Feature: TLS support for TCP input #7023

Closed
wants to merge 6 commits into from

Commits on May 4, 2018

  1. Reorganization and Addition: Move TLS types and config out of the out…

    …puts and support server options.
    
    When working on the TLS tcp it was a bit strange to actually import a
    package coming from the outputs, this commit addresses a few things:
    
    - Move the `outputs/tls.go` and `transport/tls.go` into the tlscommon
    under the transport folder.
    - Add shims to make sure we keep backward compatibility on anything that
    could be using these classes.
    - Extract common logic code to be reusable.
    - Add inverse mapper for TLSVersion and tlsCiphersuite, to give a uint
    and get the human string.
    - Add a new `ServerConfig` config struct used for any tcl class and the
    appropriate helper to get a new `tls.Config`.
    
    *This is a light refactoring, mostly moving code and adding a few
    tests.
    
    Fixes: elastic#6079
    ph committed May 4, 2018
    208902b
  2. Features: Allow the TCP Input to receive events over a TLS connection

    We can now receive events on the TCP input with a TLS connection, the
    input uses existing type to make sure we have the same naming convention
    and code used by outputs that support TLS communication (Elasticsearch
    and Logstash).
    
    The configuration will look like this:
    
    ```
      host: "localhost:9000"
      ssl.enabled: true
      ssl.verification_mode: full # default
      ssl.supported_protocols: [TLSv1.1]
      ssl.cipher_suites: []
      ssl.certificate_authorities: ["/etc/cacert"]
      ssl.certificate: /etc/mycert.crt
      ssl.key: /etc/mycert.key
      ssl.client_authentification: required
    
    ```
    
    One added configuration is `client_authentification`, this option is
    only used in the context of server and defines how we will force the
    authentication, it supports the three following options:
    
    - `required`: Assume that the client will provide a certificate and we
    will verify it. (default)
    - `optional`: If a certificate is given by the client.
    - `none`: We don't validate client certificate.
    
    *Note: This commit contains a script to generate certs from a self
    signed CA.
    
    Fixes: elastic#6873
    ph committed May 4, 2018
    9c9fced
  3. 62f04a0
  4. 5dad679
  5. Adding: Developer changelog

    ph committed May 4, 2018
    cebd3d6
  6. Adding: changelog

    ph committed May 4, 2018
    8b16191
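
The three `client_authentification` modes listed in commit 2, shown as an added example that is not code from this pull request: a server-side `tls.Config` built with Go's standard `crypto/tls`. The mapping of each mode to a `tls.ClientAuthType`, the helper names `clientAuthType` and `serverTLSConfig`, and the TLS 1.2 floor are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// clientAuthType maps the commit's three modes to crypto/tls constants (assumed mapping).
func clientAuthType(mode string) (tls.ClientAuthType, error) {
	switch mode {
	case "", "required": // the commit message names "required" as the default
		return tls.RequireAndVerifyClientCert, nil
	case "optional":
		return tls.VerifyClientCertIfGiven, nil
	case "none":
		return tls.NoClientCert, nil
	}
	// Fail closed: a typo must not silently disable client verification.
	return tls.NoClientCert, fmt.Errorf("unknown client authentication mode %q", mode)
}

// serverTLSConfig (hypothetical helper) builds a listener config for the mode.
func serverTLSConfig(mode string, caPEM []byte, cert tls.Certificate) (*tls.Config, error) {
	auth, err := clientAuthType(mode)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   auth,
		MinVersion:   tls.VersionTLS12, // floor chosen for this example
	}
	if auth == tls.NoClientCert {
		return cfg, nil
	}
	// Verifying modes get an explicit CA pool so trust is pinned to the operator's CA.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("mode %q needs at least one CA certificate", mode)
	}
	cfg.ClientCAs = pool
	return cfg, nil
}

func main() {
	_, err := serverTLSConfig("required", nil, tls.Certificate{})
	fmt.Println("required without CA:", err)
}
```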