logstash-input-beats 6.2.6-java → 6.4.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d37545b0bccc0905fa37d874a04058d85b49e5cbec4a7a466612fdb5ffc0432a
-  data.tar.gz: 79a86135a8c619d9bb09ac7ca2cadb0dd6a73a029769dcc27d20f47eb8a32dab
+  metadata.gz: 363dca7f2007725bb47f6c9b634d1a76436959c9692a7fa6f6b81edcf6721240
+  data.tar.gz: 0c7c2111ec1ecdc2e42fc38c38cef7ed12b9cfe15ed413925696c421a789e32e
 SHA512:
-  metadata.gz: 7f5b024e80a9948a64d8de39b3036df0638af338e6fca29286c21b580114717b24dd655afc13ae9ced1160c8d52a1819bd7fce7ba273253d0d0a0b5013417450
-  data.tar.gz: 25f56be14791b4a93d7e48b71ba7b17428cd16110428c51a1c0f19f3e0240cc3bf1cbfc124f8b725de152827c9709e62989c49d862a38cc17c75067538c5376d
+  metadata.gz: b55b9a7b8a419f80eca97a77a2327aa42c35e3e6f366b85c6c50e5e673ac69e183e62ccfae8688be45b04afeac3133949709137c12699b0034354d45bdd8004f
+  data.tar.gz: bdb31dcf6cf6f07e9b73e5fc3948f3ca930e3a9c9ffc8123cf465d217cdfd1cb35c4db2b724c951a584d99168bfe2a3b9e8781556de5d2bed519ad0770644dc6

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 6.4.0
+ - Feat: review and deprecate ssl protocol/cipher settings [#450](https://github.com/logstash-plugins/logstash-input-beats/pull/450)
+
+## 6.3.1
+ - Fix: Removed use of deprecated `import` of java classes in ruby [#449](https://github.com/logstash-plugins/logstash-input-beats/pull/449)
+
+## 6.3.0
+ - Added support for TLSv1.3. [#447](https://github.com/logstash-plugins/logstash-input-beats/pull/447)
+
 ## 6.2.6
   - Update guidance regarding the private key format and encoding [#445](https://github.com/logstash-plugins/logstash-input-beats/pull/445)
 

data/VERSION

@@ -1 +1 @@
-6.2.6
+6.4.0

data/docs/index.asciidoc

@@ -159,8 +159,8 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 [cols="<,<,<",options="header",]
 |=======================================================================
 |Setting |Input type|Required
-| <<plugins-{type}s-{plugin}-add_hostname>> |<<boolean,boolean>>|No
-| <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-add_hostname>> |<<boolean,boolean>>|__Deprecated__
+| <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-client_inactivity_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
 | <<plugins-{type}s-{plugin}-executor_threads>> |<<number,number>>|No
@@ -173,10 +173,11 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
-| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
 | <<plugins-{type}s-{plugin}-ssl_peer_metadata>> |<<boolean,boolean>>|No
-| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|No
-| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
+| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|__Deprecated__
+| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|__Deprecated__
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -194,14 +195,13 @@ input plugins.
 
 Flag to determine whether to add `host` field to event using the value supplied by the {plugin-singular} in the `hostname` field.
 
-
 [id="plugins-{type}s-{plugin}-cipher_suites"]
 ===== `cipher_suites`
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_cipher_suites>>]
 
   * Value type is <<array,array>>
-  * Default value is `java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca`
 
-The list of ciphers suite to use, listed by priorities.
+The list of cipher suites to use, listed by priorities.
 
 [id="plugins-{type}s-{plugin}-client_inactivity_timeout"]
 ===== `client_inactivity_timeout`
@@ -214,14 +214,14 @@ Close Idle clients after X seconds of inactivity.
 [id="plugins-{type}s-{plugin}-ecs_compatibility"]
 ===== `ecs_compatibility`
 
-* Value type is <<string,string>>
-* Supported values are:
-** `disabled`: unstructured connection metadata added at root level
-** `v1`: structured connection metadata added under ECS v1 compliant namespaces
-** `v8`: structured connection metadata added under ECS v8 compliant namespaces
-* Default value depends on which version of Logstash is running:
-** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
-** Otherwise, the default value is `disabled`.
+  * Value type is <<string,string>>
+  * Supported values are:
+    ** `disabled`: unstructured connection metadata added at root level
+    ** `v1`: structured connection metadata added under ECS v1 compliant namespaces
+    ** `v8`: structured connection metadata added under ECS v8 compliant namespaces
+  * Default value depends on which version of Logstash is running:
+    ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
+    ** Otherwise, the default value is `disabled`.
 
 Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed information.
 
@@ -297,6 +297,16 @@ You can define multiple files or paths. All the certificates will
 be read and added to the trust store. You need to configure the `ssl_verify_mode`
 to `peer` or `force_peer` to enable the verification.
 
+[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+===== `ssl_cipher_suites`
+
+  * Value type is <<array,array>>
+  * Default value is `['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']`
+
+The list of cipher suites to use, listed by priorities.
+This default list applies for OpenJDK 11.0.14 and higher.
+For older JDK versions, the default list includes only suites supported by that version.
+For example, the ChaCha20 family of ciphers is not supported in older versions.
 
 [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
 ===== `ssl_handshake_timeout`
@@ -330,6 +340,33 @@ openssl pkcs8 -inform PEM -in path/to/logstash.key -topk8 -nocrypt -outform PEM
 
 SSL key passphrase to use.
 
+[id="plugins-{type}s-{plugin}-ssl_peer_metadata"]
+===== `ssl_peer_metadata`
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `false`
+
+Enables storing client certificate information in event's metadata.
+
+This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer`.
+
+[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+===== `ssl_supported_protocols`
+
+  * Value type is <<array,array>>
+  * Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+  * Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+    `'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+
+List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
+
+For Java 8 `'TLSv1.3'` is supported  only since **8u262** (AdoptOpenJDK), but requires that you set the
+`LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
+
+NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
+
 [id="plugins-{type}s-{plugin}-ssl_verify_mode"]
 ===== `ssl_verify_mode`
 
@@ -346,33 +383,23 @@ If the client doesn't provide a certificate, the connection will be closed.
 
 This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
 
-[id="plugins-{type}s-{plugin}-ssl_peer_metadata"]
-===== `ssl_peer_metadata`
-
-  * Value type is <<boolean,boolean>>
-  * Default value is `false`
-
-Enables storing client certificate information in event's metadata.
-
-This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer`.
-
 [id="plugins-{type}s-{plugin}-tls_max_version"]
 ===== `tls_max_version`
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_supported_protocols>>]
 
   * Value type is <<number,number>>
-  * Default value is `1.2`
 
-The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
-1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+The maximum TLS version allowed for the encrypted connections.
+The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
 
 [id="plugins-{type}s-{plugin}-tls_min_version"]
 ===== `tls_min_version`
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_supported_protocols>>]
 
   * Value type is <<number,number>>
-  * Default value is `1`
 
-The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
-1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+The minimum TLS version allowed for the encrypted connections.
+The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
 
 
 
@@ -380,4 +407,3 @@ The minimum TLS version allowed for the encrypted connections. The value must be
 include::{include_path}/{type}.asciidoc[]
 
 :default_codec!:
-

data/lib/logstash/inputs/beats/message_listener.rb

@@ -1,8 +1,8 @@
 # encoding: utf-8
 require "thread_safe"
 require "logstash-input-beats_jars"
-import "javax.net.ssl.SSLPeerUnverifiedException"
-import "org.logstash.beats.MessageListener"
+java_import "javax.net.ssl.SSLPeerUnverifiedException"
+java_import "org.logstash.beats.MessageListener"
 
 module LogStash module Inputs class Beats
   class MessageListener

data/lib/logstash/inputs/beats/tls.rb

@@ -18,7 +18,8 @@ module LogStash module Inputs class Beats
     TLS_PROTOCOL_OPTIONS = [
       TLSOption.new("TLSv1", 1),
       TLSOption.new("TLSv1.1", 1.1),
-      TLSOption.new("TLSv1.2", 1.2)
+      TLSOption.new("TLSv1.2", 1.2),
+      TLSOption.new("TLSv1.3", 1.3)
     ]
 
     def self.min

data/lib/logstash/inputs/beats.rb

@@ -51,6 +51,8 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   require "logstash/inputs/beats/message_listener"
   require "logstash/inputs/beats/tls"
 
