Update Golang to 1.15.7 #22495

Merged
merged 44 commits into from
Jan 21, 2021
505c20a
Update Golang to 1.15.4
kvch Nov 2, 2020
ddde797
add changelog entry
kvch Nov 9, 2020
ddf4bd1
add new new cert
kvch Nov 10, 2020
7c8f1b1
update to go 1.15.5
kvch Dec 3, 2020
be86140
turn off deprecating CNs
kvch Dec 3, 2020
a807ca6
add warning if tls is configured
kvch Dec 3, 2020
e96ea8f
update again
kvch Jan 7, 2021
837f609
adjust winlogbeat tests
kvch Jan 13, 2021
e5e2c2f
update changelog entry
kvch Jan 13, 2021
97137e4
add missing GODEBUG adjustments
kvch Jan 13, 2021
d5acc51
minor mishaps
kvch Jan 14, 2021
07375dc
add deprecation message
kvch Jan 14, 2021
1c4327c
add more context
kvch Jan 14, 2021
396a610
remove godebug hack and add tls overwrite hack instead
kvch Jan 14, 2021
5c54a5e
add to docs && minor test adjustment
kvch Jan 14, 2021
76426ca
add test && update configuration
kvch Jan 15, 2021
6123e02
more follow up
kvch Jan 15, 2021
3fe103d
add legacy overwrite to ca pinning
kvch Jan 15, 2021
d0f9e53
more adjustment
kvch Jan 15, 2021
415f4b3
update setting name
kvch Jan 15, 2021
8114654
hack again
kvch Jan 15, 2021
0b16bb6
rm func
kvch Jan 15, 2021
178c91a
tmp
kvch Jan 17, 2021
cf646f7
tmp
kvch Jan 17, 2021
555f1cc
minor adjustments
kvch Jan 17, 2021
8a61ad8
tmp rm
kvch Jan 18, 2021
9a4faa7
only check if not empty
kvch Jan 18, 2021
5ad938c
return more golang like error
kvch Jan 18, 2021
82dd6be
fix ca pinning
kvch Jan 18, 2021
fe14068
more fixes to tls
kvch Jan 18, 2021
0bce7d4
adjust server callback
kvch Jan 18, 2021
b427bb7
more fixes
kvch Jan 18, 2021
8ff9011
not yet expired certs
kvch Jan 18, 2021
eaadf6d
one more fixes
kvch Jan 18, 2021
b217316
address review notes
kvch Jan 18, 2021
ab511c3
add more test cases for CA pinning
kvch Jan 18, 2021
137f549
tmp
kvch Jan 19, 2021
e2f348b
tmp
kvch Jan 19, 2021
357534f
probably
kvch Jan 19, 2021
8ced863
more minor refactoring
kvch Jan 19, 2021
17dde91
add more test cases
kvch Jan 19, 2021
60fb059
adjust order of tests
kvch Jan 20, 2021
c8b1747
update to golang 1.15.7
kvch Jan 20, 2021
b437395
comment out windows7-32 for metricbeat
kvch Jan 21, 2021
2 changes: 1 addition & 1 deletion .go-version
@@ -1 +1 @@
1.14.12
1.15.7
1 change: 1 addition & 0 deletions CHANGELOG-developer.next.asciidoc
Expand Up @@ -106,3 +106,4 @@ The list below covers the major changes between 7.0.0-rc2 and master only.
- Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827]
- Update ecszap to v0.3.0 for using ECS 1.6.0 in logs {pull}22267[22267]
- Add support for customized monitoring API. {pull}22605[22605]
- Update Go version to 1.15.7. {pull}22495[22495]
5 changes: 5 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -985,6 +985,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Affecting all Beats*

- Selecting `full` in `ssl.verification_mode` option will not treat CommonName field in x509 certificates as
a hostname when Subject Alternative Name is not present from v8.0.
Please update your certificates so it contains at least one DNSName instead of relying on CommonName in the new
major version of Beats.

*Filebeat*

- The experimental modules for Citrix Netscaler and Symantec Endpoint Protection have been removed.
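Review bot: The new entry under *Affecting all Beats* asks for "at least one DNSName", but the reference config text added in this PR says verification matches the server's hostname or IP address, so a certificate that is reached by IP address needs an IP entry in Subject Alternative Name rather than a DNS one. Suggest wording such as "at least one DNS name or IP address in Subject Alternative Name". The first sentence would also read more clearly as "Starting with v8.0, `full` in `ssl.verification_mode` will no longer treat the CommonName field ...", and it is worth pointing to the new `strict` mode here so users can check their certificates before the major upgrade.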
2 changes: 1 addition & 1 deletion auditbeat/Dockerfile
@@ -1,4 +1,4 @@
FROM golang:1.14.12
FROM golang:1.15.7

RUN \
apt-get update \
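Review bot: `FROM golang:1.15.7` repeats by hand the version that `.go-version` already carries, and the same literal is edited separately in the filebeat and heartbeat Dockerfiles in this PR, so the next bump can leave one of them behind. Consider passing the version in as a build argument sourced from `.go-version`, or adding a check that the files agree. The tag is also mutable; if reproducible images matter for these builds, pin it by digest.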
36 changes: 36 additions & 0 deletions auditbeat/auditbeat.reference.yml
Expand Up @@ -529,6 +529,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
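Review bot: The `* certificate` bullet is now listed twice: the existing copy stays as context right above the new `* strict` bullet, and the added lines append a second identical copy after it. The rendered list reads full, certificate, strict, certificate, none. Drop the two added `certificate` lines and place `strict` directly after `full` so the modes run from most to least strict. The same six lines are added in every hunk of this file, so the fix belongs wherever this shared text is maintained.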
Expand Down Expand Up @@ -656,6 +662,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -853,6 +865,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -1009,6 +1027,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -1305,6 +1329,12 @@ setup.kibana:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -1502,6 +1532,12 @@ logging.files:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
2 changes: 1 addition & 1 deletion filebeat/Dockerfile
@@ -1,4 +1,4 @@
FROM golang:1.14.12
FROM golang:1.15.7

RUN \
apt-get update \
36 changes: 36 additions & 0 deletions filebeat/filebeat.reference.yml
Expand Up @@ -1409,6 +1409,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
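Review bot: The `strict` description is word for word the `full` description plus "If the Subject Alternative Name is empty, it returns an error", which leaves the reader guessing what `full` does in that case and what "it" is. Say explicitly that with `strict` the connection is rejected when the certificate has no Subject Alternative Name, and add a line to `full` that it still falls back to the CommonName, matching the CHANGELOG entry in this PR that announces the fallback goes away in v8.0.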
Expand Down Expand Up @@ -1536,6 +1542,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -1733,6 +1745,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -1889,6 +1907,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -2185,6 +2209,12 @@ setup.kibana:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -2382,6 +2412,12 @@ logging.files:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
2 changes: 1 addition & 1 deletion filebeat/input/kafka/config.go
Expand Up @@ -177,7 +177,7 @@ func newSaramaConfig(config kafkaInputConfig) (*sarama.Config, error) {
}
if tls != nil {
k.Net.TLS.Enable = true
k.Net.TLS.Config = tls.BuildModuleConfig("")
k.Net.TLS.Config = tls.BuildModuleClientConfig("")
}

if config.Kerberos.IsEnabled() {
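Review bot: `tls.BuildModuleClientConfig("")` is called with an empty host, and from this call it is not visible which name `full` or `strict` verification will compare the broker certificate against. If the Kafka client fills in the server name per broker connection, add a short comment saying so; otherwise pass the broker host here. The mqtt client in this PR uses the same call shape and deserves the same check, ideally with a test that connects to a server whose certificate name does not match.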
2 changes: 1 addition & 1 deletion filebeat/input/mqtt/client.go
Expand Up @@ -40,7 +40,7 @@ func createClientOptions(config mqttInputConfig, onConnectHandler func(client li
if err != nil {
return nil, err
}
clientOptions.SetTLSConfig(tlsConfig.BuildModuleConfig(""))
clientOptions.SetTLSConfig(tlsConfig.BuildModuleClientConfig(""))
}
return clientOptions, nil
}
2 changes: 1 addition & 1 deletion filebeat/inputsource/tcp/server.go
Expand Up @@ -68,7 +68,7 @@ func (s *Server) createServer() (net.Listener, error) {
var l net.Listener
var err error
if s.tlsConfig != nil {
t := s.tlsConfig.BuildModuleConfig(s.config.Host)
t := s.tlsConfig.BuildServerConfig(s.config.Host)
l, err = tls.Listen("tcp", s.config.Host, t)
if err != nil {
return nil, err
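Review bot: `BuildServerConfig(s.config.Host)` receives the same value that the next line hands to `tls.Listen("tcp", s.config.Host, t)` as the listen address, so the argument is presumably an address with a port rather than a bare host name. Please document what the server-side builder does with this parameter, and if it is used for any name comparison, pass only the host part. If the server config does not need it at all, dropping the parameter would make the client and server builders harder to confuse.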
6 changes: 6 additions & 0 deletions filebeat/tests/system/test_tcp_tls.py
Expand Up @@ -127,6 +127,8 @@ def test_tcp_over_tls_and_verify_invalid_server_without_mutual_auth(self):
with pytest.raises(ssl.SSLError):
tls.connect((config.get('host'), config.get('port')))

sock.close()

def test_tcp_over_tls_mutual_auth_fails(self):
"""
Test filebeat TCP with TLS with default setting to enforce client auth, with bad client certificates
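Review bot: The added `sock.close()` sits after the `with pytest.raises(ssl.SSLError):` block, so it is skipped exactly when the expected error is not raised, and it closes the raw `sock` while the test talks through the `tls` object. Move the cleanup into a `try`/`finally` or a fixture, and close `tls` so the wrapped connection is released as well.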
Expand Down Expand Up @@ -171,6 +173,8 @@ def test_tcp_over_tls_mutual_auth_fails(self):
# so that the failure can be reported as an exception when it arrives.
tls.recv(1)

sock.close()

def test_tcp_over_tls_mutual_auth_succeed(self):
"""
Test filebeat TCP with TLS when enforcing client auth with good client certificates.
Expand Down Expand Up @@ -275,6 +279,8 @@ def test_tcp_tls_with_a_plain_text_socket(self):

assert path.isfile(path.join(self.working_dir, "output/" + self.beat_name)) is False

sock.close()

def assert_output(self, output):
assert len(output) == 2
assert output[0]["input.type"] == "tcp"
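Review bot: `sock.close()` comes after `assert path.isfile(...) is False`, so a failing assertion leaves the socket open, which is the case where leftover connections are most likely to disturb the following tests. Wrap the body in `try`/`finally` or use the socket as a context manager so the close runs on both paths.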
2 changes: 1 addition & 1 deletion go.mod
@@ -1,6 +1,6 @@
module github.com/elastic/beats/v7

go 1.14
go 1.15

require (
4d63.com/tz v1.1.1-0.20191124060701-6d37baae851b
2 changes: 1 addition & 1 deletion heartbeat/Dockerfile
@@ -1,4 +1,4 @@
FROM golang:1.14.12
FROM golang:1.15.7

RUN \
apt-get update \
36 changes: 36 additions & 0 deletions heartbeat/heartbeat.reference.yml
Expand Up @@ -707,6 +707,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -834,6 +840,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -1031,6 +1043,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -1187,6 +1205,12 @@ output.elasticsearch:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -1483,6 +1507,12 @@ setup.kibana:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary
Expand Down Expand Up @@ -1680,6 +1710,12 @@ logging.files:
# matches the names identified within the certificate.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
# Name is empty, it returns an error.
# * certificate, which verifies that the provided certificate is signed by a
# trusted authority (CA), but does not perform any hostname verification.
# * none, which performs no verification of the server's certificate. This
# mode disables many of the security benefits of SSL/TLS and should only be used
# after very careful consideration. It is primarily intended as a temporary