Support for PKCS#5 v2.0 in LogStash

Hi all,

We are currently migrating our Elastic Stack from RHEL 7 to RHEL 8, which also upgrades openssl from 1.0.2k to 1.1.1g.

At first we could not figure out why LogStash was not able to start our pipeline containing a beats input with pkcs8 certificate configured. Originally, we blamed it on the new certificate, then on the keystore for the key's password, as we were able to start LogStash using the certificate from our current server.

As using the "old" certificate worked, we tried to do the test the other way round: We created the pkcs8 file for the new server on the old system and - surprise - it worked. After a bit of searching I think we found the source of this in the release notes of openssl (version 1.1.0):

Change default algorithms in pkcs8 utility to use PKCS#5 v2.0, 256 bit AES and HMAC with SHA256.

After that, I found the switches -v2 and -v1 in the openssl manpages:

Using the -v2 option PKCS#5 v2.0 algorithms are used which can use any encryption algorithm such as 168 bit triple DES or 128 bit RC2 however not many implementations support PKCS#5 v2.0 yet

When will LogStash support the new PKCS#5 v2.0 algorithms or am I missing a configuration to enable that?
Can you please update the documentation of LogStash if LogStash is not able to work with the new algorithms as there is only the mention of PKCS8 and no mention which algorithms are supported?

NOTE: This key need to be in the PKCS8 format, you can convert it with OpenSSL for more information.

/cc @christian.kordein

Best regards
Wolfram
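
A way to check which scheme a given key file uses before deploying it, as an added example that is not part of the original post and not Logstash or OpenSSL code: it reads the encryption-scheme OID from the header of a PKCS#8 `ENCRYPTED PRIVATE KEY` PEM block and reports whether it is PBES2 (PKCS#5 v2.0, the default since OpenSSL 1.1.0 per the release note quoted above) or an older scheme. The function names and the `make_sample` helper are assumptions of this example; the samples are constructed and contain no real key.

```python
import base64

SCHEMES = {  # encryption-scheme OIDs seen in EncryptedPrivateKeyInfo headers
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0)",
    "1.2.840.113549.1.5.10": "PBES1 pbeWithSHA1AndDES-CBC (PKCS#5 v1.5)",
    "1.2.840.113549.1.12.1.3": "PKCS#12 pbeWithSHAAnd3-KeyTripleDES-CBC",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes (first two arcs packed in one byte, as here)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pkcs8_scheme(pem):
    """Name the password-based encryption scheme of an encrypted PKCS#8 PEM."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        raise ValueError("not an encrypted PKCS#8 PEM block")
    der = base64.b64decode("".join(lines[1:-1]))
    t1, s1, _ = read_tlv(der, 0)    # EncryptedPrivateKeyInfo SEQUENCE
    t2, s2, _ = read_tlv(der, s1)   # encryptionAlgorithm SEQUENCE
    t3, s3, e3 = read_tlv(der, s2)  # algorithm OBJECT IDENTIFIER
    if (t1, t2, t3) != (0x30, 0x30, 0x06):
        raise ValueError("unexpected ASN.1 structure")
    oid = decode_oid(der[s3:e3])
    return SCHEMES.get(oid, "unknown scheme " + oid)

def make_sample(oid_hex):
    """Constructed sample: real scheme OID, empty parameters, 200 filler bytes."""
    oid = bytes.fromhex(oid_hex)
    alg = bytes([0x06, len(oid)]) + oid + b"\x30\x00"
    inner = bytes([0x30, len(alg)]) + alg + b"\x04\x81\xc8" + bytes(200)
    b64 = base64.encodebytes(bytes([0x30, 0x81, len(inner)]) + inner).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}-----END ENCRYPTED PRIVATE KEY-----\n"
```

Calling `pkcs8_scheme(open(path).read())` on the key file created on each system shows directly whether the two files differ in encryption scheme.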
