diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index c581c15598c4..e20aa14bbc28 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -106,6 +106,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix goroutine leak caused on initialization failures of log input. {pull}12125[12125]
 - Fix goroutine leak on non-explicit finalization of log input. {pull}12164[12164]
 - Skipping unparsable log entries from docker json reader {pull}12268[12268]
+- Require client_auth by default when ssl is enabled for tcp input {pull}12333[12333]
 
 *Heartbeat*
 
@@ -134,6 +135,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Validate that kibana/status metricset cannot be used when xpack is enabled. {pull}12264[12264]
 - Ignore prometheus metrics when their values are NaN or Inf. {pull}12084[12084] {issue}10849[10849]
 - In the kibana/stats metricset, only log error (don't also index it) if xpack is enabled. {pull}12265[12265]
+- Require client_auth by default when ssl is enabled for module http metricset server{pull}12333[12333]
 
 *Packetbeat*
 
diff --git a/filebeat/tests/system/test_tcp_tls.py b/filebeat/tests/system/test_tcp_tls.py
index 7f0f10333e89..2e9048501b85 100644
--- a/filebeat/tests/system/test_tcp_tls.py
+++ b/filebeat/tests/system/test_tcp_tls.py
@@ -127,7 +127,7 @@ def test_tcp_over_tls_and_verify_invalid_server_without_mutual_auth(self):
 @raises(ssl.SSLError)
 def test_tcp_over_tls_mutual_auth_fails(self):
 """
- Test filebeat TCP with TLS when enforcing client auth with bad client certificates.
+ Test filebeat TCP with TLS with default setting to enforce client auth, with bad client certificates
 """
 input_raw = """
 - type: tcp
@@ -136,7 +136,6 @@ def test_tcp_over_tls_mutual_auth_fails(self):
 ssl.certificate_authorities: {cacert}
 ssl.certificate: {certificate}
 ssl.key: {key}
- ssl.client_authentication: required
 """
 config = {
 "host": "127.0.0.1",
diff --git a/libbeat/common/transport/tlscommon/server_config.go b/libbeat/common/transport/tlscommon/server_config.go
index 11766be75be7..79d4722049f4 100644
--- a/libbeat/common/transport/tlscommon/server_config.go
+++ b/libbeat/common/transport/tlscommon/server_config.go
@@ -21,6 +21,8 @@ import (
 "crypto/tls"
 
 "github.com/joeshaw/multierror"
+
+ "github.com/elastic/beats/libbeat/common"
 )
 
 // ServerConfig defines the user configurable tls options for any TCP based service.
@@ -89,6 +91,20 @@ func LoadTLSServerConfig(config *ServerConfig) (*TLSConfig, error) {
 }, nil
 }
 
+func (c *ServerConfig) Unpack(cfg common.Config) error {
+ clientAuthKey := "client_authentication"
+ if !cfg.HasField(clientAuthKey) {
+ cfg.SetString(clientAuthKey, -1, "required")
+ }
+ type serverCfg ServerConfig
+ var sCfg serverCfg
+ if err := cfg.Unpack(&sCfg); err != nil {
+ return err
+ }
+ *c = ServerConfig(sCfg)
+ return nil
+}
+
 // Validate values the TLSConfig struct making sure certificate sure we have both a certificate and
 // a key.
 func (c *ServerConfig) Validate() error {
diff --git a/libbeat/common/transport/tlscommon/tls_test.go b/libbeat/common/transport/tlscommon/tls_test.go
index c9abfcde5777..b4b1f1dd093a 100644
--- a/libbeat/common/transport/tlscommon/tls_test.go
+++ b/libbeat/common/transport/tlscommon/tls_test.go
@@ -25,6 +25,7 @@ import (
 "testing"
 
 "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 
 "github.com/elastic/beats/libbeat/common"
 )
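Review bot: The error returned by `cfg.SetString(clientAuthKey, -1, "required")` in the new `ServerConfig.Unpack` is discarded, so if injecting the default fails the method silently continues into `cfg.Unpack(&sCfg)` with `client_authentication` still unset and the caller gets a config that is less strict than the changelog promises; write it as `if err := cfg.SetString(clientAuthKey, -1, "required"); err != nil { return err }`. The exported method also lacks a doc comment; I would add `// Unpack decodes the ssl section and defaults client_authentication to "required" when the user has not set it explicitly.` and a why-comment on `type serverCfg ServerConfig` noting that the new defined type does not carry this Unpack method, which is what keeps the inner `cfg.Unpack` from recursing back here. Since `cfg` is passed by value, whether the injected key is visible afterwards through the caller's own `common.Config` depends on how that type shares its underlying storage; worth confirming, because a caller that reads the same section again would then observe the mutation.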
@@ -165,6 +166,29 @@ func TestApplyWithConfig(t *testing.T) {
 assert.Len(t, cfg.CurvePreferences, 1)
 }
 
+func TestServerConfigDefaults(t *testing.T) {
+ var c ServerConfig
+ config := common.MustNewConfigFrom([]byte(``))
+ err := config.Unpack(&c)
+ require.NoError(t, err)
+ tmp, err := LoadTLSServerConfig(&c)
+ require.NoError(t, err)
+
+ cfg := tmp.BuildModuleConfig("")
+
+ assert.NotNil(t, cfg)
+ // values not set by default
+ assert.Len(t, cfg.Certificates, 0)
+ assert.Nil(t, cfg.ClientCAs)
+ assert.Len(t, cfg.CipherSuites, 0)
+ assert.Len(t, cfg.CurvePreferences, 0)
+ // values set by default
+ assert.Equal(t, false, cfg.InsecureSkipVerify)
+ assert.Equal(t, int(tls.VersionTLS11), int(cfg.MinVersion))
+ assert.Equal(t, int(tls.VersionTLS12), int(cfg.MaxVersion))
+ assert.Equal(t, tls.RequireAndVerifyClientCert, cfg.ClientAuth)
+}
+
 func TestApplyWithServerConfig(t *testing.T) {
 yamlStr := `
 certificate: ca_test.pem
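Review bot: `TestServerConfigDefaults` only exercises the empty-config path, so it does not show that an explicit `client_authentication` value set by the user survives the defaulting in `ServerConfig.Unpack` rather than being overridden to `required`; that is the regression this change is most likely to introduce, and a second case built from `common.MustNewConfigFrom([]byte("client_authentication: none"))` asserting `tls.NoClientCert` on the resulting `ClientAuth` would pin it. A comment on the `config.Unpack(&c)` line such as `// relies on ServerConfig.Unpack injecting client_authentication: required` would make the dependency on the custom unpacker visible to the next reader. As a point of style, `assert.Equal(t, false, cfg.InsecureSkipVerify)` reads more naturally as `assert.False(t, cfg.InsecureSkipVerify)`. `TestApplyWithServerConfig` continues past the end of the hunk.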