Skip to content

Commit

Permalink
Add support TLS renegotiation (elastic#5353)
Browse files Browse the repository at this point in the history
This PR adds support for enabling TLS renegotiation. The setting is `ssl.renegotiation` and the options are `never` (default), `once`, and `freely`. This exposes the three options from https://golang.org/pkg/crypto/tls/#RenegotiationSupport.

Fixes elastic#4386

(cherry picked from commit 28cee61)
  • Loading branch information
andrewkroh committed Oct 9, 2017
1 parent c9f7258 commit 5b4371c
Show file tree
Hide file tree
Showing 11 changed files with 139 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@ https://github.com/elastic/beats/compare/v5.6.2...5.6[Check the HEAD diff]

*Affecting all Beats*

- Add support for enabling TLS renegotiation. {issue}4386[4386]

*Filebeat*

*Heartbeat*
Expand Down
16 changes: 16 additions & 0 deletions filebeat/filebeat.full.yml
Original file line number Diff line number Diff line change
Expand Up @@ -563,6 +563,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -627,6 +631,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -762,6 +770,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -859,6 +871,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#------------------------------- File output -----------------------------------
#output.file:
Expand Down
16 changes: 16 additions & 0 deletions heartbeat/heartbeat.full.yml
Original file line number Diff line number Diff line change
Expand Up @@ -398,6 +398,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -462,6 +466,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -597,6 +605,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -694,6 +706,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#------------------------------- File output -----------------------------------
#output.file:
Expand Down
16 changes: 16 additions & 0 deletions libbeat/_meta/config.full.yml
Original file line number Diff line number Diff line change
Expand Up @@ -200,6 +200,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -264,6 +268,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -399,6 +407,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -496,6 +508,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#------------------------------- File output -----------------------------------
#output.file:
Expand Down
9 changes: 9 additions & 0 deletions libbeat/docs/outputconfig.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -1233,6 +1233,15 @@ The following elliptic curve types are available:
* P-384
* P-521

===== renegotiation

This configures what types of TLS renegotiation are supported. The valid options
are `never`, `once`, and `freely`. The default value is never.

* `never` - Disables renegotiation.
* `once` - Allows a remote server to request renegotiation once per connection.
* `freely` - Allows a remote server to repeatedly request renegotiation.

[[configuration-output-codec]]
=== Output Codec

Expand Down
20 changes: 20 additions & 0 deletions libbeat/outputs/tls.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ type TLSConfig struct {
CAs []string `config:"certificate_authorities"`
Certificate CertificateConfig `config:",inline"`
CurveTypes []tlsCurveType `config:"curve_types"`
Renegotiation tlsRenegotiationSupport `config:"renegotiation"`
}

type CertificateConfig struct {
Expand All @@ -47,6 +48,8 @@ type tlsCipherSuite uint16

type tlsCurveType tls.CurveID

type tlsRenegotiationSupport tls.RenegotiationSupport

var tlsCipherSuites = map[string]tlsCipherSuite{
"ECDHE-ECDSA-AES-128-CBC-SHA": tlsCipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
"ECDHE-ECDSA-AES-128-GCM-SHA256": tlsCipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
Expand All @@ -73,6 +76,12 @@ var tlsCurveTypes = map[string]tlsCurveType{
"P-521": tlsCurveType(tls.CurveP521),
}

var tlsRenegotiationSupportTypes = map[string]tlsRenegotiationSupport{
"never": tlsRenegotiationSupport(tls.RenegotiateNever),
"once": tlsRenegotiationSupport(tls.RenegotiateOnceAsClient),
"freely": tlsRenegotiationSupport(tls.RenegotiateFreelyAsClient),
}

func (c *TLSConfig) Validate() error {
hasCertificate := c.Certificate.Certificate != ""
hasKey := c.Certificate.Key != ""
Expand Down Expand Up @@ -143,6 +152,7 @@ func LoadTLSConfig(config *TLSConfig) (*transport.TLSConfig, error) {
RootCAs: cas,
CipherSuites: cipherSuites,
CurvePreferences: curves,
Renegotiation: tls.RenegotiationSupport(config.Renegotiation),
}, nil
}

Expand Down Expand Up @@ -288,3 +298,13 @@ func (ct *tlsCurveType) Unpack(s string) error {
*ct = t
return nil
}

func (r *tlsRenegotiationSupport) Unpack(s string) error {
t, found := tlsRenegotiationSupportTypes[s]
if !found {
return fmt.Errorf("invalid tls renegotiation type '%v'", s)
}

*r = t
return nil
}
8 changes: 8 additions & 0 deletions libbeat/outputs/tls_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,7 @@ func TestValuesSet(t *testing.T) {
supported_protocols: [TLSv1.1, TLSv1.2]
curve_types:
- P-521
renegotiation: freely
`)

if err != nil {
Expand All @@ -99,6 +100,9 @@ func TestValuesSet(t *testing.T) {
[]transport.TLSVersion{transport.TLSVersion11, transport.TLSVersion12},
cfg.Versions)
assert.Len(t, cfg.CurveTypes, 1)
assert.Equal(t,
tls.RenegotiateFreelyAsClient,
tls.RenegotiationSupport(cfg.Renegotiation))
}

func TestApplyEmptyConfig(t *testing.T) {
Expand Down Expand Up @@ -168,6 +172,10 @@ func TestCertificateFails(t *testing.T) {
"unknown curve type",
"curve_types: ['unknown curve type']",
},
{
"unknown renegotiation type",
"renegotiation: always",
},
}

for i, test := range tests {
Expand Down
4 changes: 4 additions & 0 deletions libbeat/outputs/transport/tls.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,10 @@ type TLSConfig struct {
// Types of elliptic curves that will be used in an ECDHE handshake. If empty,
// the implementation will choose a default.
CurvePreferences []tls.CurveID

// Renegotiation controls what types of renegotiation are supported.
// The default, never, is correct for the vast majority of applications.
Renegotiation tls.RenegotiationSupport
}

type TLSVersion uint16
Expand Down
16 changes: 16 additions & 0 deletions metricbeat/metricbeat.full.yml
Original file line number Diff line number Diff line change
Expand Up @@ -511,6 +511,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -575,6 +579,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -710,6 +718,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -807,6 +819,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#------------------------------- File output -----------------------------------
#output.file:
Expand Down
16 changes: 16 additions & 0 deletions packetbeat/packetbeat.full.yml
Original file line number Diff line number Diff line change
Expand Up @@ -654,6 +654,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -718,6 +722,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -853,6 +861,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -950,6 +962,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#------------------------------- File output -----------------------------------
#output.file:
Expand Down
16 changes: 16 additions & 0 deletions winlogbeat/winlogbeat.full.yml
Original file line number Diff line number Diff line change
Expand Up @@ -229,6 +229,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -293,6 +297,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -428,6 +436,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -525,6 +537,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#------------------------------- File output -----------------------------------
#output.file:
Expand Down

0 comments on commit 5b4371c

Please sign in to comment.