@kares kares commented Jan 25, 2022

Adds the ssl_verification_mode configuration option, with the default being 'full'.
Manticore-wise, due to backwards compatibility, the 'full' option translates to verify: :strict.
This could be relaxed in the future (verify: :browser) but would need more investigation/implementation as to whether we could force SAN to be present in the server certificate (the same way ES/Beats implement strict verification).


closing #31 (alternate impl)
closing #34 (alternate impl)

@kares kares linked an issue Jan 25, 2022 that may be closed by this pull request
@kares kares self-assigned this Jan 25, 2022
@jsvd jsvd left a comment

Minor nitpicks to improve reading comprehension when tests fail, otherwise LGTM.
Next step is going to plugins that use this and adding a documentation snippet for this new setting.
The direction we want to go is to group this mixin and the plugins that use it (http output, http poller) into an integration, to avoid this finicky weak link between plugins and mixins.


case @ssl_verification_mode
when 'full'
# NOTE: would make sense to have :browser here but historically we've used the (:strict) default
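
Review bot: the NOTE on the when 'full' branch says :browser would make sense but does not record what has to be settled before moving off :strict. Suggest extending the comment with the open question from the PR description (whether SAN can be forced to be present in the server certificate), so the reason for staying on :strict sits next to the code that depends on it.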
Member

We'll also want to have something like "certificate" for a mode that verifies the cert chain but doesn't perform hostname verification. Totally out of scope for this PR though.

Development

Successfully merging this pull request may close these issues.

Add flag to disable strict SSL hostname verification