+  java_import 'org.logstash.netty.SslContextBuilder'
+
   # adds ecs_compatibility config which could be :disabled or :v1
   include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled,:v1, :v8 => :v1)
 
@@ -89,9 +91,6 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   # 
   config :ssl_certificate_authorities, :validate => :array, :default => []
 
-  # Flag to determine whether to add host information (provided by the beat in the 'hostname' field) to the event
-  config :add_hostname, :validate => :boolean, :default => false, :deprecated => 'This option will be removed in the future as beats determine the event schema'
-
   # By default the server doesn't do any client verification.
   # 
   # `peer` will make the server ask the client to provide a certificate. 
@@ -112,22 +111,31 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
   # Time in milliseconds for an incomplete ssl handshake to timeout
   config :ssl_handshake_timeout, :validate => :number, :default => 10000
 
-  # The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
-  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
-  config :tls_min_version, :validate => :number, :default => TLS.min.version
+  config :ssl_cipher_suites, :validate => SslContextBuilder::SUPPORTED_CIPHERS.to_a,
+         :default => SslContextBuilder.getDefaultCiphers, :list => true
 
-  # The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
-  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
-  config :tls_max_version, :validate => :number, :default => TLS.max.version
+  config :ssl_supported_protocols, :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => ['TLSv1.2', 'TLSv1.3'], :list => true
 
-  # The list of ciphers suite to use, listed by priorities.
-  config :cipher_suites, :validate => :array, :default => org.logstash.netty.SslContextBuilder.getDefaultCiphers
   # Close Idle clients after X seconds of inactivity.
   config :client_inactivity_timeout, :validate => :number, :default => 60
 
   # Beats handler executor thread
   config :executor_threads, :validate => :number, :default => LogStash::Config::CpuCoreStrategy.maximum
 
+  # Flag to determine whether to add host information (provided by the beat in the 'hostname' field) to the event
+  config :add_hostname, :validate => :boolean, :default => false, :deprecated => 'This option will be removed in the future as beats determine the event schema'
+
+  # The list of ciphers suite to use, listed by priorities.
+  config :cipher_suites, :validate => :array, :default => [], :deprecated => "Set 'ssl_cipher_suites' instead."
+
+  # The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
+  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+  config :tls_min_version, :validate => :number, :default => TLS.min.version, :deprecated => "Set 'ssl_supported_protocols' instead."
+
+  # The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
+  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+  config :tls_max_version, :validate => :number, :default => TLS.max.version, :deprecated => "Set 'ssl_supported_protocols' instead."
+
   attr_reader :field_hostname, :field_hostip
   attr_reader :field_tls_protocol_version, :field_tls_peer_subject, :field_tls_cipher
 
