ssl.verification_mode options for Filebeat 5.6

As per Filebeat 7.8, https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html
ssl.verification_mode has 3 options: "full", "certificate" and "none".

For Filebeat 5.6, I do not see the option "certificate". However, is there any other option using which we can verify that the provided certificate is signed by a trusted authority (CA), but not perform any hostname verification?

Thanks,
Alarka.

Filebeat 5.6 is relatively old. I strongly advise you to consider updating your setup.

I just realized that earlier I was looking at Elasticsearch 7.8 version and not Filebeat.
Here is the link for Filebeat latest v7.8
https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#_verification_mode

And this one also says only "none" and "full" are the 2 options.

verification_mode
This option controls whether the client verifies server certificates and host names. Valid values are `none` and `full`. If `verification_mode` is set to `none`, all server host names and certificates are accepted. In this mode, TLS-based connections are susceptible to man-in-the-middle attacks. Use this option for testing only.
The default is `full`.

Does anyone know how we can bypass the hostname verification then even with the latest version? Thanks

Hi @alarka

Why do you want to bypass hostname verification?

In a production system you should always use the verification mode full, as suggested by the documentation. However, if you control the infrastructure, a wildcard certificate may be an option for your use case.

Hi @fgjensen, this is connecting to internal teams and currently the supporting team does not intend to make any changes. They only suggested we figure out a way to bypass the hostname verification, so now I am looking at how I can do that.

Elasticsearch Security settings provides this option "certificate" like I mentioned earlier. I wonder even though it is not mentioned under Filebeat SSL settings, whether it will work or not.

Then I think you are left with the verification mode none. The connections are still protected with TLS but basically insecure against man-in-the-middle attacks. Since it's for internal use, this may not be a problem.

Oh! @fgjensen, can you explain what you mean by protected with TLS when I set the verification to none?

The verification mode controls how the client controls the server certificates. If you have configured the verification mode to none, all server names and (TLS) certificates are accepted and the TLS connection is established.

You can test the different verification modes with the curl or openssl s_client tools in debug mode and observe how a TLS connection is established or rejected. It is quite instructive.
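The three verification behaviours discussed in this thread (`none`, `certificate`, `full`), as an added example that is not part of the original posts and is not Filebeat's own code. It uses Go's standard `crypto/x509` on certificates constructed in memory; the helper names `issue` and `accepts` and the `*.internal.example` hostnames are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate for cn; a nil parent yields a self-signed one.
// Errors are ignored to keep the example short.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepts reports whether a client in the given mode, trusting only ca, accepts cert for host.
func accepts(mode string, cert, ca *x509.Certificate, host string) bool {
	if mode == "none" {
		return true // nothing is checked: any certificate, any name
	}
	opts := x509.VerifyOptions{Roots: x509.NewCertPool()} // "certificate": chain check only
	opts.Roots.AddCert(ca)
	if mode != "certificate" {
		opts.DNSName = host // "full" (and any unknown mode): also require a name match
	}
	_, err := cert.Verify(opts)
	return err == nil
}

func main() {
	ca, caKey := issue("ca.internal.example", nil, nil)
	good, _ := issue("logs.internal.example", ca, caKey) // trusted CA, but not the name we dial
	rogue, _ := issue("es.internal.example", nil, nil)   // right name, self-signed
	for _, m := range []string{"none", "certificate", "full"} {
		fmt.Println(m, accepts(m, good, ca, "es.internal.example"), accepts(m, rogue, ca, "es.internal.example"))
	}
}
```

The first column shows the CA-signed certificate with a mismatched name, the second a self-signed certificate with the matching name: only `none` accepts the second one, which is the man-in-the-middle exposure described in the documentation quoted above.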

Thank you!