Ssl.verification_mode options for Filebeat 5.6

As per Filebeat 7.8,
ssl.verification_mode has 3 options: "full", "certificate" and "none".

For Filebeat 5.6, I do not see the option "certificate". However, is there any other option using which we can verify that the provided certificate is signed by a trusted authority (CA), but not perform any hostname verification?


Filebeat 5.6 is relatively old. I strongly advise you consider to update your setup.

1 Like

I just realized that earlier I was looking at Elasticsearch 7.8 version and not Filebeat.
Here is the link for Filebeat latest v7.8

And this one also says only "none" and "full" are the 2 options.

This option controls whether the client verifies server certificates and host names. Valid values are  `none`  and  `full` . If  `verification_mode`  is set to  `none` , all server host names and certificates are accepted. In this mode, TLS-based connections are susceptible to man-in-the-middle attacks. Use this option for testing only.
The default is  `full` .

Does anyone know how we can bypass the hostname verification then even with the latest version? Thanks

Hi @alarka

Why do you want to bypass hostname verification?

In a production system you should always use the verification mode full as suggested by the documentation. However, if you control the infrastructure a wildcard certificate may be an option for your use case

Hi @fgjensen, this is connecting to internal teams and currently the supporting team does not intend to make any changes. They only suggested we figure out a way to bypass the hostname verification, so now I am looking at how I can do that.

Elasticsearch Security settings provides this option "certificate" like I mentioned earlier. I wonder even though it is not mentioned under Filebeat SSL settings, whether it will work or not.

Then I think you are left with the verification mode none. The connections are still protected with TLS but basically unsecure for man-in-the-middle attacks, since its for internal use this may not be a problem.

Oh ! @fgjensen can you explain what you mean by protected with TLS when I set the verification to none?

The verification mode controls how the client controls the server certificates. If you have configured the verification mode to none all server names and (TLS) certificates are accepted and the TLS connection established.

You can test the different verification modes with the curl or openssl s_client tools in debug mode and observe how a TLS connection is established or rejected. It is quite instructive.

Thank you !

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.