Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[8.0](backport #29229) Support self-signed certificate on outputs #29301

Merged
merged 2 commits into from
Dec 7, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -299,6 +299,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Update to ECS 8.0 fields. {pull}28620[28620]
- Add http.pprof.enabled option to libbeat to allow http/pprof endpoints on the socket that libbeat creates for metrics. {issue}21965[21965]
- Support custom analyzers in fields.yml. {issue}28540[28540] {pull}28926[28926]
- Support self signed certificates on outputs {pull}29229[29229]

*Auditbeat*

Expand Down
42 changes: 42 additions & 0 deletions auditbeat/auditbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -513,6 +513,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -645,6 +652,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
# Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
Expand Down Expand Up @@ -846,6 +860,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -1010,6 +1031,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# -------------------------------- File Output ---------------------------------
#output.file:
Expand Down Expand Up @@ -1297,6 +1325,13 @@ setup.kibana:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# ================================== Logging ===================================

Expand Down Expand Up @@ -1495,6 +1530,13 @@ logging.files:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down
42 changes: 42 additions & 0 deletions filebeat/filebeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1446,6 +1446,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -1578,6 +1585,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
# Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
Expand Down Expand Up @@ -1779,6 +1793,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -1943,6 +1964,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# -------------------------------- File Output ---------------------------------
#output.file:
Expand Down Expand Up @@ -2230,6 +2258,13 @@ setup.kibana:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# ================================== Logging ===================================

Expand Down Expand Up @@ -2428,6 +2463,13 @@ logging.files:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down
42 changes: 42 additions & 0 deletions heartbeat/heartbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -659,6 +659,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -791,6 +798,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
# Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
Expand Down Expand Up @@ -992,6 +1006,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down Expand Up @@ -1156,6 +1177,13 @@ output.elasticsearch:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# -------------------------------- File Output ---------------------------------
#output.file:
Expand Down Expand Up @@ -1443,6 +1471,13 @@ setup.kibana:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""


# ================================== Logging ===================================

Expand Down Expand Up @@ -1641,6 +1676,13 @@ logging.files:
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true

Expand Down
7 changes: 7 additions & 0 deletions libbeat/_meta/config/ssl.reference.yml.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -50,3 +50,10 @@
#
# The pin is a base64 encoded string of the SHA-256 fingerprint.
#ssl.ca_sha256: ""

# A root CA HEX encoded fingerprint. During the SSL handshake if the
# fingerprint matches the root CA certificate, it will be added to
# the provided list of root CAs (`certificate_authorities`), if the
# list is empty or not defined, the matching certificate will be the
# only one in the list. Then the normal SSL validation happens.
#ssl.ca_trusted_fingerprint: ""
36 changes: 19 additions & 17 deletions libbeat/common/transport/tlscommon/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,15 +30,16 @@ var warnOnce sync.Once

// Config defines the user configurable options in the yaml file.
type Config struct {
Enabled *bool `config:"enabled" yaml:"enabled,omitempty"`
VerificationMode TLSVerificationMode `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
Versions []TLSVersion `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
CipherSuites []CipherSuite `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
CAs []string `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
Certificate CertificateConfig `config:",inline" yaml:",inline"`
CurveTypes []tlsCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
Renegotiation TlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
Enabled *bool `config:"enabled" yaml:"enabled,omitempty"`
VerificationMode TLSVerificationMode `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
Versions []TLSVersion `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
CipherSuites []CipherSuite `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
CAs []string `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
Certificate CertificateConfig `config:",inline" yaml:",inline"`
CurveTypes []tlsCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
Renegotiation TlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
CATrustedFingerprint string `config:"ca_trusted_fingerprint" yaml:"ca_trusted_fingerprint,omitempty"`
}

// LoadTLSConfig will load a certificate from config with all TLS based keys
Expand Down Expand Up @@ -82,14 +83,15 @@ func LoadTLSConfig(config *Config) (*TLSConfig, error) {

// return config if no error occurred
return &TLSConfig{
Versions: config.Versions,
Verification: config.VerificationMode,
Certificates: certs,
RootCAs: cas,
CipherSuites: config.CipherSuites,
CurvePreferences: curves,
Renegotiation: tls.RenegotiationSupport(config.Renegotiation),
CASha256: config.CASha256,
Versions: config.Versions,
Verification: config.VerificationMode,
Certificates: certs,
RootCAs: cas,
CipherSuites: config.CipherSuites,
CurvePreferences: curves,
Renegotiation: tls.RenegotiationSupport(config.Renegotiation),
CASha256: config.CASha256,
CATrustedFingerprint: config.CATrustedFingerprint,
}, nil
}

Expand Down
Loading