7 +146,7 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { opts.Intermediates.AddCert(cert) } _, err := cs.PeerCertificates[0].Verify(opts) - logp.Infof("verify result %+v", err) + logp.Info("verify result %+v", err) return err } } From 555f1cce37b0ef40484baf81ca59dcd2a7d2235d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Sun, 17 Jan 2021 14:39:30 +0100 Subject: [PATCH 25/44] minor adjustments --- filebeat/tests/system/test_tcp_tls.py | 4 + .../transport/tlscommon/ca_pinning_test.go | 28 ++---- .../common/transport/tlscommon/tls_config.go | 85 +++++++++---------- .../common/transport/tlscommon/tls_test.go | 6 +- 4 files changed, 54 insertions(+), 69 deletions(-) diff --git a/filebeat/tests/system/test_tcp_tls.py b/filebeat/tests/system/test_tcp_tls.py index 4001fd863c9..e208a07c8d4 100644 --- a/filebeat/tests/system/test_tcp_tls.py +++ b/filebeat/tests/system/test_tcp_tls.py 
@@ -127,6 +127,8 @@ def test_tcp_over_tls_and_verify_invalid_server_without_mutual_auth(self): with pytest.raises(ssl.SSLError): tls.connect((config.get('host'), config.get('port'))) + sock.close() + def test_tcp_over_tls_mutual_auth_fails(self): """ Test filebeat TCP with TLS with default setting to enforce client auth, with bad client certificates @@ -275,6 +277,8 @@ def test_tcp_tls_with_a_plain_text_socket(self): assert path.isfile(path.join(self.working_dir, "output/" + self.beat_name)) is False + sock.close() + def assert_output(self, output): assert len(output) == 2 assert output[0]["input.type"] == "tcp" diff --git a/libbeat/common/transport/tlscommon/ca_pinning_test.go b/libbeat/common/transport/tlscommon/ca_pinning_test.go index e522ea6fdb8..a4060bc05e1 100644 --- a/libbeat/common/transport/tlscommon/ca_pinning_test.go +++ b/libbeat/common/transport/tlscommon/ca_pinning_test.go @@ -44,23 +44,6 @@ var ser int64 = 1 func TestCAPinning(t *testing.T) { host := "127.0.0.1" - t.Run("when the ca_sha256 field is not defined we use normal certificate validation", - func(t *testing.T) { - cfg := common.MustNewConfigFrom(map[string]interface{}{ - "certificate_authorities": []string{"ca_test.pem"}, - }) - - config := &Config{} - err := cfg.Unpack(config) - require.NoError(t, err) - - tlsCfg, err := LoadTLSConfig(config) - require.NoError(t, err) - - tls := tlsCfg.BuildModuleConfig(host) - require.Nil(t, tls.VerifyPeerCertificate) - }) - t.Run("when the ca_sha256 field is defined we use CA cert pinning", func(t *testing.T) { cfg := common.MustNewConfigFrom(map[string]interface{}{ "ca_sha256": "hello", @@ -74,7 +57,7 @@ func TestCAPinning(t *testing.T) { require.NoError(t, err) tls := tlsCfg.BuildModuleConfig(host) - require.NotNil(t, tls.VerifyPeerCertificate) + require.NotNil(t, tls.VerifyConnection) }) t.Run("CA Root -> Certificate and we have the CA root pin", func(t *testing.T) { 
@@ -119,8 +102,9 @@ func TestCAPinning(t *testing.T) { pin := Fingerprint(ca.Leaf) tlsC := &TLSConfig{ - RootCAs: rootCAs, - CASha256: []string{pin}, + Verification: VerifyFull, + RootCAs: rootCAs, + CASha256: []string{pin}, } config := tlsC.BuildModuleConfig("localhost") @@ -300,8 +284,8 @@ func TestCAPinning(t *testing.T) { func genCA() (tls.Certificate, error) { ca := &x509.Certificate{ SerialNumber: serial(), - DNSNames: []string{"localhost"}, Subject: pkix.Name{ + CommonName: "localhost", Organization: []string{"TESTING"}, Country: []string{"CANADA"}, Province: []string{"QUEBEC"}, @@ -344,8 +328,8 @@ func genSignedCert(ca tls.Certificate, keyUsage x509.KeyUsage, isCA bool) (tls.C // Create another Cert/key cert := &x509.Certificate{ SerialNumber: big.NewInt(2000), - DNSNames: []string{"localhost"}, Subject: pkix.Name{ + CommonName: "localhost", Organization: []string{"TESTING"}, Country: []string{"CANADA"}, Province: []string{"QUEBEC"}, diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index e905cd36aa1..24ae395b4f3 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -87,7 +87,6 @@ func (c *TLSConfig) ToConfig() *tls.Config { // When we are using the CAsha256 pin to validate the CA used to validate the chain, // or when we are using 'certificate' TLS verification mode, we add a custom callback - verifyPeerCertFn := makeVerifyPeerCertificate(c) verifyConnectionFn := makeVerifyConnection(c) insecure := c.Verification != VerifyStrict 
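Review bot: Restoring `CommonName: "localhost"` in `genCA` and `genSignedCert` and dropping `DNSNames` means every certificate the pinning suite generates is SAN-less, so these tests only ever exercise the Common Name fallback and never the SAN path that real-world certificates take. Keep the `DNSNames: []string{"localhost"}` variant as well, behind a parameter or a second helper, so both branches of the new hostname check are covered. The `Verification: VerifyFull` added to the pinned `TLSConfig` is needed now that the callback is selected by mode; a one-line comment, `// pinning is enforced inside the mode's VerifyConnection callback`, would save the next reader the lookup.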
@@ -95,19 +94,18 @@ func (c *TLSConfig) ToConfig() *tls.Config { logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.") } return &tls.Config{ - MinVersion: minVersion, - MaxVersion: maxVersion, - Certificates: c.Certificates, - RootCAs: c.RootCAs, - ClientCAs: c.ClientCAs, - InsecureSkipVerify: insecure, - CipherSuites: c.CipherSuites, - CurvePreferences: c.CurvePreferences, - Renegotiation: c.Renegotiation, - ClientAuth: c.ClientAuth, - VerifyPeerCertificate: verifyPeerCertFn, - Time: c.time, - VerifyConnection: verifyConnectionFn, + MinVersion: minVersion, + MaxVersion: maxVersion, + Certificates: c.Certificates, + RootCAs: c.RootCAs, + ClientCAs: c.ClientCAs, + InsecureSkipVerify: insecure, + CipherSuites: c.CipherSuites, + CurvePreferences: c.CurvePreferences, + Renegotiation: c.Renegotiation, + ClientAuth: c.ClientAuth, + Time: c.time, + VerifyConnection: verifyConnectionFn, } } @@ -124,17 +122,18 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { } func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { - if cfg.Verification == VerifyFull { + pin := len(cfg.CASha256) > 0 + + switch cfg.Verification { + case VerifyFull: return func(cs tls.ConnectionState) error { dnsnames := cs.PeerCertificates[0].DNSNames - logp.Info(">>>>> dnsnames %v", dnsnames) var serverName string if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { serverName = cs.PeerCertificates[0].Subject.CommonName } else { serverName = dnsnames[0] } - logp.Info(">>>>> servername %v", serverName) if serverName != cs.ServerName { return fmt.Errorf("invalid certificate name %q, expected %q", serverName, cs.ServerName) } 
@@ -146,41 +145,39 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { opts.Intermediates.AddCert(cert) } _, err := cs.PeerCertificates[0].Verify(opts) - logp.Info("verify result %+v", err) - return err - } - } - return nil - -} - -// makeVerifyPeerCertificate creates the verification combination of checking certificate pins and skipping host name validation depending on the config -func makeVerifyPeerCertificate(cfg *TLSConfig) verifyPeerCertFunc { - pin := len(cfg.CASha256) > 0 - skipHostName := cfg.Verification == VerifyCertificate + if err != nil { + return err + } - if pin && !skipHostName { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - return verifyCAPin(cfg.CASha256, verifiedChains) + if pin { + verifiedChains := [][]*x509.Certificate{cs.PeerCertificates} + return verifyCAPin(cfg.CASha256, verifiedChains) + } + return nil } - } - - if pin && skipHostName { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - _, _, err := verifyCertificateExceptServerName(rawCerts, cfg) + case VerifyCertificate: + return func(cs tls.ConnectionState) error { + opts := x509.VerifyOptions{ + Roots: cfg.RootCAs, + Intermediates: x509.NewCertPool(), + } + for _, cert := range cs.PeerCertificates[1:] { + opts.Intermediates.AddCert(cert) + } + _, err := cs.PeerCertificates[0].Verify(opts) if err != nil { return err } - return verifyCAPin(cfg.CASha256, verifiedChains) - } - } - if !pin && skipHostName { - return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - _, _, err := verifyCertificateExceptServerName(rawCerts, cfg) - return err + if pin { + verifiedChains := [][]*x509.Certificate{cs.PeerCertificates} + return verifyCAPin(cfg.CASha256, verifiedChains) + } + return nil } + default: } return nil + } diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go index 53e9da18db3..21eacab4039 100644 
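Review bot: The pin is checked against `[][]*x509.Certificate{cs.PeerCertificates}`, the chain the peer sent, rather than the chains `Verify` just built, so the fingerprint is matched against peer-supplied material that need not contain the trusted root at all. Capture the result instead, `verifiedChains, err := cs.PeerCertificates[0].Verify(opts)`, pass that to `verifyCAPin`, and drop the `verifiedChains := ...PeerCertificates}` line in both arms. The `VerifyFull` and `VerifyCertificate` arms now repeat the intermediates-pool, `Verify` and pin sequence line for line; a small `verifyChain(cfg, cs.PeerCertificates) ([][]*x509.Certificate, error)` helper would leave the hostname check as the only difference between the modes. As written the `VerifyStrict` arm also falls through to `return nil`, so a configured `ca_sha256` is silently ignored in strict mode.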
--- a/libbeat/common/transport/tlscommon/tls_test.go +++ b/libbeat/common/transport/tlscommon/tls_test.go @@ -137,7 +137,7 @@ func TestApplyEmptyConfig(t *testing.T) { assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) assert.Len(t, cfg.Certificates, 0) assert.Nil(t, cfg.RootCAs) - assert.Equal(t, false, cfg.InsecureSkipVerify) + assert.Equal(t, true, cfg.InsecureSkipVerify) assert.Len(t, cfg.CipherSuites, 0) assert.Len(t, cfg.CurvePreferences, 0) assert.Equal(t, tls.RenegotiateNever, cfg.Renegotiation) @@ -193,7 +193,7 @@ key: mykey.pem assert.Len(t, cfg.CipherSuites, 0) assert.Len(t, cfg.CurvePreferences, 0) // values set by default - assert.Equal(t, false, cfg.InsecureSkipVerify) + assert.Equal(t, true, cfg.InsecureSkipVerify) assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) assert.Equal(t, tls.NoClientCert, cfg.ClientAuth) @@ -222,7 +222,7 @@ key: mykey.pem assert.Len(t, cfg.CipherSuites, 0) assert.Len(t, cfg.CurvePreferences, 0) // values set by default - assert.Equal(t, false, cfg.InsecureSkipVerify) + assert.Equal(t, true, cfg.InsecureSkipVerify) assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) assert.Equal(t, tls.RequireAndVerifyClientCert, cfg.ClientAuth) From 8a61ad8e92f5b1fb5f23e3919bf92c7ddc7997f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 18 Jan 2021 10:13:39 +0100 Subject: [PATCH 26/44] tmp rm --- heartbeat/monitors/active/http/http_test.go | 4 +++- .../common/transport/tlscommon/tls_config.go | 22 ++++++++++--------- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go index 2e5a43656ad..0b240adae39 100644 --- a/heartbeat/monitors/active/http/http_test.go +++ b/heartbeat/monitors/active/http/http_test.go 
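Review bot: Flipping these three assertions to `InsecureSkipVerify == true` records that built-in verification is now off for the default mode, but nothing in the test then checks that the replacement is wired, so a regression that returns a nil `VerifyConnection` would pass this suite while disabling certificate verification for every default client. Add `assert.NotNil(t, cfg.VerifyConnection)` next to each flipped assertion, and if this file has a `none` case assert it is nil there. The `// values set by default` comment above two of them would be clearer as `// default mode is full: stdlib check bypassed, VerifyConnection re-verifies`.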
@@ -626,7 +626,9 @@ func TestNewRoundTripper(t *testing.T) { require.NotNil(t, transp.Dial) require.NotNil(t, transport.TLSDialer) - require.Equal(t, (&tlscommon.TLSConfig{}).ToConfig(), transp.TLSClientConfig) + expected := (&tlscommon.TLSConfig{}).ToConfig() + require.Equal(t, expected.InsecureSkipVerify, transp.TLSClientConfig.InsecureSkipVerify) + require.NotNil(t, transp.TLSClientConfig.VerifyConnection) require.True(t, transp.DisableKeepAlives) }) } diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 24ae395b4f3..3bfba642204 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -89,6 +89,7 @@ func (c *TLSConfig) ToConfig() *tls.Config { // or when we are using 'certificate' TLS verification mode, we add a custom callback verifyConnectionFn := makeVerifyConnection(c) + fmt.Println(c.Verification) insecure := c.Verification != VerifyStrict if c.Verification == VerifyNone { logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.") 
@@ -127,16 +128,17 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { switch cfg.Verification { case VerifyFull: return func(cs tls.ConnectionState) error { - dnsnames := cs.PeerCertificates[0].DNSNames - var serverName string - if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { - serverName = cs.PeerCertificates[0].Subject.CommonName - } else { - serverName = dnsnames[0] - } - if serverName != cs.ServerName { - return fmt.Errorf("invalid certificate name %q, expected %q", serverName, cs.ServerName) - } + //dnsnames := cs.PeerCertificates[0].DNSNames + //var serverName string + //if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { + // serverName = cs.PeerCertificates[0].Subject.CommonName + //} else { + // serverName = dnsnames[0] + //} + //if serverName != cs.ServerName { + // fmt.Println("mas", serverName, "mas", cs.ServerName) + // return fmt.Errorf("invalid certificate name %q, expected %q", serverName, cs.ServerName) + //} opts := x509.VerifyOptions{ Roots: cfg.RootCAs, Intermediates: x509.NewCertPool(), From 9a4faa7c5f2ed98d907a39ebab85547cd22a6d90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 18 Jan 2021 10:24:01 +0100 Subject: [PATCH 27/44] only check if not emtpy --- .../common/transport/tlscommon/tls_config.go | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 3bfba642204..78a1fd7c455 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go 
@@ -128,17 +128,16 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { switch cfg.Verification { case VerifyFull: return func(cs tls.ConnectionState) error { - //dnsnames := cs.PeerCertificates[0].DNSNames - //var serverName string - //if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { - // serverName = cs.PeerCertificates[0].Subject.CommonName - //} else { - // serverName = dnsnames[0] - //} - //if serverName != cs.ServerName { - // fmt.Println("mas", serverName, "mas", cs.ServerName) - // return fmt.Errorf("invalid certificate name %q, expected %q", serverName, cs.ServerName) - //} + dnsnames := cs.PeerCertificates[0].DNSNames + var serverName string + if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { + serverName = cs.PeerCertificates[0].Subject.CommonName + } else { + serverName = dnsnames[0] + } + if len(serverName) > 0 && len(cs.ServerName) > 0 && serverName != cs.ServerName { + return fmt.Errorf("invalid certificate name %q, expected %q", serverName, cs.ServerName) + } opts := x509.VerifyOptions{ Roots: cfg.RootCAs, Intermediates: x509.NewCertPool(), From 5ad938c0c19b4b0f6562f8c40356840605786607 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 18 Jan 2021 10:36:04 +0100 Subject: [PATCH 28/44] return more golang like error --- libbeat/common/transport/tlscommon/tls_config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 78a1fd7c455..ccb8856b6d4 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go 
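Review bot: The new guard `len(serverName) > 0 && len(cs.ServerName) > 0` makes `full` mode skip the hostname comparison whenever the connection has no `ServerName` or the leaf has neither a SAN nor a Common Name, and because `InsecureSkipVerify` is true for this mode the callback is the only place a hostname is ever checked. The standard library fails such a handshake (`tls: either ServerName or InsecureSkipVerify must be specified`) rather than proceeding; `tls.Dial` fills `ServerName` from the address, so dialers that pass `""` to the builder (the kafka and mqtt inputs later on this page) are probably fine, but a caller using a raw `tls.Client` is not. Fail closed: `if cs.ServerName == "" { return fmt.Errorf("tls: ServerName is required for hostname verification") }` before the comparison, and treat a nameless leaf as an `x509.HostnameError` rather than a match.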
@@ -136,7 +136,7 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { serverName = dnsnames[0] } if len(serverName) > 0 && len(cs.ServerName) > 0 && serverName != cs.ServerName { - return fmt.Errorf("invalid certificate name %q, expected %q", serverName, cs.ServerName) + return x509.HostnameError{Certificate: cs.PeerCertificates[0], Host: cs.ServerName} } opts := x509.VerifyOptions{ Roots: cfg.RootCAs, From 82dd6bedc47ca00c03f37c301a46983ae84df41b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 18 Jan 2021 10:59:47 +0100 Subject: [PATCH 29/44] fix ca pinning --- libbeat/common/transport/tlscommon/tls_config.go | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index ccb8856b6d4..ed55f78ebb4 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -145,13 +145,12 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { for _, cert := range cs.PeerCertificates[1:] { opts.Intermediates.AddCert(cert) } - _, err := cs.PeerCertificates[0].Verify(opts) + verifiedChains, err := cs.PeerCertificates[0].Verify(opts) if err != nil { return err } if pin { - verifiedChains := [][]*x509.Certificate{cs.PeerCertificates} return verifyCAPin(cfg.CASha256, verifiedChains) } return nil 
@@ -165,17 +164,22 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { for _, cert := range cs.PeerCertificates[1:] { opts.Intermediates.AddCert(cert) } - _, err := cs.PeerCertificates[0].Verify(opts) + verifiedChains, err := cs.PeerCertificates[0].Verify(opts) if err != nil { return err } if pin { - verifiedChains := [][]*x509.Certificate{cs.PeerCertificates} return verifyCAPin(cfg.CASha256, verifiedChains) } return nil } + case VerifyStrict: + if pin { + return func(cs tls.ConnectionState) error { + return verifyCAPin(cfg.CASha256, cs.VerifiedChains) + } + } default: } From fe140687dcb4ff9d66b6ded73f10c5505ead2a63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 18 Jan 2021 13:27:09 +0100 Subject: [PATCH 30/44] more fixes to tls --- .../common/transport/tlscommon/tls_config.go | 18 +++++++++++++++++- libbeat/common/transport/transptest/testing.go | 1 + 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index ed55f78ebb4..ae80507a2c4 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -114,7 +114,13 @@ func (c *TLSConfig) ToConfig() *tls.Config { func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { if c == nil { // use default TLS settings, if config is empty. - return &tls.Config{ServerName: host} + return &tls.Config{ + ServerName: host, + InsecureSkipVerify: true, + VerifyConnection: makeVerifyConnection(&TLSConfig{ + Verification: VerifyFull, + }), + } } config := c.ToConfig() 
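Review bot: The comment `// use default TLS settings, if config is empty.` above the nil-config branch is no longer true: the returned `tls.Config` sets `InsecureSkipVerify: true` and relies entirely on the `VerifyConnection` built from a synthetic `TLSConfig{Verification: VerifyFull}`, with a nil `RootCAs` so `Verify` falls back to the system pool. Say so where the next reader will look, for example `// No user config: behave like the stdlib default (full). InsecureSkipVerify only disables the built-in check; the VerifyConnection callback re-verifies chain and hostname.` The `VerifyStrict` arm in the earlier hunk correctly uses `cs.VerifiedChains`, since strict keeps `InsecureSkipVerify` false; a one-line `// strict: stdlib already verified the chain, only the pin is left to check` would make the asymmetry with the other arms read as deliberate.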
@@ -128,6 +134,11 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { switch cfg.Verification { case VerifyFull: return func(cs tls.ConnectionState) error { + // On the client side, PeerCertificates can't be empty. + if len(cs.PeerCertificates) == 0 { + return fmt.Errorf("no peer certificates") + } + dnsnames := cs.PeerCertificates[0].DNSNames var serverName string if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { @@ -157,6 +168,11 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { } case VerifyCertificate: return func(cs tls.ConnectionState) error { + // On the client side, PeerCertificates can't be empty. + if len(cs.PeerCertificates) == 0 { + return fmt.Errorf("no peer certificates") + } + opts := x509.VerifyOptions{ Roots: cfg.RootCAs, Intermediates: x509.NewCertPool(), diff --git a/libbeat/common/transport/transptest/testing.go b/libbeat/common/transport/transptest/testing.go index 64763ba9b71..5ffd88fd1e8 100644 --- a/libbeat/common/transport/transptest/testing.go +++ b/libbeat/common/transport/transptest/testing.go @@ -126,6 +126,7 @@ func NewMockServerTLS(t *testing.T, to time.Duration, cert string, proxy *transp } tlsConfig, err := tlscommon.LoadTLSConfig(&tlscommon.Config{ + VerificationMode: tlscommon.VerifyStrict, Certificate: tlscommon.CertificateConfig{ Certificate: cert + ".pem", Key: cert + ".key", From 0bce7d4494c20792d1aa9b6a006404b261c7f30a Mon Sep 17 00:00:00 2001 
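Review bot: The comment `// On the client side, PeerCertificates can't be empty.` contradicts the check it introduces, and the reason the guard is still worth having is left unsaid. Reword to `// A successful client handshake always yields at least one peer certificate; guard anyway so the [0] index below can never panic inside the handshake callback.` The `fmt.Errorf("no peer certificates")` has no format arguments, so `errors.New` or a package-level sentinel is the idiomatic form and lets callers test for it with `errors.Is`.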
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 18 Jan 2021 14:57:24 +0100 Subject: [PATCH 31/44] adjust server callback --- filebeat/input/kafka/config.go | 2 +- filebeat/input/mqtt/client.go | 2 +- filebeat/inputsource/tcp/server.go | 2 +- libbeat/common/transport/tls.go | 2 +- .../transport/tlscommon/ca_pinning_test.go | 8 +-- .../transport/tlscommon/server_config.go | 2 +- .../common/transport/tlscommon/tls_config.go | 65 ++++++++++++++++++- .../common/transport/tlscommon/tls_test.go | 10 +-- .../common/transport/transptest/testing.go | 3 +- libbeat/outputs/kafka/config.go | 2 +- 10 files changed, 79 insertions(+), 19 deletions(-) diff --git a/filebeat/input/kafka/config.go b/filebeat/input/kafka/config.go index 0e4888b90c3..75a0957744a 100644 --- a/filebeat/input/kafka/config.go +++ b/filebeat/input/kafka/config.go @@ -177,7 +177,7 @@ func newSaramaConfig(config kafkaInputConfig) (*sarama.Config, error) { } if tls != nil { k.Net.TLS.Enable = true - k.Net.TLS.Config = tls.BuildModuleConfig("") + k.Net.TLS.Config = tls.BuildModuleClientConfig("") } if config.Kerberos.IsEnabled() { diff --git a/filebeat/input/mqtt/client.go b/filebeat/input/mqtt/client.go index 701498f3c56..068dca04386 100644 --- a/filebeat/input/mqtt/client.go +++ b/filebeat/input/mqtt/client.go @@ -40,7 +40,7 @@ func createClientOptions(config mqttInputConfig, onConnectHandler func(client li if err != nil { return nil, err } - clientOptions.SetTLSConfig(tlsConfig.BuildModuleConfig("")) + clientOptions.SetTLSConfig(tlsConfig.BuildModuleClientConfig("")) } return clientOptions, nil } diff --git a/filebeat/inputsource/tcp/server.go b/filebeat/inputsource/tcp/server.go index 270ebc9c0c5..96b39d038a8 100644 --- a/filebeat/inputsource/tcp/server.go +++ b/filebeat/inputsource/tcp/server.go 
@@ -68,7 +68,7 @@ func (s *Server) createServer() (net.Listener, error) { var l net.Listener var err error if s.tlsConfig != nil { - t := s.tlsConfig.BuildModuleConfig(s.config.Host) + t := s.tlsConfig.BuildModuleServerConfig(s.config.Host) l, err = tls.Listen("tcp", s.config.Host, t) if err != nil { return nil, err diff --git a/libbeat/common/transport/tls.go b/libbeat/common/transport/tls.go index 0373297fd00..1b320834864 100644 --- a/libbeat/common/transport/tls.go +++ b/libbeat/common/transport/tls.go @@ -62,7 +62,7 @@ func TestTLSDialer( tlsConfig = lastTLSConfig } if tlsConfig == nil { - tlsConfig = config.BuildModuleConfig(host) + tlsConfig = config.BuildModuleServerConfig(host) lastNetwork = network lastAddress = address lastTLSConfig = tlsConfig diff --git a/libbeat/common/transport/tlscommon/ca_pinning_test.go b/libbeat/common/transport/tlscommon/ca_pinning_test.go index a4060bc05e1..a2c6b51f6d4 100644 --- a/libbeat/common/transport/tlscommon/ca_pinning_test.go +++ b/libbeat/common/transport/tlscommon/ca_pinning_test.go @@ -56,7 +56,7 @@ func TestCAPinning(t *testing.T) { tlsCfg, err := LoadTLSConfig(config) require.NoError(t, err) - tls := tlsCfg.BuildModuleConfig(host) + tls := tlsCfg.BuildModuleClientConfig(host) require.NotNil(t, tls.VerifyConnection) }) @@ -107,7 +107,7 @@ func TestCAPinning(t *testing.T) { CASha256: []string{pin}, } - config := tlsC.BuildModuleConfig("localhost") + config := tlsC.BuildModuleClientConfig("localhost") hostToConnect := l.Addr().String() transport := &http.Transport{ @@ -189,7 +189,7 @@ func TestCAPinning(t *testing.T) { CASha256: []string{pin}, } - config := tlsC.BuildModuleConfig("localhost") + config := tlsC.BuildModuleClientConfig("localhost") hostToConnect := l.Addr().String() transport := &http.Transport{ 
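Review bot: `TestTLSDialer` is the client side of the connection, yet the rename gives it `config.BuildModuleServerConfig(host)`, which installs `makeVerifyServerConnection` in place of the client verifier. That callback (added in this same commit) treats the peer certificate as a client certificate (`ExtKeyUsageClientAuth`) and returns nil for every mode except `full`, so with `InsecureSkipVerify` now true a dialer configured for `certificate` mode would perform no verification at all. This should read `tlsConfig = config.BuildModuleClientConfig(host)`, matching the kafka and mqtt call sites in the same commit.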
@@ -263,7 +263,7 @@ func TestCAPinning(t *testing.T) { CASha256: []string{pin}, } - config := tlsC.BuildModuleConfig("localhost") + config := tlsC.BuildModuleClientConfig("localhost") hostToConnect := l.Addr().String() transport := &http.Transport{ diff --git a/libbeat/common/transport/tlscommon/server_config.go b/libbeat/common/transport/tlscommon/server_config.go index 866d6e3c28c..d41e419e9c4 100644 --- a/libbeat/common/transport/tlscommon/server_config.go +++ b/libbeat/common/transport/tlscommon/server_config.go @@ -28,7 +28,7 @@ import ( // ServerConfig defines the user configurable tls options for any TCP based service. type ServerConfig struct { Enabled *bool `config:"enabled"` - VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'full' + VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'full', 'strict' Versions []TLSVersion `config:"supported_protocols"` CipherSuites []tlsCipherSuite `config:"cipher_suites"` CAs []string `config:"certificate_authorities"` diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index ae80507a2c4..e1dd63c55b5 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -89,7 +89,6 @@ func (c *TLSConfig) ToConfig() *tls.Config { // or when we are using 'certificate' TLS verification mode, we add a custom callback verifyConnectionFn := makeVerifyConnection(c) - fmt.Println(c.Verification) insecure := c.Verification != VerifyStrict if c.Verification == VerifyNone { logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.") 
@@ -111,7 +110,7 @@ func (c *TLSConfig) ToConfig() *tls.Config { } // BuildModuleConfig takes the TLSConfig and transform it into a `tls.Config`. -func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { +func (c *TLSConfig) BuildModuleClientConfig(host string) *tls.Config { if c == nil { // use default TLS settings, if config is empty. return &tls.Config{ @@ -125,6 +124,26 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config { config := c.ToConfig() config.ServerName = host + config.VerifyConnection = makeVerifyConnection(c) + return config +} + +// BuildModuleConfig takes the TLSConfig and transform it into a `tls.Config`. +func (c *TLSConfig) BuildModuleServerConfig(host string) *tls.Config { + if c == nil { + // use default TLS settings, if config is empty. + return &tls.Config{ + ServerName: host, + InsecureSkipVerify: true, + VerifyConnection: makeVerifyServerConnection(&TLSConfig{ + Verification: VerifyFull, + }), + } + } + + config := c.ToConfig() + config.ServerName = host + config.VerifyConnection = makeVerifyServerConnection(c) return config } 
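Review bot: The doc comment on the new BuildModuleServerConfig still reads `// BuildModuleConfig takes the TLSConfig and transform it into a `tls.Config`.`, and the renamed BuildModuleClientConfig above keeps the same stale name; each should start with the name it documents, e.g. `// BuildModuleServerConfig builds a tls.Config for the accepting side of a connection and installs the server-side VerifyConnection callback.` The nil-config branch also deserves a comment on what it means for a server: it constructs the callback with Verification: VerifyFull but leaves ClientAuth at its zero value, so as written a connection with no client certificate is accepted, while ServerName and InsecureSkipVerify look like client-only settings that the accepting side does not use. A line such as `// ClientAuth is unset here, so a missing peer certificate is accepted by the callback.` would make that default explicit.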
@@ -202,3 +221,45 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { return nil } + +func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error { + switch cfg.Verification { + case VerifyFull: + return func(cs tls.ConnectionState) error { + fmt.Println("srever full") + if len(cs.PeerCertificates) == 0 { + if cfg.ClientAuth == tls.RequireAndVerifyClientCert { + return fmt.Errorf("no peer certificates") + } + return nil + } + + dnsnames := cs.PeerCertificates[0].DNSNames + var serverName string + if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { + serverName = cs.PeerCertificates[0].Subject.CommonName + } else { + serverName = dnsnames[0] + } + if len(serverName) > 0 && len(cs.ServerName) > 0 && serverName != cs.ServerName { + return x509.HostnameError{Certificate: cs.PeerCertificates[0], Host: cs.ServerName} + } + opts := x509.VerifyOptions{ + DNSName: cs.ServerName, + Roots: cfg.RootCAs, + Intermediates: x509.NewCertPool(), + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, + } + for _, cert := range cs.PeerCertificates[1:] { + opts.Intermediates.AddCert(cert) + } + _, err := cs.PeerCertificates[0].Verify(opts) + fmt.Println(err) + return err + } + default: + } + + return nil + +} diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go index 21eacab4039..45c0ebf1f7f 100644 --- a/libbeat/common/transport/tlscommon/tls_test.go +++ b/libbeat/common/transport/tlscommon/tls_test.go @@ -132,7 +132,7 @@ func TestApplyEmptyConfig(t *testing.T) { t.Fatal(err) } - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.Equal(t, int(TLSVersionDefaultMin), int(cfg.MinVersion)) assert.Equal(t, int(TLSVersionDefaultMax), int(cfg.MaxVersion)) assert.Len(t, cfg.Certificates, 0) 
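Review bot: In makeVerifyServerConnection the VerifyFull callback verifies the client's certificate against cs.ServerName, both in the manual DNSNames/CommonName comparison and via `DNSName: cs.ServerName` in VerifyOptions, but on the accepting side cs.ServerName is the SNI name the client sent, i.e. the server's own hostname, so a client certificate would have to carry the server's name to pass; crypto/tls's own ClientAuth verification leaves DNSName empty. The same DNSName line is carried unchanged through the later tls_config.go hunks in PATCH 34 and PATCH 36. Separately, `Roots: cfg.RootCAs` is the pool for verifying servers while the client-CA pool is the natural roots for a client certificate, and the two fmt.Println calls look like leftover debugging that would write to stdout on every handshake. The chain check could be reduced to the options below.
```go
			// … unchanged: empty PeerCertificates handling …
			// A client certificate is not tied to the SNI name the client sent,
			// so no DNSName is set; this mirrors crypto/tls ClientAuth verification.
			opts := x509.VerifyOptions{
				Roots:         cfg.ClientCAs,
				Intermediates: x509.NewCertPool(),
				KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
			}
			for _, cert := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(cert)
			}
			_, err := cs.PeerCertificates[0].Verify(opts)
			return err
```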
@@ -159,7 +159,7 @@ func TestApplyWithConfig(t *testing.T) { t.Fatal(err) } - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) assert.Len(t, cfg.Certificates, 1) assert.NotNil(t, cfg.RootCAs) @@ -184,7 +184,7 @@ key: mykey.pem tmp, err := LoadTLSServerConfig(&c) require.NoError(t, err) - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) // values not set by default @@ -213,7 +213,7 @@ key: mykey.pem tmp, err := LoadTLSServerConfig(&c) require.NoError(t, err) - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) // values not set by default @@ -260,7 +260,7 @@ func TestApplyWithServerConfig(t *testing.T) { return } - cfg := tmp.BuildModuleConfig("") + cfg := tmp.BuildModuleClientConfig("") assert.NotNil(t, cfg) assert.Len(t, cfg.Certificates, 1) assert.NotNil(t, cfg.ClientCAs) diff --git a/libbeat/common/transport/transptest/testing.go b/libbeat/common/transport/transptest/testing.go index 5ffd88fd1e8..81cfad6cbdf 100644 --- a/libbeat/common/transport/transptest/testing.go +++ b/libbeat/common/transport/transptest/testing.go @@ -126,7 +126,6 @@ func NewMockServerTLS(t *testing.T, to time.Duration, cert string, proxy *transp } tlsConfig, err := tlscommon.LoadTLSConfig(&tlscommon.Config{ - VerificationMode: tlscommon.VerifyStrict, Certificate: tlscommon.CertificateConfig{ Certificate: cert + ".pem", Key: cert + ".key", @@ -136,7 +135,7 @@ func NewMockServerTLS(t *testing.T, to time.Duration, cert string, proxy *transp t.Fatalf("failed to load certificate") } - listener := tls.NewListener(tcpListener, tlsConfig.BuildModuleConfig("")) + listener := tls.NewListener(tcpListener, tlsConfig.BuildModuleServerConfig("")) server := &MockServer{Listener: listener, Timeout: to} server.Handshake = func(client net.Conn) { diff --git a/libbeat/outputs/kafka/config.go b/libbeat/outputs/kafka/config.go index b3c8e984fe9..56708841750 100644 
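Review bot: In the tls_test.go hunks at @@ -184, @@ -213 and @@ -260 the configs come from LoadTLSServerConfig but are then built with `tmp.BuildModuleClientConfig("")`, so the new server builder and its VerifyConnection callback get no coverage from these tests; the server-config cases should call `cfg := tmp.BuildModuleServerConfig("")` and, for the full verification mode, can add `require.NotNil(t, cfg.VerifyConnection)`. In the transptest/testing.go hunk, dropping `VerificationMode: tlscommon.VerifyStrict` from the mock server means its verification now depends on whatever LoadTLSConfig defaults to, which is not visible here; a one-line comment stating the intended mode would keep that choice from being lost. NewMockServerTLS continues outside the hunk.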
--- a/libbeat/outputs/kafka/config.go +++ b/libbeat/outputs/kafka/config.go @@ -227,7 +227,7 @@ func newSaramaConfig(log *logp.Logger, config *kafkaConfig) (*sarama.Config, err if tls != nil { k.Net.TLS.Enable = true - k.Net.TLS.Config = tls.BuildModuleConfig("") + k.Net.TLS.Config = tls.BuildModuleClientConfig("") } switch { From b427bb781289b6dc5bddfe5543ae7d8b5a65d1e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 18 Jan 2021 15:41:23 +0100 Subject: [PATCH 32/44] more fixes --- libbeat/common/transport/tls.go | 2 +- libbeat/common/transport/tlscommon/tls_config.go | 2 -- metricbeat/helper/server/http/http.go | 2 +- metricbeat/module/kafka/metricset.go | 2 +- metricbeat/module/mongodb/metricset.go | 2 +- x-pack/filebeat/input/http_endpoint/input.go | 2 +- 6 files changed, 5 insertions(+), 7 deletions(-) diff --git a/libbeat/common/transport/tls.go b/libbeat/common/transport/tls.go index 1b320834864..10ece84dc47 100644 --- a/libbeat/common/transport/tls.go +++ b/libbeat/common/transport/tls.go @@ -62,7 +62,7 @@ func TestTLSDialer( tlsConfig = lastTLSConfig } if tlsConfig == nil { - tlsConfig = config.BuildModuleServerConfig(host) + tlsConfig = config.BuildModuleClientConfig(host) lastNetwork = network lastAddress = address lastTLSConfig = tlsConfig diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index e1dd63c55b5..0992de4caca 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -226,7 +226,6 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error switch cfg.Verification { case VerifyFull: return func(cs tls.ConnectionState) error { - fmt.Println("srever full") if len(cs.PeerCertificates) == 0 { if cfg.ClientAuth == tls.RequireAndVerifyClientCert { return fmt.Errorf("no peer certificates") 
@@ -254,7 +253,6 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error opts.Intermediates.AddCert(cert) } _, err := cs.PeerCertificates[0].Verify(opts) - fmt.Println(err) return err } default: diff --git a/metricbeat/helper/server/http/http.go b/metricbeat/helper/server/http/http.go index b4bd17477b6..98b292dbcce 100644 --- a/metricbeat/helper/server/http/http.go +++ b/metricbeat/helper/server/http/http.go @@ -76,7 +76,7 @@ func getDefaultHttpServer(mb mb.BaseMetricSet) (*HttpServer, error) { Addr: net.JoinHostPort(config.Host, strconv.Itoa(int(config.Port))), } if tlsConfig != nil { - httpServer.TLSConfig = tlsConfig.BuildModuleConfig(config.Host) + httpServer.TLSConfig = tlsConfig.BuildModuleServerConfig(config.Host) } h.server = httpServer return h, nil diff --git a/metricbeat/module/kafka/metricset.go b/metricbeat/module/kafka/metricset.go index 73c1be02218..5ec46332b35 100644 --- a/metricbeat/module/kafka/metricset.go +++ b/metricbeat/module/kafka/metricset.go @@ -49,7 +49,7 @@ func NewMetricSet(base mb.BaseMetricSet, options MetricSetOptions) (*MetricSet, var tls *tls.Config if tlsCfg != nil { - tls = tlsCfg.BuildModuleConfig("") + tls = tlsCfg.BuildModuleClientConfig("") } timeout := base.Module().Config().Timeout diff --git a/metricbeat/module/mongodb/metricset.go b/metricbeat/module/mongodb/metricset.go index b1b09a7ac4d..dc329b57f25 100644 --- a/metricbeat/module/mongodb/metricset.go +++ b/metricbeat/module/mongodb/metricset.go @@ -65,7 +65,7 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) { logp.Warn("Failed to obtain hostname from `%s`: %s", hostname, err) hostname = "" } - return tls.Dial("tcp", addr.String(), tlsConfig.BuildModuleConfig(hostname)) + return tls.Dial("tcp", addr.String(), tlsConfig.BuildModuleClientConfig(hostname)) } } diff --git a/x-pack/filebeat/input/http_endpoint/input.go b/x-pack/filebeat/input/http_endpoint/input.go index bddf2be0a9e..2c799c1f14f 100644 
--- a/x-pack/filebeat/input/http_endpoint/input.go +++ b/x-pack/filebeat/input/http_endpoint/input.go @@ -59,7 +59,7 @@ func newHTTPEndpoint(config config) (*httpEndpoint, error) { return nil, err } if tlsConfigBuilder != nil { - tlsConfig = tlsConfigBuilder.BuildModuleConfig(addr) + tlsConfig = tlsConfigBuilder.BuildModuleClientConfig(addr) } return &httpEndpoint{ From 8ff9011af9f2212f6921bbd3bba0e55bb26efa3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 18 Jan 2021 16:49:53 +0100 Subject: [PATCH 33/44] not yet expired certs --- .../monitors/active/fixtures/expired.cert | 40 +++++++------- .../monitors/active/fixtures/expired.key | 52 +++++++++---------- 2 files changed, 45 insertions(+), 47 deletions(-) diff --git a/heartbeat/monitors/active/fixtures/expired.cert b/heartbeat/monitors/active/fixtures/expired.cert index e39ad893bd6..959486cec37 100644 --- a/heartbeat/monitors/active/fixtures/expired.cert +++ b/heartbeat/monitors/active/fixtures/expired.cert 
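Review bot: In the x-pack/filebeat/input/http_endpoint/input.go hunk, newHTTPEndpoint takes `tlsConfigBuilder.BuildModuleClientConfig(addr)`, whereas the metricbeat http server hunk in this same commit switches its listener to BuildModuleServerConfig. If httpEndpoint is a listening server, as its name suggests, the client builder installs the client-side callback, which in the modes that install one returns an error whenever the peer presents no certificate, so the two hunks should agree: `tlsConfig = tlsConfigBuilder.BuildModuleServerConfig(addr)`. The enclosing function starts outside the hunk, so I cannot confirm the listening side from here.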
@@ -1,23 +1,21 @@ -----BEGIN CERTIFICATE----- -MIID3zCCAsegAwIBAgIUS+ahW2wxDZ1bT/qYnenS8jrXUcAwDQYJKoZIhvcNAQEL -BQAwfzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk1OMRQwEgYDVQQHDAtNaW5uZWFw -b2xpczEVMBMGA1UECgwMRWxhc3RpYywgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmlu -ZzEgMB4GA1UEAwwXZXhwaXJlZHRlc3QuZXhhbXBsZS5uZXQwHhcNMjAwNDIxMTQw -MDE0WhcNMjAwNDIyMTQwMDE0WjB/MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTU4x -FDASBgNVBAcMC01pbm5lYXBvbGlzMRUwEwYDVQQKDAxFbGFzdGljLCBJbmMxFDAS -BgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBdleHBpcmVkdGVzdC5leGFtcGxl -Lm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKh1iS5EZ7bDSKgW -R3JXAepMIaEewMSdbaoBtuNQb48XJGwI0mudF983a7JxGCSfw9mhVYa4YsSv79UE -XomGrWVrS01Cmf1VRIOmxevWMPhvnE6UH+5VxKUBk5ooNSty4iHkDFy2i5WWjxiv -de6Xqnn/dVQhuT/sW+rU/grCsGcdUwqsWnC547ekqiYRTtyZrdh+U0KRKqy5iBlH -9Woua+CnXmsD7+4MgGekErg9XLRHYveLOmLucbNlAIlRyfMDZL1RlXufcGwhzItz -JNM9N0NJ5bwrpuP0RYlYbbMYal+b1Tn2e8qkMm88hniQkuu69kUpKeewIOr62vIK -tI273GECAwEAAaNTMFEwHQYDVR0OBBYEFKgd6wQcgIdUSjtJREObD+R3q3MPMB8G -A1UdIwQYMBaAFKgd6wQcgIdUSjtJREObD+R3q3MPMA8GA1UdEwEB/wQFMAMBAf8w -DQYJKoZIhvcNAQELBQADggEBADkBqmCUcvVTqu5IIZ5PLz40jdg2luaDHEA6I2Ga -1ioabETfQhXeaNJflojYm0Bzsy2aneVLGM2KaZ76wN0yvib3MZ4miu4C/mDsR3bB -wq7/CAK2AcJXv1jk0vIrK6DhZfA2HaelBkQ8UHwWK7AO+JmS6jozIt1vySwPI1E7 -lMFWbs3bmsSmunj3+66XS2XguUKzFwUIAEOfsPFqT2OMsPIa7weUWuCV/zMi7fuB -HbgVouYvMTve8wx7+ozDk6CyvlRlx20xwdOvXaH3JILw7gTQWcAEWZLcB2ct1Zks -UTtbIAjBV6s0Pm/2/6MxxkDCVVUpwXiiKBRkHxzkgoH7TQw= +MIIDazCCAlOgAwIBAgIUJGs/M/NeLac1U+H58kwZYgSUoMgwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTAxMTgxNTQxNDdaFw0yMTAx +MTkxNTQxNDdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDGo1zHFcEZT4gFe24in23O1C1AtCSP2wfZCHyA9Tvj +fak3dgI5BESPHHu8lqo8V4C2ViAnBBoQ9Uq3nd38CdVJyYK5vtrHpTVLK8OIasOD +eMHBwEOMQQN6js9in0lvixBTK2oZOOcONSSxQVFUKIgSfY8sBJViYftkolPmT/OZ 
+bipzBoikclKDQykM9GAh/IVSQpfC+PIJT31xOXmwvy9zL5eiLDRIsZpuauI6L7/f +RkapMXtDz0QuP3aZ/VZNydagmfrz0LiBfoX7B93ZRAPLmk9KzRb/RTcuxD28d45v +KtZXUr/cR6S5gwqzb1sEaOOR+kz9aeNzwGFl6LmcgpqfAgMBAAGjUzBRMB0GA1Ud +DgQWBBTKlcyCuhJ07eTv/y33LN6/SVB1FzAfBgNVHSMEGDAWgBTKlcyCuhJ07eTv +/y33LN6/SVB1FzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBo +mv85XCM+qNvn7nNXXvI8h7PFBYZAn6trD713liiD4fURjRmQt/EDXo1ZyJhmqm3n +UHqTbQ1srnhz2zTKbBD1m4rby3bu9l0IvoCihNnd3jEzcz6IkT5TqPy6FwQdKoD4 +U0miGvmSyKs7/IyJepy6k+XUI9KSsi4k/ECx4nAvvf05Yv7XtSvPpVPHW6uvLsTu +jv8C8CcND66LrUsqn2CRkiXXX68KJSDPvT4fdNDz1nIykN0AAvVs8rA3R35dgjiR +9aHsDqkqf6QIZ0jCKbZL4Z/j5tj26P1nEUsDeZ46FECipie2z9oZII897X+Yzrcg +d9RKMlVpBwQg/iFD9orw -----END CERTIFICATE----- diff --git a/heartbeat/monitors/active/fixtures/expired.key b/heartbeat/monitors/active/fixtures/expired.key index 2a11440f7aa..3f29313cc4e 100644 --- a/heartbeat/monitors/active/fixtures/expired.key +++ b/heartbeat/monitors/active/fixtures/expired.key 
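Review bot: The replacement heartbeat/monitors/active/fixtures/expired.cert appears, from its encoded validity fields, to be valid only from 2021-01-18 to 2021-01-19, so a fixture named "expired" is briefly a valid certificate and then expires again a day after this commit; any test that relies on it being accepted will start failing on that date. If the tests need a currently valid certificate, generate one with a long validity or build it at test time; if they need an expired one, the previous fixture already served that purpose. A short comment or README next to the fixture stating the intended validity window would make the expectation explicit.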
@@ -1,28 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCodYkuRGe2w0io -FkdyVwHqTCGhHsDEnW2qAbbjUG+PFyRsCNJrnRffN2uycRgkn8PZoVWGuGLEr+/V -BF6Jhq1la0tNQpn9VUSDpsXr1jD4b5xOlB/uVcSlAZOaKDUrcuIh5AxctouVlo8Y -r3Xul6p5/3VUIbk/7Fvq1P4KwrBnHVMKrFpwueO3pKomEU7cma3YflNCkSqsuYgZ -R/VqLmvgp15rA+/uDIBnpBK4PVy0R2L3izpi7nGzZQCJUcnzA2S9UZV7n3BsIcyL -cyTTPTdDSeW8K6bj9EWJWG2zGGpfm9U59nvKpDJvPIZ4kJLruvZFKSnnsCDq+try -CrSNu9xhAgMBAAECggEBAIc32QYvWESmWeK6B11rI5lqxK+snLT1XLpSp/esb++e -dtjU9/nzXd8JgEP6bZOwPiepTZpW1MjmJA+Lc0rWtMYsqoP4ityDHfzC2CmmgyZX -iFK2qS7I35BHRLA/x/X5QDRN9fJRgJdxA6mf5Xy/dtJ4UDhY3XbHBTzo/IWsoqYQ -4V3WBQYMGlhBArCoOx07pwc9NMTnXwpfe4rUdm3EaGGpe/9JT08JcTyFZfFUeFT1 -lfSYo5i+xPOCQ/FcC5GfWdciyY0c8ej8iwdxZb0kPI4hBu36+D6zD+YoNoC3CQTb -MecRFQ0MeTTuUMCdzFWtg+2FWnJucaLiaK9fKbVzi7UCgYEA0BAlfUdXdeDYMlW3 -2ReeOgH32bchPYwn2UvHYkIhhDp40STVw3BYQ0Zj9yJQXLFaoY1SFhwRJR1kpbSd -IfME/IzR/oMFvRUNQEPQZVH0Mg9FWIXLdXlV4qbU3AyA2r4x+VUCt3jp1n/5rG7g -cmoKBdCXNUAhK30bRGTdXB06Fp8CgYEAz0V+IlkGyDKcyCkja0ypA3AdSod/43az -7HMS3nf32hOFpgQuEtVYZc3NW/rdJFPksnRd6+RlD2nIoHZEa+adl2gESjGH2asw -nhxP/Pr4m8PGZF5BwdILRTVFukf5yrM6g63FgrgA9d+QdCsqoqrctItRyCgcfpL4 -XYXEKVWELP8CgYATxbUKVsFE/n0NK4AxLUFoGc/H7NNH2g3fZIgqGka9HiFlHq8B -x6dbnVDap3QjmucV+ywV1cz7TfPGm4djNoj+xxMdsK3W7i04MjmXp1Yhe7oHU4+m -NkWnKFuKHdYQ84okO6Pqc58lNzwu2sqRlOom60+zS8jbLSRuN3ehzVU72QKBgGm0 -qCo+Ou44maqfCFg9hWiicd3Dkt5feE0bNsFMb5PBJwTO1ux175ojxhqlqshPHLBC -FnAqT7v3mAD1r9lTiIVh3+YysnS5EJdiGw0KtWVDB9fCFkkRpPvLul7RPDw7AZmM -MtGCo8LBHHuSVDEXcG2HK9MnWbjXnWCcyrjFyx3jAoGAYsNGYm+OBr16NNsPtx3S -nRQJz9wqB2mIqNU8rRSjd5EUp03jhHiTEN9DT6iEnLGaTDBUgD2RlPvEVGk1N7FT -nh9tLtg2ytWIC/P+QrKwzdUUa00MSswTxRS3Cmy459UbLBiPgHBJ2h1G7gsiHPOt -erJWqYJ8DXvLzCPdMVzQxj8= +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDGo1zHFcEZT4gF +e24in23O1C1AtCSP2wfZCHyA9Tvjfak3dgI5BESPHHu8lqo8V4C2ViAnBBoQ9Uq3 +nd38CdVJyYK5vtrHpTVLK8OIasODeMHBwEOMQQN6js9in0lvixBTK2oZOOcONSSx +QVFUKIgSfY8sBJViYftkolPmT/OZbipzBoikclKDQykM9GAh/IVSQpfC+PIJT31x 
+OXmwvy9zL5eiLDRIsZpuauI6L7/fRkapMXtDz0QuP3aZ/VZNydagmfrz0LiBfoX7 +B93ZRAPLmk9KzRb/RTcuxD28d45vKtZXUr/cR6S5gwqzb1sEaOOR+kz9aeNzwGFl +6LmcgpqfAgMBAAECggEAdd93LMSiA80IIIiwQGdvF+8cs2qyz5LgQ1Af4b6kvUhS +ZBDpHMCFlo8GdlDJ0Gj0fj75cW2jsjB9GBzcH7YOFW0439R7q0FEMMlVjNweDSRZ +hgn7i30A/XdFZXa0czaIh3IZ0cHMisfKcE0cX951cNOFZE+L/ge60Grrcp47Je4H +r5F8fBaP2j729fQlpF3Kzl0uYCRqn9CD+KRMmz8nx9ifxmPM4ddVK8Xg8quVSU1x +HyeN7VfF0Hcvsv6+DRiZqgASu9pSggVffEmW4EBRNuJK4RPKFUriTTUTd8DUS39d +xxA4CjM/t+YjQOYcKlZGxxqu+ILPJnSTfyVe+lvp0QKBgQDvi5GRPuVGegO8nPqE +EHn9fh0CuVtRZjr+7YwJmlYY6WsEuVFOGlo+OdPQwk+iJuT187FYc83PwozRRoI+ +NfMC8lByMGXK0deTfCuK422U+PBuXP/U3xEK6rb1plFiNyw37wxivRTvSX/xZ8ZI +u+zS89LmWQn4oX2fbJUjcfol0wKBgQDUSHAv4PgYQutydgm2n2+asY/BeZupKqmR +FUINmcM8zZ6OC37xrT2TZoGT4WfCRJlvsj6Gpwzf6gM+MAluTQJ6ZxdAP8ifsUJT +69lyRL4o11qLvXsIexdHFUDRxv9E0pWQbEOUH7dZnWuZAXOc9sBVQLW7Hb9UJhzU +JNhsjWK8hQKBgESqO0XpQ4uaOiv8y4rDtlRFrEc1nsmMhmjA6x1tkjR95GFsRbQf +tbKUnPUAXhdbEtK10iZKu7pMSFVM4tS2Xjx//TNeUC99S1BJjam4W5cSbMkV+3en +oZkBgwSTcky3CAPYkDJVhQS6iuRGHP6Ib/BgWBoTd9o/YGUsmOuaJlxlAoGAUkH7 +juH64NPVjlXk76oaQfQ6AzuPMN8CM+Dr5n9FoyL+JIaZ2yZJLPvUjCwU27dfSWPl +TKIgoAd62DcfAGnA4xNddB0DLbYvQHusl9XBZewE/w8eRKwF2hqHMoKM2etL31nE +WfpsPsJ8Nh7U4ObQonhfszEUuZPHKgFZB79Fmk0CgYB0XEuZuSva3uKACbQQS2L2 +jeO23cmE+rSdfw9tL6O2OLZkKbDkHxMXu/G305ciyW+Hmw4CwC6B2IDJuCjzYGVr +7FL/XP0d/pksOIqjNi2VQvARO+7NStXqcgmB9p/vlyYkKLIcGKQ2w169QaNOLylc +L/DKQsIUqMqNsRcd4at/Kg== -----END PRIVATE KEY----- From eaadf6def73879b973068f2683247d53b9fbe4fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 18 Jan 2021 17:04:37 +0100 Subject: [PATCH 34/44] one more fixes --- filebeat/tests/system/test_tcp_tls.py | 2 ++ libbeat/common/transport/tlscommon/tls_config.go | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/filebeat/tests/system/test_tcp_tls.py b/filebeat/tests/system/test_tcp_tls.py index e208a07c8d4..845ade6b288 100644 --- a/filebeat/tests/system/test_tcp_tls.py +++ b/filebeat/tests/system/test_tcp_tls.py 
@@ -173,6 +173,8 @@ def test_tcp_over_tls_mutual_auth_fails(self): # so that the failure can be reported as an exception when it arrives. tls.recv(1) + sock.close() + def test_tcp_over_tls_mutual_auth_succeed(self): """ Test filebeat TCP with TLS when enforcing client auth with good client certificates. diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 0992de4caca..50477cb94d7 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -245,7 +245,7 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error } opts := x509.VerifyOptions{ DNSName: cs.ServerName, - Roots: cfg.RootCAs, + Roots: cfg.ClientCAs, Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, } From b217316985152d9f4238ed9755efee799b5026f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 18 Jan 2021 17:43:29 +0100 Subject: [PATCH 35/44] address review notes --- heartbeat/monitors/active/http/http_test.go | 3 + .../transport/tlscommon/ca_pinning_test.go | 17 +++ libbeat/common/transport/tlscommon/verify.go | 105 ----------------- .../common/transport/tlscommon/verify_test.go | 110 ------------------ 4 files changed, 20 insertions(+), 215 deletions(-) delete mode 100644 libbeat/common/transport/tlscommon/verify.go delete mode 100644 libbeat/common/transport/tlscommon/verify_test.go diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go index 0b240adae39..cd2c03dee3f 100644 --- a/heartbeat/monitors/active/http/http_test.go +++ b/heartbeat/monitors/active/http/http_test.go 
@@ -628,6 +628,9 @@ func TestNewRoundTripper(t *testing.T) { expected := (&tlscommon.TLSConfig{}).ToConfig() require.Equal(t, expected.InsecureSkipVerify, transp.TLSClientConfig.InsecureSkipVerify) + // When we remove support for the legacy common name treatment + // this test has to be adjusted, as we will not depend on our + // VerifyConnection callback. require.NotNil(t, transp.TLSClientConfig.VerifyConnection) require.True(t, transp.DisableKeepAlives) }) diff --git a/libbeat/common/transport/tlscommon/ca_pinning_test.go b/libbeat/common/transport/tlscommon/ca_pinning_test.go index a2c6b51f6d4..7e8d13de3e6 100644 --- a/libbeat/common/transport/tlscommon/ca_pinning_test.go +++ b/libbeat/common/transport/tlscommon/ca_pinning_test.go @@ -44,6 +44,23 @@ var ser int64 = 1 func TestCAPinning(t *testing.T) { host := "127.0.0.1" + t.Run("when the ca_sha256 field is not defined we use normal certificate validation", func(t *testing.T) { + cfg := common.MustNewConfigFrom(map[string]interface{}{ + "verification_mode": "strict", + "certificate_authorities": []string{"ca_test.pem"}, + }) + + config := &Config{} + err := cfg.Unpack(config) + require.NoError(t, err) + + tlsCfg, err := LoadTLSConfig(config) + require.NoError(t, err) + + tls := tlsCfg.BuildModuleClientConfig(host) + require.Nil(t, tls.VerifyConnection) + }) + t.Run("when the ca_sha256 field is defined we use CA cert pinning", func(t *testing.T) { cfg := common.MustNewConfigFrom(map[string]interface{}{ "ca_sha256": "hello", diff --git a/libbeat/common/transport/tlscommon/verify.go b/libbeat/common/transport/tlscommon/verify.go deleted file mode 100644 index 21d75f89ca8..00000000000 --- a/libbeat/common/transport/tlscommon/verify.go +++ /dev/null 
@@ -1,105 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Copyright (c) 2009 The Go Authors. All rights reserved. - -// Redistribution and use in source and binary forms, with or without -// modification, are permitted provided that the following conditions are -// met: - -// * Redistributions of source code must retain the above copyright -// notice, this list of conditions and the following disclaimer. -// * Redistributions in binary form must reproduce the above -// copyright notice, this list of conditions and the following disclaimer -// in the documentation and/or other materials provided with the -// distribution. -// * Neither the name of Google Inc. nor the names of its -// contributors may be used to endorse or promote products derived from -// this software without specific prior written permission. - -// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -// A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT -// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -// This file contains code adapted from golang's crypto/tls/handshake_client.go - -package tlscommon - -import ( - "crypto/x509" - "fmt" - "time" - - "github.com/pkg/errors" -) - -var ( - ErrMissingDNSNameCommonName = errors.New("missing DNSNames and CommonName") -) - -// verifyCertificateExceptServerName is a TLS Certificate verification utility method that verifies that the provided -// certificate chain is valid and is signed by one of the root CAs in the provided tls.Config. It is intended to be -// as similar as possible to the default verify, but does not verify that the provided certificate matches the -// ServerName in the tls.Config. -func verifyCertificateExceptServerName( - rawCerts [][]byte, - c *TLSConfig, -) ([]*x509.Certificate, [][]*x509.Certificate, error) { - // this is where we're a bit suboptimal, as we have to re-parse the certificates that have been presented - // during the handshake. 
- // the verification code here is taken from verifyServerCertificate in crypto/tls/handshake_client.go:824 - certs := make([]*x509.Certificate, len(rawCerts)) - for i, asn1Data := range rawCerts { - cert, err := x509.ParseCertificate(asn1Data) - if err != nil { - return nil, nil, fmt.Errorf("tls: failed to parse certificate from server: %+v", err) - } - certs[i] = cert - } - - var t time.Time - if c.time != nil { - t = c.time() - } else { - t = time.Now() - } - - // DNSName omitted in VerifyOptions in order to skip ServerName verification - opts := x509.VerifyOptions{ - Roots: c.RootCAs, - CurrentTime: t, - Intermediates: x509.NewCertPool(), - } - - for _, cert := range certs[1:] { - opts.Intermediates.AddCert(cert) - } - - headCert := certs[0] - - // defer to the default verification performed - chains, err := headCert.Verify(opts) - return certs, chains, err -} diff --git a/libbeat/common/transport/tlscommon/verify_test.go b/libbeat/common/transport/tlscommon/verify_test.go deleted file mode 100644 index c08e60642f5..00000000000 --- a/libbeat/common/transport/tlscommon/verify_test.go +++ /dev/null 
@@ -1,110 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package tlscommon - -import ( - "crypto/x509" - "encoding/pem" - "io/ioutil" - "path/filepath" - "testing" - "time" - - "github.com/stretchr/testify/assert" -) - -// This does not actually test that it ignores the server name because no part of the func even consumes the server name -func Test_verifyCertificateExceptServerName(t *testing.T) { - - tests := []struct { - name string - ca string - chain string - cert string - time func() time.Time - wantErr bool - }{ - { - name: "happy path", - // a CA for morello.ovh valid from August 9 2019 to 2029 - ca: "ca.crt", - // a cert signed by morello.ovh that expired in nov 2019 - cert: "tls.crt", - time: func() time.Time { - layout := "2006-01-02" - t, _ := time.Parse(layout, "2019-10-01") - return t - }, - wantErr: false, - }, - { - name: "cert not signed by CA", - ca: "ca.crt", - // a self-signed cert for www.example.com valid from July 23 2020 to 2030 - cert: "unsigned_tls.crt", - time: func() time.Time { - layout := "2006-01-02" - t, _ := time.Parse(layout, "2020-07-24") - return t - }, - wantErr: true, - }, - { - name: "cert expired", - ca: "ca.crt", - cert: "tls.crt", - wantErr: true, - }, - } - - for _, tc 
:= range tests { - t.Run(tc.name, func(t *testing.T) { - cfg := &TLSConfig{time: tc.time} - // load the CA - if tc.ca != "" { - ca := loadFileBytes(tc.ca) - caCertPool := x509.NewCertPool() - caCertPool.AppendCertsFromPEM(ca) - cfg.RootCAs = caCertPool - } - - // load the cert - rawCerts := [][]byte{} - if tc.cert != "" { - pemCert := loadFileBytes(tc.cert) - block, _ := pem.Decode(pemCert) - rawCerts = append(rawCerts, block.Bytes) - } - - _, _, got := verifyCertificateExceptServerName(rawCerts, cfg) - if tc.wantErr { - assert.Error(t, got) - } else { - assert.NoError(t, got) - } - }) - } -} - -func loadFileBytes(fileName string) []byte { - contents, err := ioutil.ReadFile(filepath.Join("testdata", fileName)) - if err != nil { - panic(err) - } - return contents -} From ab511c3df3f83b359933238580d04fc9968ab5c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 18 Jan 2021 18:01:23 +0100 Subject: [PATCH 36/44] add more test cases for CA pinning --- .../transport/tlscommon/ca_pinning_test.go | 152 ++++++++++-------- .../common/transport/tlscommon/tls_config.go | 15 +- 2 files changed, 91 insertions(+), 76 deletions(-) diff --git a/libbeat/common/transport/tlscommon/ca_pinning_test.go b/libbeat/common/transport/tlscommon/ca_pinning_test.go index 7e8d13de3e6..ac441225090 100644 --- a/libbeat/common/transport/tlscommon/ca_pinning_test.go +++ b/libbeat/common/transport/tlscommon/ca_pinning_test.go 
@@ -78,79 +78,88 @@ func TestCAPinning(t *testing.T) { }) t.Run("CA Root -> Certificate and we have the CA root pin", func(t *testing.T) { - msg := []byte("OK received message") - - ca, err := genCA() - require.NoError(t, err) - - serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false) - require.NoError(t, err) - - mux := http.NewServeMux() - mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { - w.WriteHeader(http.StatusOK) - w.Write(msg) - }) - - // Select a random available port from the OS. - addr := "localhost:0" - - l, err := net.Listen("tcp", addr) - - server := &http.Server{ - Handler: mux, - TLSConfig: &tls.Config{ - Certificates: []tls.Certificate{ - serverCert, - }, - }, - } - - // Start server and shut it down when the tests are over. - go server.ServeTLS(l, "", "") - defer l.Close() - - // Root CA Pool - require.NoError(t, err) - rootCAs := x509.NewCertPool() - rootCAs.AddCert(ca.Leaf) - - // Get the pin of the RootCA. - pin := Fingerprint(ca.Leaf) - - tlsC := &TLSConfig{ - Verification: VerifyFull, - RootCAs: rootCAs, - CASha256: []string{pin}, + verificationModes := []TLSVerificationMode{ + VerifyFull, + VerifyStrict, + VerifyCertificate, } - - config := tlsC.BuildModuleClientConfig("localhost") - hostToConnect := l.Addr().String() - - transport := &http.Transport{ - TLSClientConfig: config, + for _, mode := range verificationModes { + t.Run(mode.String(), func(t *testing.T) { + msg := []byte("OK received message") + + ca, err := genCA() + require.NoError(t, err) + + serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false) + require.NoError(t, err) + + mux := http.NewServeMux() + mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + w.Write(msg) + }) + + // Select a random available port from the OS. 
+ addr := "localhost:0" + + l, err := net.Listen("tcp", addr) + + server := &http.Server{ + Handler: mux, + TLSConfig: &tls.Config{ + Certificates: []tls.Certificate{ + serverCert, + }, + }, + } + + // Start server and shut it down when the tests are over. + go server.ServeTLS(l, "", "") + defer l.Close() + + // Root CA Pool + require.NoError(t, err) + rootCAs := x509.NewCertPool() + rootCAs.AddCert(ca.Leaf) + + // Get the pin of the RootCA. + pin := Fingerprint(ca.Leaf) + + tlsC := &TLSConfig{ + Verification: mode, + RootCAs: rootCAs, + CASha256: []string{pin}, + } + + config := tlsC.BuildModuleClientConfig("localhost") + hostToConnect := l.Addr().String() + + transport := &http.Transport{ + TLSClientConfig: config, + } + + client := &http.Client{Transport: transport} + + port := strings.TrimPrefix(hostToConnect, "127.0.0.1:") + + req, err := http.NewRequest("GET", "https://localhost:"+port, nil) + require.NoError(t, err) + resp, err := client.Do(req) + require.NoError(t, err) + content, err := ioutil.ReadAll(resp.Body) + require.NoError(t, err) + + assert.True(t, bytes.Equal(msg, content)) + + // 1. create key-pair + // 2. create pin + // 3. start server + // 4. Connect + // 5. Check wrong key do not work + // 6. Check good key work + // 7. check plain text fails to work. + }) } - - client := &http.Client{Transport: transport} - - port := strings.TrimPrefix(hostToConnect, "127.0.0.1:") - - req, err := http.NewRequest("GET", "https://localhost:"+port, nil) - require.NoError(t, err) - resp, err := client.Do(req) - require.NoError(t, err) - content, err := ioutil.ReadAll(resp.Body) - require.NoError(t, err) - - assert.True(t, bytes.Equal(msg, content)) - - // 1. create key-pair - // 2. create pin - // 3. start server - // 4. Connect - // 5. Check wrong key do not work - // 6. Check good key work - // 7. check plain text fails to work. }) t.Run("CA Root -> Intermediate -> Certificate and we receive the CA Root Pin", func(t *testing.T) { 
@@ -344,6 +353,7 @@ func genCA() (tls.Certificate, error) { func genSignedCert(ca tls.Certificate, keyUsage x509.KeyUsage, isCA bool) (tls.Certificate, error) { // Create another Cert/key cert := &x509.Certificate{ + DNSNames: []string{"localhost"}, SerialNumber: big.NewInt(2000), Subject: pkix.Name{ CommonName: "localhost", diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 50477cb94d7..6e27b3a4e3c 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -20,9 +20,10 @@ package tlscommon import ( "crypto/tls" "crypto/x509" - "fmt" "time" + "github.com/pkg/errors" + "github.com/elastic/beats/v7/libbeat/logp" ) @@ -76,6 +77,10 @@ type TLSConfig struct { time func() time.Time } +var ( + MissingPeerCertificate = errors.New("missing peer certificates") +) + // ToConfig generates a tls.Config object. Note, you must use BuildModuleConfig to generate a config with // ServerName set, use that method for servers with SNI. func (c *TLSConfig) ToConfig() *tls.Config { @@ -155,7 +160,7 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { return func(cs tls.ConnectionState) error { // On the client side, PeerCertificates can't be empty. if len(cs.PeerCertificates) == 0 { - return fmt.Errorf("no peer certificates") + return MissingPeerCertificate } dnsnames := cs.PeerCertificates[0].DNSNames @@ -189,7 +194,7 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { return func(cs tls.ConnectionState) error { // On the client side, PeerCertificates can't be empty. if len(cs.PeerCertificates) == 0 { - return fmt.Errorf("no peer certificates") + return MissingPeerCertificate } opts := x509.VerifyOptions{ 
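Review bot: The new exported sentinel `MissingPeerCertificate` in the tls_config.go hunk does not follow the ErrXxx convention and has no doc comment; `ErrMissingPeerCertificate` with `// ErrMissingPeerCertificate is returned by the VerifyConnection callbacks when the peer presented no certificate.` would match the package's other exported names (the deleted verify.go used ErrMissingDNSNameCommonName). The hunk also swaps the stdlib "fmt" import for "github.com/pkg/errors" only to call errors.New, which the standard "errors" package provides, so no extra dependency is needed for a sentinel. The var block sits between the TLSConfig type and ToConfig, so placing it next to the other package-level declarations would also read better.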
@@ -228,7 +233,7 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error return func(cs tls.ConnectionState) error { if len(cs.PeerCertificates) == 0 { if cfg.ClientAuth == tls.RequireAndVerifyClientCert { - return fmt.Errorf("no peer certificates") + return MissingPeerCertificate } return nil } @@ -247,7 +252,7 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error DNSName: cs.ServerName, Roots: cfg.ClientCAs, Intermediates: x509.NewCertPool(), - KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, } for _, cert := range cs.PeerCertificates[1:] { opts.Intermediates.AddCert(cert) From 137f549ba303f76258896620f3d93a219195c43d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 19 Jan 2021 16:14:54 +0100 Subject: [PATCH 37/44] tmp --- .../common/transport/tlscommon/tls_config.go | 75 ++++++++++++++----- 1 file changed, 56 insertions(+), 19 deletions(-) diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 6e27b3a4e3c..107fc5b2cc9 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -20,6 +20,7 @@ package tlscommon import ( "crypto/tls" "crypto/x509" + "net" "time" "github.com/pkg/errors" @@ -163,16 +164,6 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { return MissingPeerCertificate } - dnsnames := cs.PeerCertificates[0].DNSNames - var serverName string - if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { - serverName = cs.PeerCertificates[0].Subject.CommonName - } else { - serverName = dnsnames[0] - } - if len(serverName) > 0 && len(cs.ServerName) > 0 && serverName != cs.ServerName { - return x509.HostnameError{Certificate: cs.PeerCertificates[0], Host: cs.ServerName} - } opts := x509.VerifyOptions{ Roots: cfg.RootCAs, Intermediates: x509.NewCertPool(), 
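Review bot: Changing `KeyUsages` to `x509.ExtKeyUsageAny` in the `@@ -247,7 +252,7 @@` hunk widens what the server accepts as a client identity: a certificate from a trusted client CA that explicitly carries only `serverAuth` (or any other) EKU now passes, whereas `ExtKeyUsageClientAuth` rejected it. As far as I recall Go already treats a certificate without an EKU extension as unrestricted, so the relaxation only admits certificates that declare a different purpose; if that is intended, say why on the line, e.g. `KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // accept client certs regardless of EKU: <reason>`, otherwise keep `ExtKeyUsageClientAuth`. The enclosing callback starts outside the hunk.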
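Review bot: In the `@@ -163,16 +164,6 @@` hunk the client-side `VerifyFull` callback drops the hostname comparison without a replacement: `opts` carries no `DNSName`, so at this revision a `full` client verifies the chain but never checks that the server certificate matches `cs.ServerName` (a later commit in the series adds `DNSName: cs.ServerName,` to these options). Squash that line into this commit so no revision of the series has hostname verification silently disabled. The callback body continues outside the hunk.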
@@ -238,16 +229,11 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error return nil } - dnsnames := cs.PeerCertificates[0].DNSNames - var serverName string - if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" { - serverName = cs.PeerCertificates[0].Subject.CommonName - } else { - serverName = dnsnames[0] - } - if len(serverName) > 0 && len(cs.ServerName) > 0 && serverName != cs.ServerName { - return x509.HostnameError{Certificate: cs.PeerCertificates[0], Host: cs.ServerName} + err := verifyHostname(cs.PeerCertificates[0], cs.ServerName) + if err != nil { + return err } + opts := x509.VerifyOptions{ DNSName: cs.ServerName, Roots: cfg.ClientCAs, @@ -257,6 +243,26 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error for _, cert := range cs.PeerCertificates[1:] { opts.Intermediates.AddCert(cert) } + _, err = cs.PeerCertificates[0].Verify(opts) + return err + } + case VerifyCertificate: + return func(cs tls.ConnectionState) error { + if len(cs.PeerCertificates) == 0 { + if cfg.ClientAuth == tls.RequireAndVerifyClientCert { + return MissingPeerCertificate + } + return nil + } + + opts := x509.VerifyOptions{ + Roots: cfg.ClientCAs, + Intermediates: x509.NewCertPool(), + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, + } + for _, cert := range cs.PeerCertificates[1:] { + opts.Intermediates.AddCert(cert) + } _, err := cs.PeerCertificates[0].Verify(opts) return err } 
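Review bot: The `verifyHostname` call in the `@@ -238,16 +229,11 @@` hunk changes behaviour relative to the lines it replaces: the old check passed when `cs.ServerName` was empty, while `verifyHostname` returns `x509.HostnameError` for an empty hostname because its match requires `len(hostname) > 0`, so a client that sends no SNI is now rejected in `full` mode even with a valid certificate chain. Either guard the call with `if cs.ServerName != "" {` or document (and changelog) that server-side `full` verification now requires SNI. In the same hunk `opts` still has `DNSName: cs.ServerName`, so the name is checked twice with different rules (the custom check accepts CommonName, the stdlib one does not); a one-line comment saying which check is authoritative would help the next reader. `makeVerifyServerConnection` starts outside the hunk.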
@@ -266,3 +272,34 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error
return nil
}
+
+func verifyHostname(cert *x509.Certificate, hostname string) error {
+ // check if the server name is an IP
+ ip := hostname
+ if len(ip) >= 3 && ip[0] == '[' && ip[len(ip)-1] == ']' {
+ ip = ip[1 : len(ip)-1]
+ }
+ parsedIP := net.ParseIP(ip)
+ if parsedIP != nil {
+ for _, certIP := range cert.IPAddresses {
+ if parsedIP.Equal(certIP) {
+ return nil
+ }
+ }
+ return x509.HostnameError{Certificate: cert, Host: hostname}
+ }
+
+ dnsnames := cert.DNSNames
+ if len(dnsnames) == 0 || len(dnsnames) == 1 && dnsnames[0] == "" {
+ if cert.Subject.CommonName != "" {
+ dnsnames = []string{cert.Subject.CommonName}
+ }
+ }
+
+ for _, name := range dnsnames {
+ if len(name) > 0 && len(hostname) > 0 && name == hostname {
+ return nil
+ }
+ }
+ return x509.HostnameError{Certificate: cert, Host: hostname}
+}
From e2f348b0dc77433d60643e9515f0a096516eac3b Mon Sep 17 00:00:00 2001
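Review bot: `verifyHostname` matches SAN entries with `name == hostname`, so it honours neither wildcard entries (`*.example.com` never matches `host.example.com`) nor the case-insensitivity of DNS names, making it stricter than `x509.Certificate.VerifyHostname` and rejecting certificates the standard library accepts. If the goal is only the CommonName fallback for certificates without a SAN extension, let the stdlib do the matching first and fall back to CommonName only when `cert.DNSNames` and `cert.IPAddresses` are both empty, keeping the IP-literal exclusion the current code has; the fallback below needs `strings` imported. The `len(hostname) > 0` test inside the loop is loop-invariant and reads better as an early return. A doc comment is also missing, e.g. `// verifyHostname reports whether cert is valid for hostname, treating Subject.CommonName as a DNS name when the certificate has no SAN entries.`
```go
func verifyHostname(cert *x509.Certificate, hostname string) error {
	// Standard-library matching first: wildcards, case folding, IP SANs.
	if err := cert.VerifyHostname(hostname); err == nil {
		return nil
	}
	// Legacy fallback: a certificate with no SAN extension may still identify
	// itself by CommonName; IP literals are never matched against CommonName.
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 &&
		net.ParseIP(strings.Trim(hostname, "[]")) == nil &&
		cert.Subject.CommonName != "" && cert.Subject.CommonName == hostname {
		return nil
	}
	return x509.HostnameError{Certificate: cert, Host: hostname}
}
```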
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 19 Jan 2021 16:49:02 +0100 Subject: [PATCH 38/44] tmp --- CHANGELOG.next.asciidoc | 8 +- .../transport/tlscommon/server_config.go | 4 +- .../transport/tlscommon/testdata/cacert.crt | 24 +++ .../transport/tlscommon/testdata/cacert.key | 27 +++ .../transport/tlscommon/testdata/client1.crt | 48 ++++++ .../transport/tlscommon/testdata/client1.key | 27 +++ .../common/transport/tlscommon/tls_config.go | 11 +- .../transport/tlscommon/tls_config_test.go | 163 ++++++++++++++++++ .../transport/tlscommon/validhostname.go | 80 +++++++++ metricbeat/helper/server/http/http.go | 2 +- 10 files changed, 382 insertions(+), 12 deletions(-) create mode 100644 libbeat/common/transport/tlscommon/testdata/cacert.crt create mode 100644 libbeat/common/transport/tlscommon/testdata/cacert.key create mode 100644 libbeat/common/transport/tlscommon/testdata/client1.crt create mode 100644 libbeat/common/transport/tlscommon/testdata/client1.key create mode 100644 libbeat/common/transport/tlscommon/tls_config_test.go create mode 100644 libbeat/common/transport/tlscommon/validhostname.go diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 88cf16dd42e..6a780cd612c 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -985,10 +985,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Affecting all Beats* -- Selecting `full` in `ssl.verification_mode` option no longer treats CommonName field in x509 certificates as - a hostname when no Subject Alternative Name is present. Please update your certificates so it contains at least - one DNSName instead of relying on CommonName. If it is not an option, use `common_name` verification mode. This - way, the Beat overwrites the DNSName field with CommonName and then does the usual `full` check of the certificate. +- Selecting `full` in `ssl.verification_mode` option will not treat CommonName field in x509 certificates as + a hostname when Subject Alternative Name is not present from v8.0. + Please update your certificates so it contains at least one DNSName instead of relying on CommonName in the new + major version of Beats. *Filebeat* diff --git a/libbeat/common/transport/tlscommon/server_config.go b/libbeat/common/transport/tlscommon/server_config.go index d41e419e9c4..e85a0c409c3 100644 --- a/libbeat/common/transport/tlscommon/server_config.go +++ b/libbeat/common/transport/tlscommon/server_config.go 
@@ -28,13 +28,14 @@ import ( // ServerConfig defines the user configurable tls options for any TCP based service. type ServerConfig struct { Enabled *bool `config:"enabled"` - VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'full', 'strict' + VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'full', 'strict', 'certificate' Versions []TLSVersion `config:"supported_protocols"` CipherSuites []tlsCipherSuite `config:"cipher_suites"` CAs []string `config:"certificate_authorities"` Certificate CertificateConfig `config:",inline"` CurveTypes []tlsCurveType `config:"curve_types"` ClientAuth tlsClientAuth `config:"client_authentication"` //`none`, `optional` or `required` + CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"` } // LoadTLSServerConfig tranforms a ServerConfig into a `tls.Config` to be used directly with golang @@ -88,6 +89,7 @@ func LoadTLSServerConfig(config *ServerConfig) (*TLSConfig, error) { CipherSuites: cipherSuites, CurvePreferences: curves, ClientAuth: tls.ClientAuthType(config.ClientAuth), + CASha256: config.CASha256, }, nil } diff --git a/libbeat/common/transport/tlscommon/testdata/cacert.crt b/libbeat/common/transport/tlscommon/testdata/cacert.crt new file mode 100644 index 00000000000..debdf7e246e --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/cacert.crt 
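Review bot: The new `CASha256` field on `ServerConfig` in the `@@ -28,13 +28,14 @@` hunk is the only field in the struct with a `yaml` tag and the only one without a trailing comment, so a reader cannot tell what it pins on the server side or why its tags differ from its siblings. Suggested: `CASha256 []string \`config:"ca_sha256"\` // pins the client CA chain to these SHA-256 fingerprints (see verifyCAPin)`, dropping the `yaml` tag unless the other fields get one too. The `VerificationMode` comment now lists `'certificate'`, which is good; the `ClientAuth` comment on the next line could use the same backtick style for consistency.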
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL +BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u +dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 +MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG +UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV +BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW +ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo +yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu +5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP +7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI +p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a +tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB +nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP +BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU +XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P +dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg +blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn +in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug +B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq +A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z +-----END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/cacert.key b/libbeat/common/transport/tlscommon/testdata/cacert.key new file mode 100644 index 00000000000..e864b93ed66 --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/cacert.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArV7J/lQq1om7raAcjORHiCtvV2H3wcDe/BHjYw3WmWajBeMB +mWes9sUFx+phcfptYI53+UdqqMn3p7WB+VUWc+QBLQRj7DqjH31fbuT5B0qP9opQ +l+NHgVaebt6oemhT2eQyqnsVruY1DGKJU16bwLTC+WGzB/V71uqZ+VgKsBzyzXvn +1bj4OLSTdLv339MCqklASIVTj+xD4c98i35QAknII/iz18/+YLVF3vUUeUQfM8lh +nzS/dXqFVWgKXHaeJCFPgx5oCKfk+AqYHWFrGLjlh+PRe0Sci6aHFFOB/oXnguPs +x9CyFHBC2vp/zNg1A1t0RNdPWrb/ThCSkfP2BwIDAQABAoIBAQCQmLJYENL5xD5n +/VZSnEKc670dYHRHgRl5m2HPR8doghYN3tuCmtnDp2e+6VkEux1mnuypWEs5I9oO +YnBZCAKF/fCNH1BHwlAy/1oNH6Qj1Khls86sH7+PvDK/va0/CqyE2rL3RVk8Wnx8 +K+LlSc8V1q2XWUj8pl33TgvFzwx6/QpmGa1ofK84GaeWNskRt8xyf2HECiRl6ZFm +zZr2Ror3nRbgZK9FYWpcp6HUgxAH/8GQ3+8vMvftfTsDGD5TmmEq6CFgAFCVj92L +d7AZmNWR1483NzZF0HWOQ6ew9qrWkqVpER7kKKp/kkfoh2qXgvtQBTrw4IcCRwwa +szaSsIEBAoGBANiqXhBzPQJszm1Ajln07ZeyvgRB8PgzZXcAHS9AfGqh/mGQw5/X +3vqHdGiEynphoYtNqK1YT7RH7pkjkpqDzdunZGz1xog7i4ys8kVtivkDGlhn6cXI +4wmFcmyCaf76VPPr1RX8PNjsEKDK3jq1d86lBjSLPgcHT7J16WZgOcJnAoGBAMzY +QVNpjk1WNT7gid3MUXciIIZAovej4AiVyn97XxxLSyByXmNds65f3dM8NOJkJUvT +iV7pAjKl9pd1lE+WTNQSjCgSxw7G+4u9cQfNE7p6klAh/Rek76Mani9rAmQ2PdJl +EFaEgLom3wbR5eOkYURjw2jfqzFYQ8T1YZkWBithAoGAa3EYkknDIFe6ifzwWnWV ++Jr/lXbpuvspvrhEwLDWwb4xOkqiZ7qR7WSMemQXUFbn1/+bvNJFPB5LmI9GXO8t +f1Zj+5BpchctHYaJ4Znvx4odX2ewSo9S3t7ZHiwRygpzZD43fd6Ggf+WQ1Y2m6Bv +l/7Hs/i0uqGKiPHl2wmuutMCgYABZN9c7/T19cY6/VAy4DcVtne+MiZpxQW7STmt +kGtfR+vk9qJJztNwNlrOGzTI7aGLWI8wxCktqw94jGZL/FvdfZrSkv4jzZrcopdo +VC70L+1a+kA8rvSqiX3WGMZVZEEbc3CfBhvSKH2QEFGeMPowevVTe2Iw3cboSjs1 +zX6RQQKBgFV7gOstMfvixCSUCD2s5j/skhNJsB3Wd/tVYRbl/vgA6hHW8UOy2oWv +UTE45vJNVzRv030G5katjOYhlxHf9rpeSAbeIyty54I3X9/vDJZLXwe8WilQjUr7 +Dw8yNwH44j/0s8xcQXG8yE0h1Aa9GxHHtJtYrRYdx7sSwNHtwpnp +-----END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/testdata/client1.crt b/libbeat/common/transport/tlscommon/testdata/client1.crt new file mode 100644 index 00000000000..c3139a72a77 --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/client1.crt 
@@ -0,0 +1,48 @@ +-----BEGIN CERTIFICATE----- +MIIEFzCCAv+gAwIBAgIUeaB7uk2DjAM2cuRl0kaE9ly7Lj4wDQYJKoZIhvcNAQEL +BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u +dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 +MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBmMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG +UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDzANBgNV +BAsMBnNlcnZlcjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6 +hdpzNpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n +26nDMY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL5 +5qTPRJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Z +zd0W3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjU +mt+N/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABo4HQMIHNMAwGA1Ud +EwEB/wQCMAAwHQYDVR0OBBYEFAuDdHxE9/Zr7iVwfnUJ/lRtJnZkMIGNBgNVHSME +gYUwgYKAFH8hDdUHuxZVmvtkQZ5fFXeGQhZCoVSkUjBQMQswCQYDVQQGEwJDQTEP +MA0GA1UECAwGUXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVh +dHMxDTALBgNVBAsMBHJvb3SCFF8Gy28Bo1lpUDazFLHQ6Ss3hosRMA4GA1UdDwEB +/wQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAQEACzuX6AiVHk5Igs/LdOW2sJ9lm95N +Su1PQCobM0Jo8wX3pDAEQlLmaWTDcr4bfrQPfI8pih1F89DQU9z0nzNCRfxiQaA7 +myF8ftvf8v5j3LpaPWlkdWgCRieCl58fgy5vtcKx73eTY4a6SRB4zbWpl0rX9H6w +En1kQbpCJDzh8W+xmr8AKvY77CSC1vt7TaKan6F+fGwbt8kIng6P6C7dvMGsDKQN +2Tiq/wtH16DB8mOeO+zfxJfa84TPWL4UcSbZJ8w5Fyz4GJormaymxJGtKv58RO7J +u63WF9vlEnKGyqY1FckTsp3P9ivGEb/Y75+NyRwmNq5VO5BPrRBMOF3VAg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL +BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u +dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 +MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG +UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV +BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW 
+ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo +yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu +5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP +7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI +p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a +tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB +nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP +BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU +XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P +dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg +blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn +in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug +B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq +A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z +-----END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/client1.key b/libbeat/common/transport/tlscommon/testdata/client1.key new file mode 100644 index 00000000000..ce5274b758f --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/client1.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6hdpz +NpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n26nD +MY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL55qTP +RJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Zzd0W +3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjUmt+N +/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABAoIBABdTza7JKHZCT9ck +04vBX2KVIVrA50VScNOkNVuIYVmihEJJDI9N5asZhRtykHkmeqKlzGCBE63asf85 +1vrjAVhQ+KoCGLpUWxXgPbbzcS3wqKaGy9cIJT65957Z5Rz8zAvjMb0rkXHryOvR +iMaTGkM1KRcntZ3L5zr06HSk6J7K8QCEexKHl7Q7Ki1498tvBWdJGeGWRiUtI89j +wOUdcf3pVSVqI7J8gmmqVwNrVMbVxhlen7nkckXofWAackYVQDBD+hU1n3doNKLa +NP6mZkI02BOB29WLDXLuHtKDZtgnXex4JUz6zw53uV42FCDoQf3DUiVsMEL8xRCJ +27H6bwECgYEA/w53zS00mNdYdXO7dGhAw3UYPc3PDyg6Z823BQzfdOzsn5Yw0BIw +nPgstzwzOL0kw2p/PgwkG/7LOsF5CWs2xvU3LhUdOhgmw4B5IbMOYvbkVoYGz+22 +HJf4qyexAr7tKCITB+LCzUwoAgXp8uju1XdLVpk6xmJ3u+kIhMYTxkUCgYEA3wgx +71/uIUsoW6bVL5K00yXPWTTFtTBWM768VJ8Y++k2igPgcvKaBVaElr4AbvX5iCGz +1Ycc9xsGAYAo7+q4D+4cuOki/m0PMKD3DgXWpTtN0kJ+npWUBdE98NyDlTJYsa/w +xjeMQoDvC8tE2bAiwtVIOPQL2C/3emqkJcsVcDMCgYB8NeOJ/DXdKSJfMJldu1eu +2FuR3aS00PaAjuJOh1JbcvZZUZ879V/PUd0U7zBStWot8LM+2FLNf2whlQ8I0zm9 +8rWIr6eoHxLhqrNTAgxDjdDtgh/XKwDBNBFZ6N5/Y9PC87Uo5fnQWQIy2gZw0Zde +RdZeugixjEqbLIWFg6ElsQKBgHRy6O+c3M6RWU8ROnoOVU9xjGN9REUoKbn2uopM +T1UoHQvOnmAl/vkOhUfXiI5m65SCVE0GsL7sYyRhb/5kRRo8Ls71GwpQkv/G63ds +4PeAkU9Y3JecbZ7j8z1RRXqewOR1gndcBWWrwCQeS6KFboDfr0fdVFnaIZLPH0mE +UXs1AoGBAM3zpcyl5o99dO6x9N/8SSnyLT9TzzbJ6pU6d0F0ELn3OxTUBH1oA1dy +q1fADcRgN5vNuJljY4es/scK2BMeX1isFitXoIzk01F4R61xoXr8T33731eXFG6L +ehoECH2Yj9H4qNbVW531iYKheuSyaMaxCxaDoK9jBzcKaxMGbTlc +-----END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 107fc5b2cc9..c87da74db85 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go 
@@ -20,6 +20,7 @@ package tlscommon import ( "crypto/tls" "crypto/x509" + "fmt" "net" "time" @@ -91,10 +92,6 @@ func (c *TLSConfig) ToConfig() *tls.Config { minVersion, maxVersion := extractMinMaxVersion(c.Versions) - // When we are using the CAsha256 pin to validate the CA used to validate the chain, - // or when we are using 'certificate' TLS verification mode, we add a custom callback - verifyConnectionFn := makeVerifyConnection(c) - insecure := c.Verification != VerifyStrict if c.Verification == VerifyNone { logp.NewLogger("tls").Warn("SSL/TLS verifications disabled.") @@ -111,7 +108,6 @@ func (c *TLSConfig) ToConfig() *tls.Config { Renegotiation: c.Renegotiation, ClientAuth: c.ClientAuth, Time: c.time, - VerifyConnection: verifyConnectionFn, } } @@ -165,6 +161,7 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { } opts := x509.VerifyOptions{ + DNSName: cs.ServerName, Roots: cfg.RootCAs, Intermediates: x509.NewCertPool(), } @@ -235,7 +232,6 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error } opts := x509.VerifyOptions{ - DNSName: cs.ServerName, Roots: cfg.ClientCAs, Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, @@ -298,6 +294,9 @@ func verifyHostname(cert *x509.Certificate, hostname string) error { for _, name := range dnsnames { if len(name) > 0 && len(hostname) > 0 && name == hostname { + if !validHostname(name, true) { + return fmt.Errorf("invalid hostname in cert") + } return nil } } diff --git a/libbeat/common/transport/tlscommon/tls_config_test.go b/libbeat/common/transport/tlscommon/tls_config_test.go new file mode 100644 index 00000000000..6f971aeb489 --- /dev/null +++ b/libbeat/common/transport/tlscommon/tls_config_test.go 
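Review bot: In the `@@ -298,6 +294,9 @@` hunk `validHostname(name, true)` runs only after `name == hostname` has already matched, so a malformed SAN is rejected only when it happens to equal the requested name, and the `isPattern == true` leniency for a leading `*` label never matters because the comparison is exact. Validate before comparing and skip bad candidates as the stdlib does, `if !validHostname(name, false) { continue }` at the top of the loop (passing `true` only if wildcard matching is actually implemented). `fmt.Errorf("invalid hostname in cert")` carries no dynamic data; a sentinel next to `MissingPeerCertificate`, `ErrInvalidHostname = errors.New("invalid hostname in cert")`, lets callers test for it and avoids re-importing `fmt` in the `@@ -20,6 +20,7 @@` hunk. The enclosing loop and function start outside the hunk.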
@@ -0,0 +1,163 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package tlscommon + +import ( + "crypto/tls" + "crypto/x509" + "encoding/pem" + "io/ioutil" + "path/filepath" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestMakeVerifyServerConnection(t *testing.T) { + testCerts, err := openTestCerts() + if err != nil { + t.Fatalf("failed to open test certs: %+v", err) + } + + testCA, errs := LoadCertificateAuthorities([]string{filepath.Join("testdata", "cacert.crt")}) + if len(errs) > 0 { + t.Fatalf("failed to load test certificate authorities: %+v", errs) + } + + testcases := map[string]struct { + verificationMode TLSVerificationMode + clientAuth tls.ClientAuthType + certAuthorities *x509.CertPool + peerCerts []*x509.Certificate + serverName string + expectedCallback bool + expectedError error + }{ + "default verification without certificates when required": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + peerCerts: nil, + serverName: "", + expectedCallback: true, + expectedError: MissingPeerCertificate, + }, + "default verification with certificates when required with expired cert": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + 
certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["expired"]}, + serverName: "", + expectedCallback: true, + expectedError: x509.CertificateInvalidError{Cert: testCerts["expired"], Reason: x509.Expired}, + }, + "default verification with certificates when required with incorrect server name in cert": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "bad.example.com", + expectedCallback: true, + expectedError: x509.HostnameError{Certificate: testCerts["correct"], Host: "bad.example.com"}, + }, + "default verification with certificates when required with correct cert": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["correct"]}, + serverName: "localhost", + expectedCallback: true, + expectedError: nil, + }, + "default verification with certificates when required with cert signed by unkown authority": { + verificationMode: VerifyFull, + clientAuth: tls.RequireAndVerifyClientCert, + certAuthorities: testCA, + peerCerts: []*x509.Certificate{testCerts["unknown authority"]}, + serverName: "", + expectedCallback: true, + expectedError: x509.UnknownAuthorityError{Cert: testCerts["unknown authority"]}, + }, + "default verification without certificates not required": { + verificationMode: VerifyFull, + clientAuth: tls.NoClientCert, + peerCerts: nil, + serverName: "", + expectedCallback: true, + expectedError: nil, + }, + "no verification without certificates not required": { + verificationMode: VerifyNone, + clientAuth: tls.NoClientCert, + peerCerts: nil, + serverName: "", + expectedError: nil, + }, + } + + for name, test := range testcases { + t.Run(name, func(t *testing.T) { + test := test + cfg := &TLSConfig{ + Verification: test.verificationMode, + ClientAuth: test.clientAuth, + ClientCAs: test.certAuthorities, + } + + verifier 
:= makeVerifyServerConnection(cfg) + if !test.expectedCallback { + assert.Nil(t, verifier) + return + } + + err := verifier(tls.ConnectionState{ + PeerCertificates: test.peerCerts, + ServerName: test.serverName, + }) + if test.expectedError == nil { + assert.Nil(t, err) + } else { + assert.Error(t, test.expectedError, err) + } + }) + } + +} + +func openTestCerts() (map[string]*x509.Certificate, error) { + certs := make(map[string]*x509.Certificate, 0) + + for testcase, certname := range map[string]string{ + "expired": "tls.crt", + "unknown authority": "unsigned_tls.crt", + "correct": "client1.crt", + } { + + certBytes, err := ioutil.ReadFile(filepath.Join("testdata", certname)) + if err != nil { + return nil, err + } + block, _ := pem.Decode(certBytes) + testCert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + return nil, err + } + certs[testcase] = testCert + } + + return certs, nil +} diff --git a/libbeat/common/transport/tlscommon/validhostname.go b/libbeat/common/transport/tlscommon/validhostname.go new file mode 100644 index 00000000000..30f58c0f1b1 --- /dev/null +++ b/libbeat/common/transport/tlscommon/validhostname.go 
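Review bot: `assert.Error(t, test.expectedError, err)` in the table loop only checks that `test.expectedError` is non-nil and treats `err` as the failure message, so every error case passes no matter what the verifier returned; use `assert.Equal(t, test.expectedError, err)` (or `assert.ErrorIs`/`assert.EqualError`) so that, for example, the `x509.HostnameError` expected for "bad.example.com" is really compared. Once that is fixed, the "expired cert" and "unknown authority" cases use `serverName: ""`, which the new `verifyHostname` rejects before chain verification, so they will probably report `x509.HostnameError` rather than the listed error — worth confirming. `openTestCerts` dereferences `block.Bytes` without checking that `pem.Decode` returned a block, and it reads `tls.crt` and `unsigned_tls.crt`, which this commit does not add under `testdata/` (presumably they already exist). The `test := test` inside `t.Run` is a no-op because the closure has already captured the loop variable; it belongs before `t.Run` if `t.Parallel()` is ever added.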
@@ -0,0 +1,80 @@ +// Copyright (c) 2009 The Go Authors. All rights reserved. + +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: + +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. + +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// This file contains code adapted from golang's crypto/x509/verify.go + +package tlscommon + +import "strings" + +// validHostname reports whether host is a valid hostname that can be matched or +// matched against according to RFC 6125 2.2, with some leniency to accommodate +// legacy values. 
+func validHostname(host string, isPattern bool) bool { + if !isPattern { + host = strings.TrimSuffix(host, ".") + } + if len(host) == 0 { + return false + } + + for i, part := range strings.Split(host, ".") { + if part == "" { + // Empty label. + return false + } + if isPattern && i == 0 && part == "*" { + // Only allow full left-most wildcards, as those are the only ones + // we match, and matching literal '*' characters is probably never + // the expected behavior. + continue + } + for j, c := range part { + if 'a' <= c && c <= 'z' { + continue + } + if '0' <= c && c <= '9' { + continue + } + if 'A' <= c && c <= 'Z' { + continue + } + if c == '-' && j != 0 { + continue + } + if c == '_' { + // Not a valid character in hostnames, but commonly + // found in deployments outside the WebPKI. + continue + } + return false + } + } + + return true +} diff --git a/metricbeat/helper/server/http/http.go b/metricbeat/helper/server/http/http.go index 98b292dbcce..3fe02001d7a 100644 --- a/metricbeat/helper/server/http/http.go +++ b/metricbeat/helper/server/http/http.go @@ -76,7 +76,7 @@ func getDefaultHttpServer(mb mb.BaseMetricSet) (*HttpServer, error) { Addr: net.JoinHostPort(config.Host, strconv.Itoa(int(config.Port))), } if tlsConfig != nil { - httpServer.TLSConfig = tlsConfig.BuildModuleServerConfig(config.Host) + httpServer.TLSConfig = tlsConfig.BuildModuleClientConfig(config.Host) } h.server = httpServer return h, nil From 357534f4f1e5eed52c7abde0923634d26da37730 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 19 Jan 2021 16:56:15 +0100 Subject: [PATCH 39/44] probably --- filebeat/inputsource/tcp/server.go | 2 +- .../common/transport/tlscommon/tls_config.go | 65 ++++++++----------- .../transport/tlscommon/validhostname.go | 17 +++++ .../common/transport/transptest/testing.go | 2 +- 4 files changed, 46 insertions(+), 40 deletions(-) 
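Review bot: The provenance comment `// This file contains code adapted from golang's crypto/x509/verify.go` does not say which Go release the copy was taken from, so future upstream fixes to `validHostname` cannot be tracked; suggested: `// This file contains code adapted from golang's crypto/x509/verify.go (Go <version-at-copy-time>, validHostname); keep in sync with upstream.` The function is unexported and, elsewhere in this series, only ever called with `isPattern == true`, so the `!isPattern` trailing-dot branch is currently dead; a short comment on the parameter would spare the next reader a search for the other caller.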
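Review bot: `getDefaultHttpServer` now builds the `TLSConfig` of an `http.Server` with `BuildModuleClientConfig`, which in this series installs the client-side `makeVerifyConnection` callback and sets `ServerName`; on a listener that callback inspects the connecting client's certificates, so in `full`/`certificate` mode a client that presents no certificate is rejected with `MissingPeerCertificate` even when `client_authentication` is not `required`. The later commit in this series that renames the server builder to `BuildServerConfig` updates the filebeat TCP server and `transptest` but not this call site, which suggests the swap here is accidental; it should read `httpServer.TLSConfig = tlsConfig.BuildServerConfig(config.Host)` (or `BuildModuleServerConfig` at this point in the series). The rest of `getDefaultHttpServer` is outside the hunk.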
diff --git a/filebeat/inputsource/tcp/server.go b/filebeat/inputsource/tcp/server.go index 96b39d038a8..42c88693879 100644 --- a/filebeat/inputsource/tcp/server.go +++ b/filebeat/inputsource/tcp/server.go @@ -68,7 +68,7 @@ func (s *Server) createServer() (net.Listener, error) { var l net.Listener var err error if s.tlsConfig != nil { - t := s.tlsConfig.BuildModuleServerConfig(s.config.Host) + t := s.tlsConfig.BuildServerConfig(s.config.Host) l, err = tls.Listen("tcp", s.config.Host, t) if err != nil { return nil, err diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index c87da74db85..f1afd4a764c 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -130,8 +130,8 @@ func (c *TLSConfig) BuildModuleClientConfig(host string) *tls.Config { return config } -// BuildModuleConfig takes the TLSConfig and transform it into a `tls.Config`. -func (c *TLSConfig) BuildModuleServerConfig(host string) *tls.Config { +// BuildServerConfig takes the TLSConfig and transform it into a `tls.Config` for server side objects. +func (c *TLSConfig) BuildServerConfig(host string) *tls.Config { if c == nil { // use default TLS settings, if config is empty. return &tls.Config{ @@ -150,8 +150,6 @@ func (c *TLSConfig) BuildModuleServerConfig(host string) *tls.Config { } func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { - pin := len(cfg.CASha256) > 0 - switch cfg.Verification { case VerifyFull: return func(cs tls.ConnectionState) error { 
@@ -165,18 +163,7 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { Roots: cfg.RootCAs, Intermediates: x509.NewCertPool(), } - for _, cert := range cs.PeerCertificates[1:] { - opts.Intermediates.AddCert(cert) - } - verifiedChains, err := cs.PeerCertificates[0].Verify(opts) - if err != nil { - return err - } - - if pin { - return verifyCAPin(cfg.CASha256, verifiedChains) - } - return nil + return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts) } case VerifyCertificate: return func(cs tls.ConnectionState) error { @@ -189,21 +176,10 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error { Roots: cfg.RootCAs, Intermediates: x509.NewCertPool(), } - for _, cert := range cs.PeerCertificates[1:] { - opts.Intermediates.AddCert(cert) - } - verifiedChains, err := cs.PeerCertificates[0].Verify(opts) - if err != nil { - return err - } - - if pin { - return verifyCAPin(cfg.CASha256, verifiedChains) - } - return nil + return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts) } case VerifyStrict: - if pin { + if len(cfg.CASha256) > 0 { return func(cs tls.ConnectionState) error { return verifyCAPin(cfg.CASha256, cs.VerifiedChains) } @@ -236,11 +212,7 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, } - for _, cert := range cs.PeerCertificates[1:] { - opts.Intermediates.AddCert(cert) - } - _, err = cs.PeerCertificates[0].Verify(opts) - return err + return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts) } case VerifyCertificate: return func(cs tls.ConnectionState) error { 
@@ -256,11 +228,13 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error
Intermediates: x509.NewCertPool(),
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
}
- for _, cert := range cs.PeerCertificates[1:] {
- opts.Intermediates.AddCert(cert)
+ return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts)
+ }
+ case VerifyStrict:
+ if len(cfg.CASha256) > 0 {
+ return func(cs tls.ConnectionState) error {
+ return verifyCAPin(cfg.CASha256, cs.VerifiedChains)
}
- _, err := cs.PeerCertificates[0].Verify(opts)
- return err
}
default:
}
@@ -302,3 +276,18 @@ func verifyHostname(cert *x509.Certificate, hostname string) error {
}
return x509.HostnameError{Certificate: cert, Host: hostname}
}
+
+func verifyCertsWithOpts(certs []*x509.Certificate, casha256 []string, opts x509.VerifyOptions) error {
+ for _, cert := range certs[1:] {
+ opts.Intermediates.AddCert(cert)
+ }
+ verifiedChains, err := certs[0].Verify(opts)
+ if err != nil {
+ return err
+ }
+
+ if len(casha256) > 0 {
+ return verifyCAPin(casha256, verifiedChains)
+ }
+ return nil
+}
diff --git a/libbeat/common/transport/tlscommon/validhostname.go b/libbeat/common/transport/tlscommon/validhostname.go
index 30f58c0f1b1..15370b4d4f9 100644
--- a/libbeat/common/transport/tlscommon/validhostname.go
+++ b/libbeat/common/transport/tlscommon/validhostname.go
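Review bot: `verifyCertsWithOpts` in the `@@ -302,3 +276,18 @@` hunk indexes `certs[1:]` and `certs[0]` unconditionally, so any caller that forgets the `len(cs.PeerCertificates) == 0` check every current call site repeats inline gets an index-out-of-range panic inside the TLS handshake instead of an error. Put the guard once here, `if len(certs) == 0 { return MissingPeerCertificate }`, and add a doc comment: `// verifyCertsWithOpts verifies certs[0] against opts using the remaining certs as intermediates and, when casha256 is non-empty, pins the verified chain to those fingerprints.` The new server-side `VerifyStrict` case in the first hunk pins `cs.VerifiedChains`, which is empty when a client presents no certificate under optional client auth; whether that rejects anonymous clients depends on `verifyCAPin`, which is outside the hunk, so it is worth confirming and documenting. `makeVerifyServerConnection` starts outside the hunk.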
@@ -1,3 +1,20 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + // Copyright (c) 2009 The Go Authors. All rights reserved. // Redistribution and use in source and binary forms, with or without diff --git a/libbeat/common/transport/transptest/testing.go b/libbeat/common/transport/transptest/testing.go index 81cfad6cbdf..1649957c624 100644 --- a/libbeat/common/transport/transptest/testing.go +++ b/libbeat/common/transport/transptest/testing.go @@ -135,7 +135,7 @@ func NewMockServerTLS(t *testing.T, to time.Duration, cert string, proxy *transp t.Fatalf("failed to load certificate") } - listener := tls.NewListener(tcpListener, tlsConfig.BuildModuleServerConfig("")) + listener := tls.NewListener(tcpListener, tlsConfig.BuildServerConfig("")) server := &MockServer{Listener: listener, Timeout: to} server.Handshake = func(client net.Conn) { From 8ced8634e272747240a6071336cce58e97cbc493 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 19 Jan 2021 17:24:05 +0100 Subject: [PATCH 40/44] more minor refactoring --- libbeat/common/transport/tlscommon/tls_config.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go
index f1afd4a764c..cc19528d090 100644
--- a/libbeat/common/transport/tlscommon/tls_config.go
+++ b/libbeat/common/transport/tlscommon/tls_config.go
@@ -83,8 +83,9 @@ var (
 MissingPeerCertificate = errors.New("missing peer certificates")
 )
-// ToConfig generates a tls.Config object. Note, you must use BuildModuleConfig to generate a config with
+// ToConfig generates a tls.Config object. Note, you must use BuildModuleClientConfig to generate a config with
 // ServerName set, use that method for servers with SNI.
+// By default VerifyConnection is set to client mode.
 func (c *TLSConfig) ToConfig() *tls.Config {
 if c == nil {
 return &tls.Config{}
@@ -108,6 +109,7 @@ func (c *TLSConfig) ToConfig() *tls.Config {
 Renegotiation: c.Renegotiation,
 ClientAuth: c.ClientAuth,
 Time: c.time,
+ VerifyConnection: makeVerifyConnection(c),
 }
 }
@@ -126,7 +128,6 @@ func (c *TLSConfig) BuildModuleClientConfig(host string) *tls.Config {
 config := c.ToConfig()
 config.ServerName = host
- config.VerifyConnection = makeVerifyConnection(c)
 return config
 }
From 17dde915f152b15d42d066ec7a568c20466d4c98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 19 Jan 2021 18:01:20 +0100 Subject: [PATCH 41/44] add more test cases --- .../transport/tlscommon/tls_config_test.go | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+)
diff --git a/libbeat/common/transport/tlscommon/tls_config_test.go b/libbeat/common/transport/tlscommon/tls_config_test.go
index 6f971aeb489..1490664d3d3 100644
--- a/libbeat/common/transport/tlscommon/tls_config_test.go
+++ b/libbeat/common/transport/tlscommon/tls_config_test.go
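Review bot: ToConfig now installs `makeVerifyConnection(c)`, the client-side verifier, on every tls.Config it returns, and the added doc line `// By default VerifyConnection is set to client mode.` does not say what a caller that uses the result for a server must do instead. The earlier patch in this series switches transptest to BuildServerConfig, which presumably replaces the callback, but anyone passing ToConfig() straight to tls.Server would have client-mode verification applied to client certificates. Suggest making the contract explicit in the ToConfig comment, e.g. `// VerifyConnection is the client-side verifier; server configs must be built with BuildServerConfig.`. The rest of ToConfig's body lies outside these hunks.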
@@ -83,6 +83,42 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 expectedCallback: true,
 expectedError: nil,
 },
+ "certificate verification with certificates when required with correct cert": {
+ verificationMode: VerifyCertificate,
+ clientAuth: tls.RequireAndVerifyClientCert,
+ certAuthorities: testCA,
+ peerCerts: []*x509.Certificate{testCerts["correct"]},
+ serverName: "localhost",
+ expectedCallback: true,
+ expectedError: nil,
+ },
+ "certificate verification with certificates when required with expired cert": {
+ verificationMode: VerifyCertificate,
+ clientAuth: tls.RequireAndVerifyClientCert,
+ certAuthorities: testCA,
+ peerCerts: []*x509.Certificate{testCerts["expired"]},
+ serverName: "localhost",
+ expectedCallback: true,
+ expectedError: x509.CertificateInvalidError{Cert: testCerts["expired"], Reason: x509.Expired},
+ },
+ "certificate verification with certificates when required with incorrect server name in cert": {
+ verificationMode: VerifyCertificate,
+ clientAuth: tls.RequireAndVerifyClientCert,
+ certAuthorities: testCA,
+ peerCerts: []*x509.Certificate{testCerts["correct"]},
+ serverName: "bad.example.com",
+ expectedCallback: true,
+ expectedError: nil,
+ },
+ "strict verification with certificates when required with correct cert": {
+ verificationMode: VerifyStrict,
+ clientAuth: tls.RequireAndVerifyClientCert,
+ certAuthorities: testCA,
+ peerCerts: []*x509.Certificate{testCerts["correct"]},
+ serverName: "localhost",
+ expectedCallback: false,
+ expectedError: nil,
+ },
 "default verification with certificates when required with cert signed by unkown authority": {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
From 60fb059e850101776642a90cbc14bf211ebaf267 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Wed, 20 Jan 2021 09:47:31 +0100 Subject: [PATCH 42/44] adjust order of tests --- .../common/transport/tlscommon/tls_config.go | 51 ++++++++++--------- 1 file changed, 28 insertions(+), 23 deletions(-)
diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go
index cc19528d090..9e7eb4548db 100644
--- a/libbeat/common/transport/tlscommon/tls_config.go
+++ b/libbeat/common/transport/tlscommon/tls_config.go
@@ -160,11 +160,14 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error {
 }
 opts := x509.VerifyOptions{
- DNSName: cs.ServerName,
 Roots: cfg.RootCAs,
 Intermediates: x509.NewCertPool(),
 }
- return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts)
+ err := verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts)
+ if err != nil {
+ return err
+ }
+ return verifyHostname(cs.PeerCertificates[0], cs.ServerName)
 }
 case VerifyCertificate:
 return func(cs tls.ConnectionState) error {
@@ -203,17 +206,16 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error
 return nil
 }
- err := verifyHostname(cs.PeerCertificates[0], cs.ServerName)
- if err != nil {
- return err
- }
-
 opts := x509.VerifyOptions{
 Roots: cfg.ClientCAs,
 Intermediates: x509.NewCertPool(),
 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
 }
- return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts)
+ err := verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts)
+ if err != nil {
+ return err
+ }
+ return verifyHostname(cs.PeerCertificates[0], cs.ServerName)
 }
 case VerifyCertificate:
 return func(cs tls.ConnectionState) error {
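Review bot: In the server-side VerifyFull closure, the re-added `return verifyHostname(cs.PeerCertificates[0], cs.ServerName)` matches the client's leaf certificate against the SNI name the client sent for the server, which is only meaningful if client certificates are expected to carry the server's own name; this was already the case before the reorder, so the commit does not introduce it, but the reordered code is now the place it lives. If that is the intended mutual-TLS contract it needs a comment saying so, e.g. `// Client certificates are expected to be issued for the server name they connect to.`; if not, server-side VerifyFull should verify the chain only or compare against an explicitly configured client identity. The client closure in the @@ -160 hunk is fine: dropping DNSName from opts and calling verifyHostname afterwards keeps the name check, only later in the sequence. Both makeVerifyConnection and makeVerifyServerConnection start before their hunks and continue after them.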
@@ -244,7 +246,25 @@ func makeVerifyServerConnection(cfg *TLSConfig) func(tls.ConnectionState) error
 }
+func verifyCertsWithOpts(certs []*x509.Certificate, casha256 []string, opts x509.VerifyOptions) error {
+ for _, cert := range certs[1:] {
+ opts.Intermediates.AddCert(cert)
+ }
+ verifiedChains, err := certs[0].Verify(opts)
+ if err != nil {
+ return err
+ }
+
+ if len(casha256) > 0 {
+ return verifyCAPin(casha256, verifiedChains)
+ }
+ return nil
+}
+
 func verifyHostname(cert *x509.Certificate, hostname string) error {
+ if hostname == "" {
+ return nil
+ }
 // check if the server name is an IP
 ip := hostname
 if len(ip) >= 3 && ip[0] == '[' && ip[len(ip)-1] == ']' {
@@ -277,18 +297,3 @@ func verifyHostname(cert *x509.Certificate, hostname string) error {
 }
 return x509.HostnameError{Certificate: cert, Host: hostname}
 }
-
-func verifyCertsWithOpts(certs []*x509.Certificate, casha256 []string, opts x509.VerifyOptions) error {
- for _, cert := range certs[1:] {
- opts.Intermediates.AddCert(cert)
- }
- verifiedChains, err := certs[0].Verify(opts)
- if err != nil {
- return err
- }
-
- if len(casha256) > 0 {
- return verifyCAPin(casha256, verifiedChains)
- }
- return nil
-}
From c8b174769d1ee1b25b98b17fc9ca96ac46ec9e02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Wed, 20 Jan 2021 11:34:08 +0100 Subject: [PATCH 43/44] update to golang 1.15.7 --- .go-version | 2 +- CHANGELOG-developer.next.asciidoc | 2 +- auditbeat/Dockerfile | 2 +- filebeat/Dockerfile | 2 +- heartbeat/Dockerfile | 2 +- journalbeat/Dockerfile | 2 +- libbeat/Dockerfile | 2 +- libbeat/docs/version.asciidoc | 2 +- metricbeat/Dockerfile | 2 +- metricbeat/module/http/_meta/Dockerfile | 2 +- packetbeat/Dockerfile | 2 +- x-pack/functionbeat/Dockerfile | 2 +- x-pack/libbeat/Dockerfile | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/.go-version b/.go-version
index 04cc99945d2..545fd574d35 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.15.6
+1.15.7
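Review bot: The new `if hostname == "" { return nil }` at the top of verifyHostname turns an absent name into a pass, and after PATCH 42 both VerifyFull closures call it with `cs.ServerName`, so an empty server name silently downgrades VerifyFull to chain-only verification on the client side too. On a server that is expected (a client need not send SNI); on the client side cs.ServerName is whatever went into the SNI extension, which Go leaves empty for IP-literal server names, so a client connecting to an IP address may never compare the certificate's IP SANs — the previous `DNSName: cs.ServerName` option behaved the same way, so this is not a regression, but the short-circuit now makes the gap explicit and worth closing or documenting. At minimum add a comment on the guard, e.g. `// An empty hostname disables name verification; callers that require it must reject empty names before calling.`, and consider having the client VerifyFull closure fall back to the configured ServerName rather than the SNI value. verifyHostname continues outside this hunk.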
diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc
index 9c64fac3e52..51a4565e4ff 100644
--- a/CHANGELOG-developer.next.asciidoc
+++ b/CHANGELOG-developer.next.asciidoc
@@ -106,4 +106,4 @@ The list below covers the major changes between 7.0.0-rc2 and master only.
 - Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827]
 - Update ecszap to v0.3.0 for using ECS 1.6.0 in logs {pull}22267[22267]
 - Add support for customized monitoring API. {pull}22605[22605]
-- Update Go version to 1.15.6. {pull}22495[22495]
+- Update Go version to 1.15.7. {pull}22495[22495]
diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile
index 1673f0f71c3..e5767ab1167 100644
--- a/auditbeat/Dockerfile
+++ b/auditbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15.6
+FROM golang:1.15.7
 RUN \
 apt-get update \
diff --git a/filebeat/Dockerfile b/filebeat/Dockerfile
index 0ae63494d68..8b3983fa8da 100644
--- a/filebeat/Dockerfile
+++ b/filebeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15.6
+FROM golang:1.15.7
 RUN \
 apt-get update \
diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile
index 91f0e85e869..51c2b06d485 100644
--- a/heartbeat/Dockerfile
+++ b/heartbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15.6
+FROM golang:1.15.7
 RUN \
 apt-get update \
diff --git a/journalbeat/Dockerfile b/journalbeat/Dockerfile
index 0f3e74033cb..36af746307c 100644
--- a/journalbeat/Dockerfile
+++ b/journalbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15.6
+FROM golang:1.15.7
 RUN \
 apt-get update \
diff --git a/libbeat/Dockerfile b/libbeat/Dockerfile
index 5273d22b8df..cc9829656ed 100644
--- a/libbeat/Dockerfile
+++ b/libbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15.6
+FROM golang:1.15.7
 RUN \
 apt-get update \
diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc
index 7ec90e4d54e..89578a6f7a2 100644
--- a/libbeat/docs/version.asciidoc
+++ b/libbeat/docs/version.asciidoc
@@ -1,6 +1,6 @@
 :stack-version: 8.0.0
 :doc-branch: master
-:go-version: 1.15.6
+:go-version: 1.15.7
 :release-state: unreleased
 :python: 3.7
 :docker: 1.12
diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile
index c11fa3da2e2..4b76f73bafb 100644
--- a/metricbeat/Dockerfile
+++ b/metricbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15.6
+FROM golang:1.15.7
 RUN \
 apt update \
diff --git a/metricbeat/module/http/_meta/Dockerfile b/metricbeat/module/http/_meta/Dockerfile
index 9ec48348bea..9d104c32a7e 100644
--- a/metricbeat/module/http/_meta/Dockerfile
+++ b/metricbeat/module/http/_meta/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15.6
+FROM golang:1.15.7
 COPY test/main.go main.go
diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile
index d276dedc41c..6c5abe6309a 100644
--- a/packetbeat/Dockerfile
+++ b/packetbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15.6
+FROM golang:1.15.7
 RUN \
 apt-get update \
diff --git a/x-pack/functionbeat/Dockerfile b/x-pack/functionbeat/Dockerfile
index af331286546..77daddd7a86 100644
--- a/x-pack/functionbeat/Dockerfile
+++ b/x-pack/functionbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15.6
+FROM golang:1.15.7
 RUN \
 apt-get update \
diff --git a/x-pack/libbeat/Dockerfile b/x-pack/libbeat/Dockerfile
index e3b9092dcc6..1a0c44db398 100644
--- a/x-pack/libbeat/Dockerfile
+++ b/x-pack/libbeat/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.15.6
+FROM golang:1.15.7
 RUN \
 apt-get update \
From b4373950a5b25cefd920d3117b88fa2dad4a3afb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Thu, 21 Jan 2021 09:22:56 +0100 Subject: [PATCH 44/44] comment out windows7-32 for metricbeat --- x-pack/metricbeat/Jenkinsfile.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/x-pack/metricbeat/Jenkinsfile.yml b/x-pack/metricbeat/Jenkinsfile.yml
index 8406f20f5ac..19f9941ee47 100644
--- a/x-pack/metricbeat/Jenkinsfile.yml
+++ b/x-pack/metricbeat/Jenkinsfile.yml
@@ -115,14 +115,14 @@ stages:
 - "windows-7"
 branches: true ## for all the branches
 tags: true ## for all the tags
- windows-7-32:
- mage: "mage build unitTest"
- platforms: ## override default labels in this specific stage.
- - "windows-7-32-bit"
- when: ## Override the top-level when.
- comments:
- - "/test x-pack/metricbeat for windows-7-32"
- labels:
- - "windows-7-32"
- branches: true ## for all the branches
- tags: true ## for all the tags
+# windows-7-32:
+# mage: "mage build unitTest"
+# platforms: ## override default labels in this specific stage.
+# - "windows-7-32-bit"
+# when: ## Override the top-level when.
+# comments:
+# - "/test x-pack/metricbeat for windows-7-32"
+# labels:
+# - "windows-7-32"
+# branches: true ## for all the branches
+# tags: true ## for all the tags