Logstash beat force_peer authentication doesn't check hostname info

Hi there,
I'm trying to force mutual authentication between Beats and Logstash.
However, while Beats correctly check the Logstash hostname before sending data, looking at the subject or at the DNS list, the same doesn't happen on Logstash when validating Beats certificates.
Logstash verifies the correctness of the certificate (expiration date, CA issuer), but doesn't check the correspondence between the agent hostname and the subject or DNS certificate info.
So, for example, a client certificate issued to foo.beat.com is considered valid when used by hostname foo.beat.com (correct) or by hostname bar.logstash.co.uk (wrong).

I set all ssl values at "maximum"; these are the relevant sections of the configuration files (version 7.6.2):

Beat config

output.logstash:
  hosts: ["logstash.example.com:5044"]
  ssl.certificate_authorities: ["/path/cert/ca.pem"]
  ssl.verification_mode: full
  protocol: "https"

  ssl.certificate: "/usr/share/metricbeat/cert/cert1.pem"
  ssl.key: "/usr/share/metricbeat/cert/cert1.key"

Logstash config

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/cert/logstash.crt"
    ssl_certificate_authorities => ["/etc/logstash/cert/ca.pem"]
    ssl_key => "/etc/logstash/cert/logstash_pkcs8.key"
    ssl_verify_mode => "force_peer"
    ssl_peer_metadata => true
  }
}

Is there any way to force this additional check?

I have never seen any system that does name matching on client certificates. I do not believe logstash will do it.

Hi Badger, thank you for the reply.
I'd like to have an additional ssl_verify_mode to add this behaviour (strong_peer), even if I agree with you it is not common to check for client hostname.
As an alternative, it would also be good to add DNS info in ssl_peer_metadata, to perform the check directly in the Logstash pipeline.
Do you think it is possible?
Regards,
Dario
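The name check the first post describes as missing (subject/SAN of the client certificate matched against the agent's hostname), and the pipeline-side check the second post asks for, as an added example that is not Logstash code and not from this thread. It is written in Python against the dict shape Python's ssl.SSLSocket.getpeercert() returns; the sample certificate data and the hypothetical "strong_peer" hook are constructed for illustration.

```python
import re

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# client certificate issued to foo.beat.com (not a real certificate).
CLIENT_CERT = {
    "subject": ((("commonName", "foo.beat.com"),),),
    "subjectAltName": (("DNS", "foo.beat.com"), ("DNS", "*.beat.com")),
}

_LABEL = re.compile(r"^[a-z0-9-]+$")


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or '*' as the whole leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    # Refuse '*' anywhere but as a full leftmost label, and require at least
    # two labels after it so '*.com' style patterns never match.
    if head != "*" or "*" in tail or tail.count(".") < 1:
        return False
    h_head, _, h_tail = hostname.partition(".")
    # The wildcard covers exactly one label; it must not span sub-domains.
    return h_tail == tail and bool(_LABEL.match(h_head))


def peer_names(cert: dict) -> list:
    """dNSName SANs take precedence; the CN is a fallback only if there are none."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def client_name_matches(cert: dict, hostname: str) -> bool:
    return any(_dns_pattern_matches(p, hostname) for p in peer_names(cert))


def enforce_strong_peer(cert: dict, agent_hostname: str) -> bool:
    """Hypothetical 'strong_peer' step run after chain validation succeeds.

    agent_hostname must come from something the server controls (e.g. a reverse
    lookup of the peer address it sees); fields inside the event such as
    host.name are supplied by the client and are not a trustworthy identity.
    """
    if not client_name_matches(cert, agent_hostname):
        raise PermissionError(
            f"client cert names {peer_names(cert)} do not cover {agent_hostname!r}")
    return True
```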
