Hi there,
I'm trying to force mutual authentication between Beats and Logstash.
However, while Beats correctly checks the Logstash hostname before sending data, looking at the subject or at the DNS list, the same doesn't happen on Logstash when validating Beats certificates.
Logstash verifies the correctness of the certificate (expiration date, CA issuer), but doesn't check the correspondence between the agent hostname and the subject or DNS info in the certificate.
So, for example, a client certificate issued to foo.beat.com is considered valid when used by the host foo.beat.com (correct) or by the host bar.logstash.co.uk (wrong).
I set all SSL values to "maximum"; these are the relevant sections of the configuration files (version 7.6.2):
Beat config

```yaml
output.logstash:
  hosts: ["logstash.example.com:5044"]
  ssl.certificate_authorities: ["/path/cert/ca.pem"]
  ssl.verification_mode: full
  protocol: "https"
  ssl.certificate: "/usr/share/metricbeat/cert/cert1.pem"
  ssl.key: "/usr/share/metricbeat/cert/cert1.key"
```
Logstash config

```
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/cert/logstash.crt"
    ssl_certificate_authorities => ["/etc/logstash/cert/ca.pem"]
    ssl_key => "/etc/logstash/cert/logstash_pkcs8.key"
    ssl_verify_mode => "force_peer"
    ssl_peer_metadata => true
  }
}
```
Is there any way to force this additional check?
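The check the question asks for, as an added example that is not part of the original post and not code from Beats or Logstash: compare the hostname a beat reports about itself with the name in the client certificate it presented, and drop the event on a mismatch. It is plain Ruby so that it runs stand-alone; the same functions are the kind of thing one would put in a Logstash `ruby` filter after the beats input. It assumes (not confirmed by the post) that `ssl_peer_metadata => true` stores the client certificate's subject DN as a string in `[@metadata][tls_peer][subject]`, and that the beat's hostname arrives in `[host][name]` or `[agent][hostname]`. The sample events are constructed, not captured from a real pipeline.

```ruby
# Added example: client-identity check that the Logstash beats input does not
# perform. Not code from the original post, from Beats or from Logstash.
#
# Assumed event layout (label: assumption, not verified against Logstash source):
#   [@metadata][tls_peer][subject]  -> RFC 2253 subject DN of the client certificate
#   [host][name] / [agent][hostname] -> hostname the beat reports about itself
require 'openssl'

# Extract the CN from an RFC 2253 DN string such as "CN=foo.beat.com,O=Example".
# Returns nil when the DN carries no CN.
def cn_from_subject(subject_dn)
  entry = OpenSSL::X509::Name.parse_rfc2253(subject_dn).to_a.find { |name, _, _| name == 'CN' }
  entry && entry[1]
end

# RFC 6125-style comparison of one certificate name against a hostname:
# case-insensitive, ignores a trailing dot, and accepts a wildcard only as the
# whole left-most label, matching exactly one label. "*.beat.com" matches
# "bar.beat.com" but not "a.b.beat.com"; "*.com" is refused outright.
def name_matches?(pattern, host)
  pattern = pattern.downcase.chomp('.')
  host = host.downcase.chomp('.')
  return pattern == host unless pattern.start_with?('*.')
  p_labels = pattern.split('.')
  h_labels = host.split('.')
  return false if p_labels.length < 3                 # refuse "*.com"
  return false unless p_labels.length == h_labels.length
  p_labels[1..] == h_labels[1..]
end

# Is the client certificate valid for `host`? If DNS subjectAltNames are given
# they are authoritative and the CN is ignored (the same rule Beats applies to
# the Logstash server certificate); otherwise fall back to the CN.
def peer_matches_host?(subject_dn, host, sans: [])
  return false if host.nil? || host.empty?
  names = sans.empty? ? [cn_from_subject(subject_dn)].compact : sans
  names.any? { |n| name_matches?(n, host) }
end

# Hostname the beat reported about itself (assumed field names).
def event_host(event)
  event.dig('host', 'name') || event.dig('agent', 'hostname')
end

# true: keep the event; false: drop it (certificate and reported host disagree).
def accept_event?(event)
  subject = event.dig('@metadata', 'tls_peer', 'subject').to_s
  peer_matches_host?(subject, event_host(event))
end

# Constructed sample events (not captured from a real pipeline).
GOOD_EVENT = {
  'host' => { 'name' => 'foo.beat.com' },
  '@metadata' => { 'tls_peer' => { 'subject' => 'CN=foo.beat.com,O=Example' } },
}
BAD_EVENT = {
  'host' => { 'name' => 'bar.logstash.co.uk' },
  '@metadata' => { 'tls_peer' => { 'subject' => 'CN=foo.beat.com,O=Example' } },
}

if __FILE__ == $PROGRAM_NAME
  [GOOD_EVENT, BAD_EVENT].each do |ev|
    verdict = accept_event?(ev) ? 'keep' : 'drop'
    puts "#{event_host(ev)} presenting #{ev.dig('@metadata', 'tls_peer', 'subject')}: #{verdict}"
  end
end
```

One caveat on what this buys you: `[host][name]` is set by the beat itself, so the check binds the certificate to a self-reported hostname. That catches the misconfiguration case in the question (cert1.pem copied onto the wrong host) but not a client that holds a valid certificate and key and simply reports the matching hostname; for that, only per-host certificates and protecting the private keys help. Wildcard acceptance is deliberately strict for the same reason: a `*.beat.com` client certificate would let any host in that zone claim any other.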