[Heartbeat] Handle TLS certs missing notBefore/notAfter #9566
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ruflin
approved these changes
Dec 17, 2018
|
|
||
| return conn, nil | ||
| }), nil | ||
| } | ||
| } | ||
|
|
||
| func addCertMetdata(event common.MapStr, chains [][]*x509.Certificate) { | ||
| // The behavior here might seem strange. We *always* set a notBefore, but only optionally set a notAfter. |
There was a problem hiding this comment.
Thanks for all the details here in case someone wants to change this in the future.
andrewvc
force-pushed
the
handle-missing-cert-not-before
branch
from
73421eb to
5e2d922
Compare
|
@ruflin thanks for the review. Changelog pushed. Am I good to merge? |
ruflin
reviewed
Dec 18, 2018
CHANGELOG.asciidoc
Outdated
| @@ -68,6 +68,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha1...master[Check the HEAD d | |||
|
|
|||
| *Heartbeat* | |||
|
|
|||
| - Fixed rare issue where TLS connections to endpoints with x509 certificates missing either notBefore or notAfter would cause the check to fail with a stacktrace. | |||
There was a problem hiding this comment.
Suggested change
| - Fixed rare issue where TLS connections to endpoints with x509 certificates missing either notBefore or notAfter would cause the check to fail with a stacktrace. | |
| - Fixed rare issue where TLS connections to endpoints with x509 certificates missing either notBefore or notAfter would cause the check to fail with a stacktrace. {issue}9556[9556] {pull}9566[9566] |
ruflin
approved these changes
Dec 18, 2018
andrewvc
force-pushed
the
handle-missing-cert-not-before
branch
2 times, most recently
from
8e5ce5c to
cb6bf93
Compare
|
@ruflin I just pushed the change myself. Your edit adds extra whitespace which it should not. |
ruflin
approved these changes
Dec 19, 2018
|
jenkins, retest this please |
Some certs in the wild don't set these standard fields and can cause an NPE Fixes elastic#9556
andrewvc
force-pushed
the
handle-missing-cert-not-before
branch
from
cb6bf93 to
a14916b
Compare
andrewvc
added
needs_backport
andrewvc
added
v6.7.0
and removed
needs_backport
andrewvc
added a commit
to andrewvc/beats
that referenced
this pull request
Dec 21, 2018
* [Heartbeat] Handle TLS certs missing notBefore/notAfter Some certs in the wild don't set these standard fields and can cause an NPE Fixes elastic#9556 * Add changelog entry
andrewvc
added a commit
that referenced
this pull request
Dec 30, 2018
…ore/notAfter (#9759) * Add heartbeat test for TLS client cert auth (#8984) (#9676) * Add heartbeat test for TLS client cert auth We were missing a test for this specific case. I wrote this hoping to confirm #8979, but actually wound up disproving it. That said, this is still a good test to have, so we should merge it. * [Heartbeat] Handle TLS certs missing notBefore/notAfter (#9566) Some certs in the wild don't set these standard fields and can cause an NPE Fixes #9556
andrewvc
added a commit
to andrewvc/beats
that referenced
this pull request
Dec 31, 2018
* [Heartbeat] Handle TLS certs missing notBefore/notAfter Some certs in the wild don't set these standard fields and can cause an NPE Fixes elastic#9556 * Add changelog entry (cherry picked from commit 337113e)
andrewvc
added a commit
that referenced
this pull request
Jan 2, 2019
leweafan
pushed a commit
to leweafan/beats
that referenced
this pull request
Apr 28, 2023
… notBefore/notAfter (elastic#9759) * Add heartbeat test for TLS client cert auth (elastic#8984) (elastic#9676) * Add heartbeat test for TLS client cert auth We were missing a test for this specific case. I wrote this hoping to confirm elastic#8979, but actually wound up disproving it. That said, this is still a good test to have, so we should merge it. * [Heartbeat] Handle TLS certs missing notBefore/notAfter (elastic#9566) Some certs in the wild don't set these standard fields and can cause an NPE Fixes elastic#9556
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Some certs in the wild don't set these standard fields and can cause an NPE. I left a long comment in the code, this is sort of a bizarre situation.
Fixes #9556