BREAKING: ssl_certificate_verification => true uses deprecated verifier since v11.14.0 #1138

Closed
yaauie opened this issue May 30, 2023 · 0 comments · Fixed by #1139
yaauie commented May 30, 2023

Logstash information:

Please include the following information:

  1. Logstash version (e.g. bin/logstash --version): 8.8

Description of the problem including expected versus actual behavior:

Before the SSL standardization, when this plugin was initialized with the now-deprecated ssl_certificate_verification => true, it provided no :verify ssl option to manticore, resulting in Manticore using DefaultHostnameVerifier.

With the SSL standardization in #1118, ssl_certificate_verification => true results in manticore getting :verify => :strict, which causes it to use a StrictHostnameVerifier.

  ssl_certificate_verification => false -> ssl_options[:verify]=`:disable` -> `NoopHostnameVerifier`
- ssl_certificate_verification => true -> ssl_options[:verify] unset -> `DefaultHostnameVerifier`
+ ssl_certificate_verification => true -> ssl_options[:verify]=`:strict` -> `StrictHostnameVerifier`

The StrictHostnameVerifier in the Apache Client lib is deprecated with guidance to use DefaultHostnameVerifier (which is the modern RFC 2818-aware implementation):

/**
 * The Strict HostnameVerifier works the same way as Sun Java 1.4, Sun
[...]
 *
 * @deprecated (4.4) Use {@link org.apache.http.conn.ssl.DefaultHostnameVerifier}
 */
@Contract(threading = ThreadingBehavior.IMMUTABLE)
@Deprecated
public class StrictHostnameVerifier extends AbstractVerifier {

-- StrictHostnameVerifier@4.5.x


Relevant portion of the diff is here.

yaauie changed the title from "BREAKING: ssl_certificate_verification => true uses deprecated and stricter verifier since v11.14.0" to "BREAKING: ssl_certificate_verification => true uses deprecated verifier since v11.14.0" on May 31, 2023
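
An added example, not part of the issue or of the plugin's code: a Ruby check that scans pipeline configuration for the deprecated setting and reports which hostname verifier it selects before and after the change described above. The function names, the regex-based scan and the sample configuration are assumptions constructed for illustration; the setting-to-verifier mapping is the one listed in the issue.

```ruby
# Added example; names are hypothetical. :verify value -> verifier, as listed in the issue.
VERIFIER_FOR = {
  :disable => "NoopHostnameVerifier",
  nil      => "DefaultHostnameVerifier", # :verify left unset
  :strict  => "StrictHostnameVerifier",  # deprecated in HttpClient 4.4
}.freeze

# :verify option resulting from ssl_certificate_verification.
# standardized: false models the behaviour before #1118, true the behaviour after.
def verify_option(enabled, standardized:)
  return :disable unless enabled
  standardized ? :strict : nil
end

SETTING = /\bssl_certificate_verification\s*=>\s*"?(true|false)\b/

# Scans pipeline config text; returns one finding per use of the deprecated setting.
# Assumption: a '#' starts a comment (no '#' inside quoted strings on that line).
def audit_pipeline(text)
  text.each_line.with_index(1).filter_map do |line, lineno|
    m = SETTING.match(line.sub(/#.*/, ""))
    next unless m
    enabled = m[1] == "true"
    before = VERIFIER_FOR[verify_option(enabled, standardized: false)]
    after  = VERIFIER_FOR[verify_option(enabled, standardized: true)]
    { line: lineno, enabled: enabled, before: before, after: after,
      changed: before != after }
  end
end

# Constructed sample configuration (hosts are placeholders).
SAMPLE = <<~CONF
  output {
    elasticsearch {
      hosts => ["https://es1.example.internal:9200"]
      ssl_certificate_verification => true
    }
    elasticsearch {
      hosts => ["https://es2.example.internal:9200"]
      # ssl_certificate_verification => true
      ssl_certificate_verification => false
    }
  }
CONF

audit_pipeline(SAMPLE).each do |f|
  flag = f[:changed] ? "CHANGED" : "same"
  puts "line #{f[:line]}: #{f[:before]} -> #{f[:after]} (#{flag})"
end
```

The scan does not check which plugin block a setting belongs to, so a finding still needs to be matched against the plugin and version actually installed.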