Heartbeat TLS servername set incorrectly #17123
Assignees
Labels
bug
Heartbeat
Team:obs-ds-hosted-services
Label for the Observability Hosted Services team
test-plan
Add this PR to be manual test plan
test-plan-ok
This PR passed manual testing
v7.8.0
Comments
andrewvc
added
bug
Heartbeat
[zube]: Ready
Team:obs-ds-hosted-services
|
Pinging @elastic/uptime (:uptime) |
andrewvc
added a commit
that referenced
this issue
Apr 20, 2020
Refactors the TCP monitor to make the code easier to follow, more testable, and fixes #17123 where TLS server name was not correctly sent. This is important because the code had accrued a lot of cruft and become very hard to follow. There were many wrappers and intermediate variable names that often subtly changed names as they crossed various functions. When debugging #17123 I frequently found myself lost tracing the execution. This new code should be simpler to understand for a few reasons: Less code (almost a 2x reduction) and fewer, simpler, better organized functions Less variable passing/renaming due to use of struct for key config variables More consistent and descriptive variable names Creation of the dialer as late as possible, to remove the confusing partial states, and clarity as to when which dialer layers are used. Adds (frustratingly tricky) integration tests for #17123 using mismatched TLS certs, and also against a real SOCKS5 proxy Adds, for testing only, the ability to override the real network resolver for TCP checks which is invaluable in debugging TLS checks that depend on setting hostnames correctly. In the future if we decide to let users use a custom DNS resolver this will be nice. Reorganized giant TCP test file into multiple files
andrewvc
added a commit
to andrewvc/beats
that referenced
this issue
Apr 20, 2020
Refactors the TCP monitor to make the code easier to follow, more testable, and fixes elastic#17123 where TLS server name was not correctly sent. This is important because the code had accrued a lot of cruft and become very hard to follow. There were many wrappers and intermediate variable names that often subtly changed names as they crossed various functions. When debugging elastic#17123 I frequently found myself lost tracing the execution. This new code should be simpler to understand for a few reasons: Less code (almost a 2x reduction) and fewer, simpler, better organized functions Less variable passing/renaming due to use of struct for key config variables More consistent and descriptive variable names Creation of the dialer as late as possible, to remove the confusing partial states, and clarity as to when which dialer layers are used. Adds (frustratingly tricky) integration tests for elastic#17123 using mismatched TLS certs, and also against a real SOCKS5 proxy Adds, for testing only, the ability to override the real network resolver for TCP checks which is invaluable in debugging TLS checks that depend on setting hostnames correctly. In the future if we decide to let users use a custom DNS resolver this will be nice. Reorganized giant TCP test file into multiple files (cherry picked from commit dfe8c4b)
4 tasks
andrewvc
added a commit
that referenced
this issue
Apr 21, 2020
Refactors the TCP monitor to make the code easier to follow, more testable, and fixes #17123 where TLS server name was not correctly sent. This is important because the code had accrued a lot of cruft and become very hard to follow. There were many wrappers and intermediate variable names that often subtly changed names as they crossed various functions. When debugging #17123 I frequently found myself lost tracing the execution. This new code should be simpler to understand for a few reasons: Less code (almost a 2x reduction) and fewer, simpler, better organized functions Less variable passing/renaming due to use of struct for key config variables More consistent and descriptive variable names Creation of the dialer as late as possible, to remove the confusing partial states, and clarity as to when which dialer layers are used. Adds (frustratingly tricky) integration tests for #17123 using mismatched TLS certs, and also against a real SOCKS5 proxy Adds, for testing only, the ability to override the real network resolver for TCP checks which is invaluable in debugging TLS checks that depend on setting hostnames correctly. In the future if we decide to let users use a custom DNS resolver this will be nice. Reorganized giant TCP test file into multiple files (cherry picked from commit dfe8c4b)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
From: https://discuss.elastic.co/t/heartbeat-tls-servername-not-being-set-correctly/224280
When trying to monitor an SSL enabled endpoint it seems like Heartbeat is setting the ServerName to the IP address instead of the hostname. For setups where the certificate is only signed with the domain (and not all IP addresses) this causes verification to fail. For setups where different certificates are served depending on hostname (Kubernetes nginx-ingress being a popular example) it means that Heartbeat tries to verify the invalid fake certificate that is returned when no matching domains are found.
Looking through the code and docs I can't find a way to have the verified ServerName be the domain instead of the resolved IP address.
Example configuration:
Error message:
Here is the section which is setting the ServerName
beats/libbeat/common/transport/tlscommon/tls_config.go
Lines 109 to 118 in 4f5d1a1
The
hoststring which gets passed in actually ends up being the resolved IP address.To confirm that this was the issue I hard coded it to "elastic.co" allows the certificate to be verified properly.
I have reproduced this with the latest releases version (running from official Docker images) and also with the latest builds from the master branch.
The text was updated successfully, but these errors were encountered: