Skip to content

Commit

Permalink
renaming config and adding more documentation
Browse files Browse the repository at this point in the history
  • Loading branch information
belimawr committed Dec 6, 2021
1 parent c247f6f commit 3f62b2f
Show file tree
Hide file tree
Showing 18 changed files with 121 additions and 112 deletions.
12 changes: 6 additions & 6 deletions auditbeat/auditbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -516,7 +516,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down Expand Up @@ -653,7 +653,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
Expand Down Expand Up @@ -859,7 +859,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down Expand Up @@ -1028,7 +1028,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""


# -------------------------------- File Output ---------------------------------
Expand Down Expand Up @@ -1320,7 +1320,7 @@ setup.kibana:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""


# ================================== Logging ===================================
Expand Down Expand Up @@ -1523,7 +1523,7 @@ logging.files:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down
12 changes: 6 additions & 6 deletions filebeat/filebeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1449,7 +1449,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down Expand Up @@ -1586,7 +1586,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
Expand Down Expand Up @@ -1792,7 +1792,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down Expand Up @@ -1961,7 +1961,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""


# -------------------------------- File Output ---------------------------------
Expand Down Expand Up @@ -2253,7 +2253,7 @@ setup.kibana:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""


# ================================== Logging ===================================
Expand Down Expand Up @@ -2456,7 +2456,7 @@ logging.files:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down
12 changes: 6 additions & 6 deletions heartbeat/heartbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -662,7 +662,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down Expand Up @@ -799,7 +799,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
Expand Down Expand Up @@ -1005,7 +1005,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down Expand Up @@ -1174,7 +1174,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""


# -------------------------------- File Output ---------------------------------
Expand Down Expand Up @@ -1466,7 +1466,7 @@ setup.kibana:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""


# ================================== Logging ===================================
Expand Down Expand Up @@ -1669,7 +1669,7 @@ logging.files:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down
2 changes: 1 addition & 1 deletion libbeat/_meta/config/ssl.reference.yml.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -54,4 +54,4 @@
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""
38 changes: 19 additions & 19 deletions libbeat/common/transport/tlscommon/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,16 +30,16 @@ var warnOnce sync.Once

// Config defines the user configurable options in the yaml file.
type Config struct {
Enabled *bool `config:"enabled" yaml:"enabled,omitempty"`
VerificationMode TLSVerificationMode `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
Versions []TLSVersion `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
CipherSuites []CipherSuite `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
CAs []string `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
Certificate CertificateConfig `config:",inline" yaml:",inline"`
CurveTypes []tlsCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
Renegotiation TlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
ESCAFingerprint string `config:"es_ca_fingerprint" yaml:"es_ca_fingerprint,omitempty"`
Enabled *bool `config:"enabled" yaml:"enabled,omitempty"`
VerificationMode TLSVerificationMode `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
Versions []TLSVersion `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
CipherSuites []CipherSuite `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
CAs []string `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
Certificate CertificateConfig `config:",inline" yaml:",inline"`
CurveTypes []tlsCurveType `config:"curve_types" yaml:"curve_types,omitempty"`
Renegotiation TlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
CASha256 []string `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
CATrustedFingerprint string `config:"ca_trusted_fingerprint" yaml:"ca_trusted_fingerprint,omitempty"`
}

// LoadTLSConfig will load a certificate from config with all TLS based keys
Expand Down Expand Up @@ -83,15 +83,15 @@ func LoadTLSConfig(config *Config) (*TLSConfig, error) {

// return config if no error occurred
return &TLSConfig{
Versions: config.Versions,
Verification: config.VerificationMode,
Certificates: certs,
RootCAs: cas,
CipherSuites: config.CipherSuites,
CurvePreferences: curves,
Renegotiation: tls.RenegotiationSupport(config.Renegotiation),
CASha256: config.CASha256,
ESCAFingerprint: config.ESCAFingerprint,
Versions: config.Versions,
Verification: config.VerificationMode,
Certificates: certs,
RootCAs: cas,
CipherSuites: config.CipherSuites,
CurvePreferences: curves,
Renegotiation: tls.RenegotiationSupport(config.Renegotiation),
CASha256: config.CASha256,
CATrustedFingerprint: config.CATrustedFingerprint,
}, nil
}