@@ -156,6 +164,26 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
       if client_authentication_metadata? && !require_certificate_authorities?
         configuration_error "Configuring ssl_peer_metadata => true requires ssl_verify_mode => to be configured with 'peer' or 'force_peer'"
       end
+
+      if original_params.key?('cipher_suites') && original_params.key?('ssl_cipher_suites')
+        raise LogStash::ConfigurationError, "Both `ssl_cipher_suites` and (deprecated) `cipher_suites` were set. Use only `ssl_cipher_suites`."
+      elsif original_params.key?('cipher_suites')
+        @ssl_cipher_suites_final = @cipher_suites
+      else
+        @ssl_cipher_suites_final = @ssl_cipher_suites
+      end
+
+      if original_params.key?('tls_min_version') && original_params.key?('ssl_supported_protocols')
+        raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_min_ciphers` were set. Use only `ssl_supported_protocols`."
+      elsif original_params.key?('tls_max_version') && original_params.key?('ssl_supported_protocols')
+        raise LogStash::ConfigurationError, "Both `ssl_supported_protocols` and (deprecated) `tls_max_ciphers` were set. Use only `ssl_supported_protocols`."
+      else
+        if original_params.key?('tls_min_version') || original_params.key?('tls_max_version')
+          @ssl_supported_protocols_final = TLS.get_supported(tls_min_version..tls_max_version).map(&:name)
+        else
+          @ssl_supported_protocols_final = @ssl_supported_protocols
+        end
+      end
     else
       @logger.warn("configured ssl_certificate => #{@ssl_certificate.inspect} will not be used") if @ssl_certificate
       @logger.warn("configured ssl_key => #{@ssl_key.inspect} will not be used") if @ssl_key
@@ -184,9 +212,9 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
       ssl_context_builder = new_ssl_context_builder
       if client_authentification?
         if @ssl_verify_mode == "force_peer"
-          ssl_context_builder.setVerifyMode(org.logstash.netty.SslContextBuilder::SslClientVerifyMode::FORCE_PEER)
+          ssl_context_builder.setVerifyMode(SslContextBuilder::SslClientVerifyMode::FORCE_PEER)
         elsif @ssl_verify_mode == "peer"
-          ssl_context_builder.setVerifyMode(org.logstash.netty.SslContextBuilder::SslClientVerifyMode::VERIFY_PEER)
+          ssl_context_builder.setVerifyMode(SslContextBuilder::SslClientVerifyMode::VERIFY_PEER)
         end
         ssl_context_builder.setCertificateAuthorities(@ssl_certificate_authorities)
       end
@@ -247,20 +275,16 @@ class LogStash::Inputs::Beats < LogStash::Inputs::Base
     passphrase = @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value
     begin
       org.logstash.netty.SslContextBuilder.new(@ssl_certificate, @ssl_key, passphrase)
-          .setProtocols(convert_protocols)
-          .setCipherSuites(normalized_ciphers)
+          .setProtocols(@ssl_supported_protocols_final)
+          .setCipherSuites(normalized_cipher_suites)
     rescue java.lang.IllegalArgumentException => e
       @logger.error("SSL configuration invalid", error_details(e))
       raise LogStash::ConfigurationError, e
     end
   end
 
-  def normalized_ciphers
-    @cipher_suites.map(&:upcase)
-  end
-
-  def convert_protocols
-    TLS.get_supported(@tls_min_version..@tls_max_version).map(&:name)
+  def normalized_cipher_suites
+    @ssl_cipher_suites_final.map(&:upcase)
   end
 
   def configuration_error(message)

data/lib/logstash-input-beats_jars.rb

@@ -7,4 +7,4 @@ require_jar('com.fasterxml.jackson.core', 'jackson-core', '2.9.10')
 require_jar('com.fasterxml.jackson.core', 'jackson-annotations', '2.9.10')
 require_jar('com.fasterxml.jackson.core', 'jackson-databind', '2.9.10.8')
 require_jar('com.fasterxml.jackson.module', 'jackson-module-afterburner', '2.9.10')
-require_jar('org.logstash.beats', 'logstash-input-beats', '6.2.6')
+require_jar('org.logstash.beats', 'logstash-input-beats', '6.4.0')

data/lib/tasks/test.rake

@@ -4,9 +4,9 @@ VENDOR_PATH = File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "ve
 
 #TODO: Figure out better means to keep this version in sync
 if OS_PLATFORM == "linux"
-  FILEBEAT_URL = "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.4-linux-x86_64.tar.gz"
+  FILEBEAT_URL = "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.0-linux-x86_64.tar.gz"
 elsif OS_PLATFORM == "darwin"
-  FILEBEAT_URL = "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.4-darwin-x86_64.tar.gz"
+  FILEBEAT_URL = "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.0-darwin-x86_64.tar.gz"
 end
 
 LSF_URL = "https://download.elastic.co/logstash-forwarder/binaries/logstash-forwarder_#{OS_PLATFORM}_amd64"

data/spec/inputs/beats/tls_spec.rb

@@ -10,8 +10,8 @@ describe LogStash::Inputs::Beats::TLS do
   end
 
   it "returns the maximum supported tls" do
-    expect(subject.max.version).to eq(1.2)
-    expect(subject.max.name).to eq("TLSv1.2")
+    expect(subject.max.version).to eq(1.3)
+    expect(subject.max.name).to eq("TLSv1.3")
   end
 
   describe ".get_supported" do

data/spec/inputs/beats_spec.rb

@@ -47,6 +47,9 @@ describe LogStash::Inputs::Beats do
     end
 
     context "with ssl enabled" do
+
+      let(:config) { { "ssl" => true, "port" => port, "ssl_key" => certificate.ssl_key, "ssl_certificate" => certificate.ssl_cert } }
+
       context "without certificate configuration" do
         let(:config) { { "port" => 0, "ssl" => true, "ssl_key" => certificate.ssl_key, "type" => "example" } }
 
