Update TLS configuration options

rename tls to SSL + adapt some fields:

- `insecure` has become `verification_mode`. `insecure: false` is replaced by
  mode `full` and `insecure: true` by mode `none`.
- renamed `certificate_key` to `key`
- introduced `key_passphrase`
- replaced `min_version` and `max_version` with `supported_protocols` using an
  array of ok versions. New versions strings: `SSLv3`, `SSLV3.0`, `TLSv1` (use
  TLSv1.0), `TLSv1.0`, `TLSv1.1` and `TLSv1.2`

Changes:
- rewrite TLS dialer and TLS configuration
- add support for encrypted key files
- use TLS dialer with elasticsearch output (some more manual tests with and
  without system certificates required)
- update unit/integration tests to use new settings
- update default configuration files to use new ssl settings
- update documentation (docs URL did also change from `tls` to `ssl`)
- update migration script

CHANGELOG.asciidoc

@@ -17,6 +17,10 @@ https://github.com/elastic/beats/compare/v5.0.0-alpha5...master[Check the HEAD d
 - Replace `output.kafka.use_type` by `output.kafka.topic` accepting a format string. {pull}2188[2188]
 - If the path specified by the `-c` flag is not absolute and `-path.config` is not specified, it
   is considered relative to the current working directory. {pull}2245[2245]
+- rename `tls` configurations section to `ssl`. {pull}2330[2330]
+- rename `certificate_key` configuration to `key`. {pull}2330[2330]
+- replace `tls.insecure` with `ssl.verification_mode` setting. {pull}2330[2330]
+- replace `tls.min/max_version` with `ssl.supported_protocols` setting requiring full protocol name. {pull}2330[2330]
 
 *Metricbeat*
 - Change field type system.process.cpu.start_time from keyword to date. {issue}1565[1565]
@@ -77,6 +81,7 @@ https://github.com/elastic/beats/compare/v5.0.0-alpha5...master[Check the HEAD d
 - Re-write import_dashboards.sh in Golang. {pull}2155[2155]
 - Update to Go 1.7. {pull}2306[2306]
 - Log total non-zero internal metrics on shutdown. {pull}2349[2349]
+- Add support for encrypted private key files by introducing `ssl.key_passphrase` setting. {pull}2330[2330]
 
 *Metricbeat*
 

filebeat/docs/migration.asciidoc

@@ -208,25 +208,25 @@ output.logstash:
   # Network timeout in seconds.
   timeout: 15
 
-  # Optional TLS settings <2>
+  # Optional SSL settings <2>
   # List of root certificates for HTTPS server verifications
-  tls.certificate_authorities:
+  ssl.certificate_authorities:
     - ./logstash-forwarder.crt
 
-  # Certificate for TLS client authentication
-  tls.certificate: ./logstash-forwarder.crt
+  # Certificate for SSL client authentication
+  ssl.certificate: ./logstash-forwarder.crt
 
   # Client Certificate Key
-  tls.certificate_key: ./logstash-forwarder.key
+  ssl.key: ./logstash-forwarder.key
 -------------------------------------------------------------------------------------
 
 <1> When multiple hosts are defined, the default behavior in Filebeat is to
     pick a random host for new connections, similar to the Logstash Forwarder
     behavior. Filebeat can optionally do load balancing. For more details, see the
     <<loadbalance>> configuration option.
-<2> Note that if the `tls` settings are missing, then TLS is disabled. TLS is
-    automatically enabled when you add any of the `tls` options. For more information about
-    specific configuration options, see <<configuration-output-tls>>.
+<2> Note that if the `ssl` settings are missing, then SSL is disabled. SSL is
+    automatically enabled when you add any of the `ssl` options. For more information about
+    specific configuration options, see <<configuration-output-ssl>>.
 
 
 [[changed-configuration-options]]
@@ -442,10 +442,10 @@ Behind the scenes, Filebeat uses a sightly improved protocol for communicating
 with Logstash.
 
 [float]
-=== TLS Is Off by Default
+=== SSL Is Off by Default
 
-If you follow the section on migrating the configuration, you will have TLS
-enabled. However, you must be aware that if the `tls` section is missing from the
+If you follow the section on migrating the configuration, you will have SSL
+enabled. However, you must be aware that if the `ssl` section is missing from the
 configuration file, Filebeat uses an unencrypted connection to talk to Logstash.
 
