As I understand it, if verification_mode is set to full, then the beats client will error if the hostname of the server doesn't match the CN or SAN on the certificate presented by the logstash server.
So if I connect to 127.0.0.1:10002 I get an error from the beat like the following:
Failed to connect to backoff(async(tcp://127.0.0.1:10002)): x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
I interpret this to mean that the client refuses to connect because verification is set to full, I am connecting to 127.0.0.1, and 127.0.0.1 is not listed as CN or SAN on the server certificate?
The docs warn that if I do verification_mode=none then I am open to MITM attacks. There are only the two options.
rsyslog client lets me set $ActionSendStreamDriverPermittedPeer syslog-server and then it validates that the server certificate is signed by the configured CA and that the CN/SAN in the server certificate matches syslog-server. I can connect by any ip or hostname I want and it doesn't impact whether the server certificate validates.
It would be great if there was a similar option for beats: a way to do server certificate verification without tying that verification to the hostname/ip used to connect. For web browsers, hostname/ip makes sense. In a server-to-server environment people may have many different hostname/ip/service-discovery approaches. The important things for client verification in my opinion are:
- server certificate is signed by a recognized CA (in my case, my private ca)
- optionally server can be further verified by matching against CN/SAN in server certificate...which shouldn't be required to match the hostname/ip of the server (unless there is some good reason for that I am missing)
Question 1: If I am specifying my own CA via ssl.certificate_authorities...I would assume there is at least some level of verification happening...the server cert needs to be signed by the CA configured on the client? Right? If so, I can just turn verification to none and not worry about MITM.
Question 2: Did I miss something, other ideas?
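An added example (not from the post, and not Beats or rsyslog code) showing the two checks the post separates, using the same Go crypto/x509 package that produced the error quoted above: it builds an in-memory private CA and a server certificate whose only SAN is the DNS name syslog-server, then verifies it against the dialed address 127.0.0.1 (fails with the exact "doesn't contain any IP SANs" error), chain-only, and against a configured peer name in the style of rsyslog's PermittedPeer. The CA name private-ca and the peer name syslog-server are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// sign issues tmpl under parent using the signer's key (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return c
}

// buildChain makes a constructed in-memory private CA and a server cert whose only SAN is DNS "syslog-server" (no IP SAN).
func buildChain() (*x509.Certificate, *x509.CertPool) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "private-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "syslog-server"},
		DNSNames: []string{"syslog-server"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}, ca, &srvKey.PublicKey, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return srv, pool
}

// verifyPeer checks the chain against pool and, when expected != "", that the cert names the configured peer; the dialed address is never consulted.
func verifyPeer(srv *x509.Certificate, pool *x509.CertPool, expected string) error {
	_, err := srv.Verify(x509.VerifyOptions{Roots: pool, DNSName: expected})
	return err
}

func main() {
	srv, pool := buildChain()
	for _, name := range []string{"127.0.0.1", "", "syslog-server"} {
		fmt.Printf("expected=%q err=%v\n", name, verifyPeer(srv, pool, name))
	}
}
```

Passing an empty expected name is the chain-only check (CA signature, validity period, basic constraints) with no name matching at all; passing the configured peer name gives the rsyslog-style behaviour where the name is checked but is independent of whatever ip or hostname was used to connect.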