[Meta] Logstash - Plugins - SSL/TLS Settings Standardisation #14905
This was referenced Mar 8, 2023:
- Logstash - Plugins - SSL Settings Standardization - Standardize Elasticsearch FILTER settings #14923 (Closed)
- Logstash - Plugins - SSL Settings Standardization - Standardize Elasticsearch OUTPUT settings #14924 (Closed)
edmocosta added a commit to logstash-plugins/logstash-input-elasticsearch that referenced this issue Mar 10, 2023
This commit made the plugin SSL settings consistent with the naming convention defined in the meta issue: elastic/logstash#14905.
It added the following SSL settings:
- ssl_enabled: Enable/disable the SSL settings. Infer the value from the hosts' scheme if neither the deprecated `:ssl` nor the new `:ssl_enabled` configs were set
- ssl_certificate: OpenSSL-style X.509 certificate file to authenticate the client
- ssl_key: OpenSSL-style RSA private key that corresponds to the ssl_certificate
- ssl_truststore_path: The JKS truststore to validate the server's certificate
- ssl_truststore_type: The format of the truststore file
- ssl_truststore_password: The truststore password
- ssl_keystore_path: The keystore used to present a certificate to the server
- ssl_keystore_type: The format of the keystore file
- ssl_keystore_password: The keystore password
- ssl_cipher_suites: The list of cipher suites to use
- ssl_supported_protocols: Supported protocols with versions
And deprecated:
- ssl in favor of ssl_enabled
- ca_file in favor of ssl_certificate_authorities
- ssl_certificate_verification in favor of ssl_verification_mode
edmocosta added a commit to logstash-plugins/logstash-output-elasticsearch that referenced this issue Mar 10, 2023
This commit made the plugin SSL settings consistent with the naming convention defined in the meta issue: elastic/logstash#14905.
It added the following SSL settings:
- ssl_truststore_type: The format of the truststore file
- ssl_keystore_type: The format of the keystore file
- ssl_certificate: OpenSSL-style X.509 certificate file to authenticate the client
- ssl_key: OpenSSL-style RSA private key that corresponds to the ssl_certificate
- ssl_cipher_suites: The list of cipher suites
And deprecated:
- ssl in favor of ssl_enabled
- cacert in favor of ssl_certificate_authorities
- keystore in favor of ssl_keystore_path
- keystore_password in favor of ssl_keystore_password
- truststore in favor of ssl_truststore_path
- truststore_password in favor of ssl_truststore_password
- ssl_certificate_verification in favor of ssl_verification_mode
edmocosta added a commit to logstash-plugins/logstash-filter-elasticsearch that referenced this issue Mar 10, 2023
This commit made the plugin SSL settings consistent with the naming convention defined in the meta issue: elastic/logstash#14905.
It added the following SSL settings:
- ssl_enabled: Enable/disable the SSL settings. If not provided, the value is inferred from the hosts' scheme
- ssl_certificate: OpenSSL-style X.509 certificate file to authenticate the client
- ssl_key: OpenSSL-style RSA private key that corresponds to the ssl_certificate
- ssl_truststore_path: The JKS truststore to validate the server's certificate
- ssl_truststore_type: The format of the truststore file
- ssl_truststore_password: The truststore password
- ssl_keystore_path: The keystore used to present a certificate to the server
- ssl_keystore_type: The format of the keystore file
- ssl_keystore_password: The keystore password
- ssl_cipher_suites: The list of cipher suites to use
- ssl_supported_protocols: Supported protocols with versions
- ssl_verification_mode: Defines how to verify the certificates presented by another party in the TLS connection
And deprecated:
- ssl in favor of ssl_enabled
- ca_file in favor of ssl_certificate_authorities
- keystore in favor of ssl_keystore_path
- keystore_password in favor of ssl_keystore_password
Overview
Over the years, the Logstash plugins have evolved without keeping consistency in mind, both for user experience and supported features. This is especially evident for plugins that support SSL/TLS: there is a lack of naming convention and functionality across all the plugins, making it difficult for users to understand and properly configure SSL/TLS on those plugins. The goals of this project are to standardize SSL settings names and functionality across supported Logstash plugins.
SSL/TLS Settings Naming Convention
Not all the plugins will support all these options; it will depend on a few aspects such as the plugin’s network client, the language/libraries' support for the settings, whether it’s acting as a client or server, etc.
In all cases, if a plugin decides to support a new SSL setting that is defined in this naming convention, it should do so following these specifications:
full
server:
certificate
- full: Validates that the provided certificate:
  - has an issue date that’s within the not_before and not_after dates;
  - chains to a trusted Certificate Authority (CA);
  - has a hostname or IP address that matches the names within the certificate.
- certificate: Validates the provided certificate and verifies that it’s signed by a trusted authority (CA), but doesn’t check the certificate hostname.
- none: Performs no certificate validation.
The rules are much the same for client and server mode, but for server, this option is secondary to ssl_client_authentication
- optional: Requests a client certificate but the client is not required to present one.
- required: Forces a client to present a certificate.
- none: No client authentication
Implementation Plan
Phase 0 - Technical Specification
Phase 1 - Standardizing settings names and add supported missing configs
This phase consists of making the plugin's SSL settings consistent with the naming convention defined in this issue. Missing settings already supported by the plugin's HTTP/TCP client, which only require a small coding change on the plugin source, should also be added during this phase.
Tasks (sorted by priority)
General
Elasticsearch
Beats/Agent
TCP
HTTP
App/Workspace Search
Elastic Serverless Forwarder
Redis
Rabbitmq
Others
Phase 2 - Standardize functionality (TBD)
In terms of SSL settings, all the plugins should - as much as possible - behave consistently, using the same allowed and default values for settings and providing the same set of functionality across them.
General functionality
- ssl_enable: There are different behaviors implemented for this flag, from disabling the settings to prefixing hosts.
- ssl_verification_mode: Some plugins have none and full, others have true/false
Certificate formats
Plugins are not consistent in terms of certificate format: there are plugins accepting PEM files/PKCS8, PKCS12 files, and the actual X.509 certificate content in a base64-encoded string. To improve the user experience, plugins should accept the same set of certificate types.
Tasks (to be planned)
Phase 3 - Add missing/additional functionality (TBD)
Add missing/additional functionality that was too complex/big to fit into phases 1 & 2.
Discussion Items
Related issues
- ssl_key_passphrase does not work logstash-plugins/logstash-input-beats#364
- ssl => true leads to exception "URI::InvalidURIError: bad URI(is not URI?)" logstash-plugins/logstash-filter-elasticsearch#102
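An added example, not part of this issue or of any Logstash plugin: a small Ruby audit that scans pipeline text for the deprecated logstash-output-elasticsearch SSL names listed in that plugin's commit message on this page, and for ssl_verification_mode values weaker than full as described in the naming convention. The line-oriented regex, the sample pipeline and its file path are constructed, and reading ssl_certificate_verification => false as "verification off" is an assumption.

```ruby
# Added example (not Logstash project code). Renames: deprecated => standardized
# names from the logstash-output-elasticsearch commit message on this page.
OUTPUT_ES_RENAMES = {
  "ssl" => "ssl_enabled", "cacert" => "ssl_certificate_authorities",
  "keystore" => "ssl_keystore_path", "keystore_password" => "ssl_keystore_password",
  "truststore" => "ssl_truststore_path", "truststore_password" => "ssl_truststore_password",
  "ssl_certificate_verification" => "ssl_verification_mode",
}.freeze

# ssl_verification_mode values that skip checks, per the convention in this issue.
WEAK_MODES = {
  "certificate" => "certificate hostname is not checked",
  "none" => "no certificate validation",
}.freeze
# Assumption: one `name => value` per line; this is not a full config parser.
SETTING = /^\s*([a-z_]+)\s*=>\s*(.+?)\s*$/

# Returns [line_number, setting, message]; treating `false` as "off" is an assumption.
def audit_ssl_settings(config_text)
  findings = []
  config_text.each_line.with_index(1) do |line, lineno|
    m = SETTING.match(line)
    next unless m
    name, value = m[1], m[2].delete("\"'")
    new_name = OUTPUT_ES_RENAMES[name]
    findings << [lineno, name, "deprecated, use #{new_name}"] if new_name
    if name == "ssl_verification_mode" && WEAK_MODES.key?(value)
      findings << [lineno, name, "#{value}: #{WEAK_MODES[value]}"]
    elsif name == "ssl_certificate_verification" && value == "false"
      findings << [lineno, name, "certificate verification disabled"]
    end
  end
  findings
end

# Constructed sample pipeline: legacy block first, standardized block second.
SAMPLE_CONFIG = <<~CONF
  output {
    elasticsearch {
      ssl => true
      cacert => "/etc/logstash/ca.pem"
      ssl_certificate_verification => false
    }
    elasticsearch {
      ssl_enabled => true
      ssl_verification_mode => "none"
    }
  }
CONF
audit_ssl_settings(SAMPLE_CONFIG).each { |f| puts f.join(": ") }
```

The second block uses only standardized names and is still reported, because the rename on its own does not change what none means.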