SSL-enabled Beat ssl_verify_mode => "none" not working as expected

TL;DR

Using ssl_verify_mode => "none" in input.beats not functioning as expected; should allow unverified SSL connections, but doesn't.

The rest of the story...

I'm using SSL-enabled input.beat in my logstash.conf, which is written as follows:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/ssl/elk/cert.pem"
    ssl_certificate_authorities => [
      "/etc/ssl/elk/ca_root.pem",
      "/etc/ssl/elk/ca_int.pem"
    ]
    ssl_key => "/etc/ssl/elk/key-p8.pem"
    ssl_verify_mode => "none"
  }
}

When I configure a beat with the following, it connects:

output:
  logstash:
    index: metricbeat
    hosts:
      - logstash:5044
    ssl:
      enabled: true
      verification_mode: none
      certificate: /etc/ssl/elk/cert.pem
      certificate_authorities:
        - /etc/ssl/elk/ca_root.pem
        - /etc/ssl/elk/ca_int.pem
      key: /etc/ssl/elk/key-p8.pem

However, when I comment out the following lines:

output:
  logstash:
    index: metricbeat
    hosts:
      - logstash:5044
    ssl:
      enabled: true
      verification_mode: none
      # certificate: /etc/ssl/elk/cert.pem
      # certificate_authorities:
      #   - /etc/ssl/elk/ca_root.pem
      #   - /etc/ssl/elk/ca_int.pem
      # key: /etc/ssl/elk/key-p8.pem

I get the following error in the log:

2020-02-19T15:39:42.315Z    ERROR   pipeline/output.go:100  Failed to connect to backoff(async(tcp://logstash:5044)): remote error: tls: handshake failure

Based on my understanding, ssl_verify_mode => "none" means that there is no client verification; the input should accept all connection requests via SSL.

Yes, that's true.


Thank you for the pointer. Since I wasn't able to locate that ticket while searching, I'm going to link to it here and summarize:

  • If you set ssl.certificate.authorities => [...], logstash will ignore ssl_verify_mode => "none" and do a force_peer verification.
  • In order to utilize ssl_verify_mode => "none", do not set ssl.certificate.authorities.
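Added example, not code from this thread or from Logstash or Beats: a small shell check that tells you whether a TLS endpoint asked for a client certificate during the handshake. That is the observable difference between the two states above: once ssl_certificate_authorities is set, the beats input sends a CertificateRequest (force_peer behaviour), so a Beat with no ssl.certificate is rejected with "remote error: tls: handshake failure". The host logstash:5044 is taken from the thread; the assumption that Logstash lists its trusted CA subjects in the CertificateRequest (so openssl s_client prints them under "Acceptable client certificate CA names") is mine, and the two transcripts are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not code from the thread or from Logstash/Beats.
# Reports whether a TLS server requested a client certificate during the
# handshake. A Logstash beats input with ssl_certificate_authorities set
# does this regardless of ssl_verify_mode => "none"; one without it does not.
#
# Assumption: the server includes its trusted CA subjects in the
# CertificateRequest, so `openssl s_client` prints them under
# "Acceptable client certificate CA names" (Logstash does when
# ssl_certificate_authorities is configured).

# Classify a saved `openssl s_client` transcript. Prints one of:
#   client-cert-requested      server sent a CertificateRequest (peer/force_peer)
#   client-cert-not-requested  no CertificateRequest (what "none" should give)
#   undetermined               transcript did not get far enough to tell
classify_s_client_output() {
  if grep -q '^Acceptable client certificate CA names' "$1"; then
    echo "client-cert-requested"
  elif grep -q '^No client certificate CA names sent' "$1"; then
    echo "client-cert-not-requested"
  else
    echo "undetermined"
  fi
}

# Live check (needs network). Host/port default to the thread's logstash:5044.
probe_beats_input() {
  host="${1:-logstash}"; port="${2:-5044}"
  tmp="$(mktemp)"
  # No -cert/-key on purpose: we want to see what the server asks for, not
  # satisfy it. A failed handshake still leaves a usable transcript.
  openssl s_client -connect "$host:$port" </dev/null >"$tmp" 2>&1 || true
  classify_s_client_output "$tmp"
  rm -f "$tmp"
}

# Constructed transcripts (not real captures) so the classifier can be
# exercised offline. Only the marker lines matter to the classifier.
write_sample_requested() {
  cat >"$1" <<'EOF'
CONNECTED(00000003)
depth=1 CN = ca_int
verify return:1
---
Certificate chain
 0 s:CN = logstash
   i:CN = ca_int
---
Acceptable client certificate CA names
CN = ca_root
CN = ca_int
---
EOF
}

write_sample_not_requested() {
  cat >"$1" <<'EOF'
CONNECTED(00000003)
depth=1 CN = ca_int
verify return:1
---
Certificate chain
 0 s:CN = logstash
   i:CN = ca_int
---
No client certificate CA names sent
---
SSL handshake has read 2401 bytes and written 363 bytes
EOF
}

# Stand-alone run: probe a real host if one is given, otherwise classify
# the two constructed samples.
if [ -n "${1:-}" ]; then
  probe_beats_input "$1" "${2:-5044}"
else
  f="$(mktemp)"
  write_sample_requested "$f";     classify_s_client_output "$f"
  write_sample_not_requested "$f"; classify_s_client_output "$f"
  rm -f "$f"
fi
```

Usage: `sh check_beats_tls.sh logstash 5044` (the file name is arbitrary). If the output is client-cert-requested, the input is demanding a client certificate and every Beat must ship ssl.certificate and ssl.key, which is the state the original poster hit. Note which way the fix cuts: ssl_verify_mode => "none" with the CA list removed means the input accepts any TLS client, so you are trading client authentication for convenience; if you actually want mutual TLS, keep the CA list and give each Beat a certificate instead.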