Expand Down
23 changes: 11 additions & 12 deletions libbeat/common/transport/tlscommon/tls_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -77,10 +77,9 @@ type TLSConfig struct {
// the server certificate.
CASha256 []string

// ESCAFingerprint is the CA certificate pin, in HEX form, from Elasticsearch self
// generated CA cartificate. We use that to trust self-signed certificates generated
// by Elasticsearch
ESCAFingerprint string `config:"es_ca_fingerprint" yaml:"es_ca_fingerprint,omitempty"`
// CATrustedFingerprint is the CA certificate pin, in HEX form, from a self
// generated CA cartificate.
CATrustedFingerprint string `config:"ca_trusted_fingerprint" yaml:"ca_trusted_fingerprint,omitempty"`

// time returns the current time as the number of seconds since the epoch.
// If time is nil, TLS uses time.Now.
Expand Down Expand Up @@ -159,8 +158,8 @@ func (c *TLSConfig) BuildServerConfig(host string) *tls.Config {
return config
}

func trustESRootCA(cfg *TLSConfig, peerCerts []*x509.Certificate) error {
fingerprint, err := hex.DecodeString(cfg.ESCAFingerprint)
func trustRootCA(cfg *TLSConfig, peerCerts []*x509.Certificate) error {
fingerprint, err := hex.DecodeString(cfg.CATrustedFingerprint)
if err != nil {
return fmt.Errorf("decode fingerprint: %w", err)
}
Expand Down Expand Up @@ -190,8 +189,8 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error {
switch cfg.Verification {
case VerifyFull:
return func(cs tls.ConnectionState) error {
if cfg.ESCAFingerprint != "" {
if err := trustESRootCA(cfg, cs.PeerCertificates); err != nil {
if cfg.CATrustedFingerprint != "" {
if err := trustRootCA(cfg, cs.PeerCertificates); err != nil {
return err
}
}
Expand All @@ -212,8 +211,8 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error {
}
case VerifyCertificate:
return func(cs tls.ConnectionState) error {
if cfg.ESCAFingerprint != "" {
if err := trustESRootCA(cfg, cs.PeerCertificates); err != nil {
if cfg.CATrustedFingerprint != "" {
if err := trustRootCA(cfg, cs.PeerCertificates); err != nil {
return err
}
}
Expand All @@ -231,8 +230,8 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error {
case VerifyStrict:
if len(cfg.CASha256) > 0 {
return func(cs tls.ConnectionState) error {
if cfg.ESCAFingerprint != "" {
if err := trustESRootCA(cfg, cs.PeerCertificates); err != nil {
if cfg.CATrustedFingerprint != "" {
if err := trustRootCA(cfg, cs.PeerCertificates); err != nil {
return err
}
}
Expand Down
10 changes: 10 additions & 0 deletions libbeat/docs/shared-ssl-config.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -219,6 +219,16 @@ NOTE: This check is not a replacement for the normal SSL validation, but it adds
If this option is used with `verification_mode` set to `none`, the check will always fail because
it will not receive any verified chains.

[float]
[[_ca_trusted_fingerprint]]
==== `ca_trusted_fingerprint`
This configures a certificate pin that you can use to trust and pin a
root CA without providing the certificate under
`certificate_authorities`

The pin is the HEX encoded SHA-256 of the certificate.


[discrete]
[[ssl-client-config]]
=== Client configuration options
Expand Down
12 changes: 6 additions & 6 deletions metricbeat/metricbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1359,7 +1359,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down Expand Up @@ -1496,7 +1496,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# The number of times to retry publishing an event after a publishing failure.
# After the specified number of retries, the events are typically dropped.
Expand Down Expand Up @@ -1702,7 +1702,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down Expand Up @@ -1871,7 +1871,7 @@ output.elasticsearch:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""


# -------------------------------- File Output ---------------------------------
Expand Down Expand Up @@ -2163,7 +2163,7 @@ setup.kibana:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""


# ================================== Logging ===================================
Expand Down Expand Up @@ -2366,7 +2366,7 @@ logging.files:
# A root CA HEX encoded fingerprint used to trust and pin this certificate.
# This enables compatibility with Elasticserach self signed certificates as well as trusting
# and pinning any other self-signed certificate.
#ssl.es_ca_fingerprint: ""
#ssl.ca_trusted_fingerprint: ""

# Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
#kerberos.enabled: true
Expand Down
Loading

0 comments on commit 3f62b2f

Please sign in to comment.