 [float]

filebeat/docs/reference/configuration.asciidoc

@@ -19,7 +19,7 @@ configuration settings, you need to restart {beatname_uc} to pick up the changes
 * <<redis-output>>
 * <<file-output>>
 * <<console-output>>
-* <<configuration-output-tls>>
+* <<configuration-output-ssl>>
 * <<configuration-path>>
 * <<configuration-logging>>
 

filebeat/docs/securing-filebeat.asciidoc

@@ -7,14 +7,14 @@
 The following topics describe how to secure communication between Filebeat and other products in the Elastic stack:
 
 * <<securing-communication-elasticsearch>>
-* <<configuring-tls-logstash>>
+* <<configuring-ssl-logstash>>
 
 --
 
 [[securing-communication-elasticsearch]]
 == Securing Communication With Elasticsearch
 include::../../libbeat/docs/https.asciidoc[]
 
-[[configuring-tls-logstash]]
-== Securing Communication With Logstash by Using TLS
-include::../../libbeat/docs/shared-tls-logstash-config.asciidoc[]
+[[configuring-ssl-logstash]]
+== Securing Communication With Logstash by Using SSL
+include::../../libbeat/docs/shared-ssl-logstash-config.asciidoc[]

filebeat/filebeat.full.yml

@@ -373,34 +373,37 @@ output.elasticsearch:
   # Path to the Elasticsearch 2.x version of the template file.
   #template.versions.2x.path: "${path.config}/filebeat.template-es2x.json"
 
+  # Use SSL settings for HTTPS. Default is true.
+  #ssl.enabled: true
 
-  # TLS configuration. By default is off.
+  # Configure SSL verification mode. If `none` is configured, all server hosts
+  # and certificates will be accepted. In this mode, SSL based connections are
+  # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+  # `full`.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+  # 1.2 are enabled.
+  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+  # SSL configuration. By default is off.
   # List of root certificates for HTTPS server verifications
-  #tls.certificate_authorities: ["/etc/pki/root/ca.pem"]
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
 
-  # Certificate for TLS client authentication
-  #tls.certificate: "/etc/pki/client/cert.pem"
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
 
   # Client Certificate Key
-  #tls.certificate_key: "/etc/pki/client/cert.key"
+  #ssl.key: "/etc/pki/client/cert.key"
 
-  # Controls whether the client verifies server certificates and host name.
-  # If insecure is set to true, all server host names and certificates will be
-  # accepted. In this mode TLS based connections are susceptible to
-  # man-in-the-middle attacks. Use only for testing.
-  #tls.insecure: true
+  # Optional passphrase for decrypting the Certificate Key.
+  #ssl.key_passphrase: ''
 
-  # Configure cipher suites to be used for TLS connections
-  #tls.cipher_suites: []
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
 
   # Configure curve types for ECDHE based cipher suites
-  #tls.curve_types: []
-
-  # Configure minimum TLS version allowed for connection to logstash
-  #tls.min_version: 1.0
-
-  # Configure maximum TLS version allowed for connection to logstash
-  #tls.max_version: 1.2
+  #ssl.curve_types: []
 
 
 #----------------------------- Logstash output --------------------------------
@@ -434,27 +437,37 @@ output.elasticsearch:
   # Resolve names locally when using a proxy server. Defaults to false.
   #proxy_use_local_resolver: false
 
-  # Optional TLS configuration options. TLS is off by default.
+  # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+  #ssl.enabled: true
+
+  # Configure SSL verification mode. If `none` is configured, all server hosts
+  # and certificates will be accepted. In this mode, SSL based connections are
+  # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+  # `full`.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+  # 1.2 are enabled.
+  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+  # Optional SSL configuration options. SSL is off by default.
   # List of root certificates for HTTPS server verifications
-  #tls.certificate_authorities: ["/etc/pki/root/ca.pem"]
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
 
-  # Certificate for TLS client authentication
-  #tls.certificate: "/etc/pki/client/cert.pem"
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
 
   # Client Certificate Key
-  #tls.certificate_key: "/etc/pki/client/cert.key"
+  #ssl.key: "/etc/pki/client/cert.key"
 
-  # Controls whether the client verifies server certificates and host name.
-  # If insecure is set to true, all server host names and certificates will be
-  # accepted. In this mode TLS based connections are susceptible to
-  # man-in-the-middle attacks. Use only for testing.
-  #tls.insecure: true
+  # Optional passphrase for decrypting the Certificate Key.
+  #ssl.key_passphrase: ''
 
