Skip to content

Commit

Permalink
Add support TLS renegotiation
Browse files Browse the repository at this point in the history 
This PR adds support for enabling TLS renegotiation. The setting is `ssl.renegotiation` and the options are `never` (default), `once`, and `freely`. This exposes the three options from https://golang.org/pkg/crypto/tls/#RenegotiationSupport.

Fixes elastic#4386
  • Loading branch information
@andrewkroh
andrewkroh committed Oct 6, 2017
1 parent 4778c51 commit c76570f
Show file tree
Hide file tree
Showing 12 changed files with 147 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di
- Changed the hashbang used in the beat helper script from `/bin/bash` to `/usr/bin/env bash`. {pull}5051[5051]
- Changed beat helper script to use `exec` when running the beat. {pull}5051[5051]
- Fix reloader error message to only print on actual error {pull}5066[5066]
- Add support for enabling TLS renegotiation. {issue}4386[4386]

*Auditbeat*

Expand Down
15 changes: 15 additions & 0 deletions auditbeat/auditbeat.reference.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -281,6 +281,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -357,6 +361,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -489,6 +497,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -586,6 +598,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file:
Expand Down
15 changes: 15 additions & 0 deletions filebeat/filebeat.reference.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -701,6 +701,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -777,6 +781,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -909,6 +917,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -1006,6 +1018,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file:
Expand Down
15 changes: 15 additions & 0 deletions heartbeat/heartbeat.reference.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -430,6 +430,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -506,6 +510,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -638,6 +646,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -735,6 +747,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file:
Expand Down
15 changes: 15 additions & 0 deletions libbeat/_meta/config.reference.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -292,6 +296,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -424,6 +432,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -521,6 +533,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file:
Expand Down
9 changes: 9 additions & 0 deletions libbeat/docs/shared-ssl-config.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -157,3 +157,12 @@ The following elliptic curve types are available:
* P-384
* P-521

[float]
==== `renegotiation`

This configures what types of TLS renegotiation are supported. The valid options
are `never`, `once`, and `freely`. The default value is never.

* `never` - Disables renegotiation.
* `once` - Allows a remote server to request renegotiation once per connection.
* `freely` - Allows a remote server to repeatedly request renegotiation.
20 changes: 20 additions & 0 deletions libbeat/outputs/tls.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ type TLSConfig struct {
CAs []string `config:"certificate_authorities"`
Certificate CertificateConfig `config:",inline"`
CurveTypes []tlsCurveType `config:"curve_types"`
Renegotiation tlsRenegotiationSupport `config:"renegotiation"`
}

type CertificateConfig struct {
Expand All @@ -48,6 +49,8 @@ type tlsCipherSuite uint16

type tlsCurveType tls.CurveID

type tlsRenegotiationSupport tls.RenegotiationSupport

var tlsCipherSuites = map[string]tlsCipherSuite{
"ECDHE-ECDSA-AES-128-CBC-SHA": tlsCipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
"ECDHE-ECDSA-AES-128-GCM-SHA256": tlsCipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
Expand All @@ -74,6 +77,12 @@ var tlsCurveTypes = map[string]tlsCurveType{
"P-521": tlsCurveType(tls.CurveP521),
}

var tlsRenegotiationSupportTypes = map[string]tlsRenegotiationSupport{
"never": tlsRenegotiationSupport(tls.RenegotiateNever),
"once": tlsRenegotiationSupport(tls.RenegotiateOnceAsClient),
"freely": tlsRenegotiationSupport(tls.RenegotiateFreelyAsClient),
}

func (c *TLSConfig) Validate() error {
hasCertificate := c.Certificate.Certificate != ""
hasKey := c.Certificate.Key != ""
Expand Down Expand Up @@ -144,6 +153,7 @@ func LoadTLSConfig(config *TLSConfig) (*transport.TLSConfig, error) {
RootCAs: cas,
CipherSuites: cipherSuites,
CurvePreferences: curves,
Renegotiation: tls.RenegotiationSupport(config.Renegotiation),
}, nil
}

Expand Down Expand Up @@ -289,3 +299,13 @@ func (ct *tlsCurveType) Unpack(s string) error {
*ct = t
return nil
}

func (r *tlsRenegotiationSupport) Unpack(s string) error {
t, found := tlsRenegotiationSupportTypes[s]
if !found {
return fmt.Errorf("invalid tls renegotiation type '%v'", s)
}

*r = t
return nil
}
8 changes: 8 additions & 0 deletions libbeat/outputs/tls_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ func TestValuesSet(t *testing.T) {
supported_protocols: [TLSv1.1, TLSv1.2]
curve_types:
- P-521
renegotiation: freely
`)

if err != nil {
Expand All @@ -100,6 +101,9 @@ func TestValuesSet(t *testing.T) {
[]transport.TLSVersion{transport.TLSVersion11, transport.TLSVersion12},
cfg.Versions)
assert.Len(t, cfg.CurveTypes, 1)
assert.Equal(t,
tls.RenegotiateFreelyAsClient,
tls.RenegotiationSupport(cfg.Renegotiation))
}

func TestApplyEmptyConfig(t *testing.T) {
Expand Down Expand Up @@ -169,6 +173,10 @@ func TestCertificateFails(t *testing.T) {
"unknown curve type",
"curve_types: ['unknown curve type']",
},
{
"unknown renegotiation type",
"renegotiation: always",
},
}

for i, test := range tests {
Expand Down
4 changes: 4 additions & 0 deletions libbeat/outputs/transport/tls.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,10 @@ type TLSConfig struct {
// Types of elliptic curves that will be used in an ECDHE handshake. If empty,
// the implementation will choose a default.
CurvePreferences []tls.CurveID

// Renegotiation controls what types of renegotiation are supported.
// The default, never, is correct for the vast majority of applications.
Renegotiation tls.RenegotiationSupport
}

type TLSVersion uint16
Expand Down
15 changes: 15 additions & 0 deletions metricbeat/metricbeat.reference.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -660,6 +660,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -736,6 +740,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -868,6 +876,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -965,6 +977,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file:
Expand Down
15 changes: 15 additions & 0 deletions packetbeat/packetbeat.reference.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -668,6 +668,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never


#----------------------------- Logstash output ---------------------------------
#output.logstash:
Expand Down Expand Up @@ -744,6 +748,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Kafka output ----------------------------------
#output.kafka:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -876,6 +884,10 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- Redis output ----------------------------------
#output.redis:
# Boolean flag to enable or disable the output module.
Expand Down Expand Up @@ -973,6 +985,9 @@ output.elasticsearch:
# Configure curve types for ECDHE based cipher suites
#ssl.curve_types: []

# Configure what types of renegotiation are supported. Valid options are
# never, once, and freely. Default is never.
#ssl.renegotiation: never

#------------------------------- File output -----------------------------------
#output.file:
Expand Down
Loading

0 comments on commit c76570f

Please sign in to comment.