Apparent bug in logstash-input-beats in SslSimpleBuilder.java

nick-george · February 7, 2017, 10:36am

Hi,

If the user has set verify_mode to NONE in the logstash beats input configuration, it is overridden default value set by the code in SslSimpleBuilder.java, see below:

SslClientVerifyMode verifyMode = SslClientVerifyMode.FORCE_PEER;

The Java code has no concept of NONE as the ClientVerifyMode.

Due to various other limitations in Logstash, I am having to pass in a non-empty array of certificate authorities. Because of this, requireClientAuth() will always return true; which in turn, actually sets the verify mode to FORCE_PEER - even though I set it to NONE in the filter configuration.

The code I'm referring to is located here:

github.com

logstash-plugins/logstash-input-beats/blob/master/src/main/java/org/logstash/netty/SslSimpleBuilder.java

package org.logstash.netty;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.logstash.beats.Server;

import javax.net.ssl.SSLEngine;
import java.io.*;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;

This file has been truncated. show original

Are you happy for me to create a Github issue to have this fixed?

Regards,
Nick

system · March 7, 2017, 10:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.