-  # Configure cipher suites to be used for TLS connections
-  #tls.cipher_suites: []
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
 
   # Configure curve types for ECDHE based cipher suites
-  #tls.curve_types: []
+  #ssl.curve_types: []
 
 #------------------------------- Kafka output ---------------------------------
 #output.kafka:
@@ -559,27 +572,37 @@ output.elasticsearch:
   # purposes.  The default is "beats".
   #client_id: beats
 
-  # Optional TLS configuration options. TLS is off by default.
+  # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+  #ssl.enabled: true
+
+  # Optional SSL configuration options. SSL is off by default.
   # List of root certificates for HTTPS server verifications
-  #tls.certificate_authorities: ["/etc/pki/root/ca.pem"]
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Configure SSL verification mode. If `none` is configured, all server hosts
+  # and certificates will be accepted. In this mode, SSL based connections are
+  # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+  # `full`.
+  #ssl.verification_mode: full
 
-  # Certificate for TLS client authentication
-  #tls.certificate: "/etc/pki/client/cert.pem"
+  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+  # 1.2 are enabled.
+  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
 
   # Client Certificate Key
-  #tls.certificate_key: "/etc/pki/client/cert.key"
+  #ssl.key: "/etc/pki/client/cert.key"
 
-  # Controls whether the client verifies server certificates and host name.
-  # If insecure is set to true, all server host names and certificates will be
-  # accepted. In this mode TLS based connections are susceptible to
-  # man-in-the-middle attacks. Use only for testing.
-  #tls.insecure: true
+  # Optional passphrase for decrypting the Certificate Key.
+  #ssl.key_passphrase: ''
 
-  # Configure cipher suites to be used for TLS connections
-  #tls.cipher_suites: []
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
 
   # Configure curve types for ECDHE based cipher suites
-  #tls.curve_types: []
+  #ssl.curve_types: []
 
 #------------------------------- Redis output ---------------------------------
 #output.redis:
@@ -646,27 +669,38 @@ output.elasticsearch:
   # occurs on the proxy server.
   #proxy_use_local_resolver: false
 
-  # Optional TLS configuration options. TLS is off by default.
+  # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+  #ssl.enabled: true
+
+  # Configure SSL verification mode. If `none` is configured, all server hosts
+  # and certificates will be accepted. In this mode, SSL based connections are
+  # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+  # `full`.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+  # 1.2 are enabled.
+  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+  # Optional SSL configuration options. SSL is off by default.
   # List of root certificates for HTTPS server verifications
-  #tls.certificate_authorities: ["/etc/pki/root/ca.pem"]
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
 
-  # Certificate for TLS client authentication
-  #tls.certificate: "/etc/pki/client/cert.pem"
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
 
   # Client Certificate Key
-  #tls.certificate_key: "/etc/pki/client/cert.key"
+  #ssl.key: "/etc/pki/client/cert.key"
 
-  # Controls whether the client verifies server certificates and host name.
-  # If insecure is set to true, all server host names and certificates will be
-  # accepted. In this mode TLS based connections are susceptible to
-  # man-in-the-middle attacks. Use only for testing.
-  #tls.insecure: true
+  # Optional passphrase for decrypting the Certificate Key.
+  #ssl.key_passphrase: ''
 
-  # Configure cipher suites to be used for TLS connections
-  #tls.cipher_suites: []
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
 
   # Configure curve types for ECDHE based cipher suites
-  #tls.curve_types: []
+  #ssl.curve_types: []
+
 
 #------------------------------- File output ----------------------------------
 #output.file:

filebeat/filebeat.yml

@@ -92,15 +92,15 @@ output.elasticsearch:
   # The Logstash hosts
   #hosts: ["localhost:5044"]
 
-  # Optional TLS. By default is off.
+  # Optional SSL. By default is off.
   # List of root certificates for HTTPS server verifications
-  #tls.certificate_authorities: ["/etc/pki/root/ca.pem"]
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
 
-  # Certificate for TLS client authentication
-  #tls.certificate: "/etc/pki/client/cert.pem"
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
 
   # Client Certificate Key
-  #tls.certificate_key: "/etc/pki/client/cert.key"
+  #ssl.key: "/etc/pki/client/cert.key"
 
 #================================ Logging =====================================