SSL client certs allowed, but lumberjack-input doesn't seem to validate them?


(Finn) #1

First off, not sure if this would fit better in the main logstash forum, as it's about the input plugin which doesn't seem to technically be part of logstash-forwarder.


So, logstash-forwarder allows me to specify SSL client certificates, but the lumberjack input plugin doesn't appear to do any validation of them, and in fact doesn't allow me to specify a CA or list of CAs to validate them against. What's going on here? Is this just not fully implemented yet? If I implement it and make a pull request would there be interest?


(Finn) #2

Well, just noticed that there is a TODO in the code for exactly this, so I guess that clears that up.


(Tanya Bragin) #3

The current security model is that Logstash Forwarder (client) will validate that the Logstash (server) it connects to is valid. The guarantee is that Logstash Forwarder will validate who it ships data to, so you won't leak sensitive data to malicious third parties.

We are tracking an issue to add SSL validation the other way, so that the server also validates who the client is and a malicious client cannot send data to a server it shouldn't be communicating with: https://github.com/logstash-plugins/logstash-input-lumberjack/issues/31
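
The difference between the two models discussed in this thread, as an added example that is not part of the original posts and not the lumberjack plugin's code: a TLS server that never asks for a client certificate, next to one that verifies it against a CA. It uses Ruby's standard `openssl` library; the certificates, the names (`logstash.test`, `known-shipper`, `rogue-shipper`) and the helper functions are constructed for the illustration.

```ruby
require 'openssl'
require 'socket'

# Throwaway certificate (constructed test data); with no CA given it is self-signed.
def issue(cn, ca = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca ? ca[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 3600, Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', ca ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(ca ? ca[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

CA = issue('constructed-ca')
SERVER, KNOWN, ROGUE = issue('logstash.test', CA), issue('known-shipper', CA), issue('rogue-shipper')
MUTUAL = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT

# Both sides trust only the constructed CA; verify_mode decides whether the peer is checked.
def context(identity, verify_mode)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = identity[:cert], identity[:key]
  ctx.cert_store = OpenSSL::X509::Store.new.add_cert(CA[:cert])
  ctx.verify_mode = verify_mode
  ctx
end

# One loopback handshake; returns what the server decided about the client.
def server_verdict(server_mode, client)
  tcp = TCPServer.new('127.0.0.1', 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, context(SERVER, server_mode))
  server = Thread.new do
    ssl.accept.close
    :accepted
  rescue OpenSSL::SSL::SSLError
    :rejected # handshake refused by the server's certificate check
  end
  raw = TCPSocket.new('127.0.0.1', tcp.addr[1])
  sock = OpenSSL::SSL::SSLSocket.new(raw, context(client, OpenSSL::SSL::VERIFY_PEER))
  sock.connect rescue nil # the client always validates the server; it may not see a rejection here
  server.value
ensure
  raw&.close
  tcp&.close
end
```

`server_verdict(OpenSSL::SSL::VERIFY_NONE, ROGUE)` returns `:accepted` because the server never requests a client certificate, while `server_verdict(MUTUAL, ROGUE)` returns `:rejected` and `server_verdict(MUTUAL, KNOWN)` returns `:accepted`.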


(system) #4