@@ -78,7 +81,7 @@ describe LogStash::Inputs::Beats do
       end
 
       context "with invalid ciphers" do
-        let(:config) { super().merge("ssl" => true, "cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
+        let(:config) { super().merge("cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
 
         it "should raise a configuration error" do
           plugin = LogStash::Inputs::Beats.new(config)
@@ -92,7 +95,7 @@ describe LogStash::Inputs::Beats do
 
       context "verify_mode" do
         context "verify_mode configured to PEER" do
-          let(:config) { super().merge("ssl" => true, "ssl_verify_mode" => "peer") }
+          let(:config) { super().merge("ssl_verify_mode" => "peer") }
 
           it "raise a ConfigurationError when certificate_authorities is not set" do
             plugin = LogStash::Inputs::Beats.new(config)
@@ -107,7 +110,7 @@ describe LogStash::Inputs::Beats do
         end
 
         context "verify_mode configured to FORCE_PEER" do
-          let(:config) { super().merge("ssl" => true, "ssl_verify_mode" => "force_peer") }
+          let(:config) { super().merge("ssl_verify_mode" => "force_peer") }
 
           it "raise a ConfigurationError when certificate_authorities is not set" do
             plugin = LogStash::Inputs::Beats.new(config)
@@ -120,6 +123,40 @@ describe LogStash::Inputs::Beats do
             expect {plugin.register}.not_to raise_error
           end
         end
+
+        context "with ssl_cipher_suites and cipher_suites set" do
+          let(:config) do
+            super().merge('ssl_cipher_suites' => ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'],
+                          'cipher_suites' => ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'])
+          end
+
+          it "should raise a configuration error" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_cipher_suites.?/i
+          end
+        end
+
+        context "with ssl_supported_protocols and tls_min_version set" do
+          let(:config) do
+            super().merge('ssl_supported_protocols' => ['TLSv1.2'], 'tls_min_version' => 1.2)
+          end
+
+          it "should raise a configuration error" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
+          end
+        end
+
+        context "with ssl_supported_protocols and tls_max_version set" do
+          let(:config) do
+            super().merge('ssl_supported_protocols' => ['TLSv1.2'], 'tls_max_version' => 1.2)
+          end
+
+          it "should raise a configuration error" do
+            plugin = LogStash::Inputs::Beats.new(config)
+            expect { plugin.register }.to raise_error LogStash::ConfigurationError, /Use only .?ssl_supported_protocols.?/i
+          end
+        end
       end
     end
 

data/spec/integration/filebeat_spec.rb

@@ -37,7 +37,7 @@ describe "Filebeat", :integration => true do
   let(:filebeat_config) do
     {
       "filebeat" => {
-        "prospectors" => [{ "paths" => [log_file],  "type" => "log" }],
+        "inputs" => [{ "paths" => [log_file],  "type" => "log" }],
         "scan_frequency" => "1s"
       },
       "output" => {
@@ -174,6 +174,34 @@ describe "Filebeat", :integration => true do
           end
         end
 
+        context "with TLSv1.3 client" do
+          let(:filebeat_config) do
+            super().merge({
+              "output" => {
+                "logstash" => {
+                  "hosts" => ["#{host}:#{port}"],
+                  "ssl" => {
+                    "certificate_authorities" => certificate_authorities,
+                    "versions" => ["TLSv1.3"],
+                  }
+                }
+              },
+              "logging" => { "level" => "debug" }
+              })
+          end
+          include_examples "send events"
+
+          context "when TLSv1.3 enforced in plugin" do
+            let(:input_config) {
+              super().merge({
+                "tls_min_version" => "1.3"
+              })
+            }
+
+            include_examples "send events"
+          end
+        end
+
         # Refactor this to use Flores's PKI instead of openssl command line
         # see: https://github.com/jordansissel/ruby-flores/issues/7
         context "with a passphrase" do

data/spec/support/file_helpers.rb

@@ -19,7 +19,7 @@ module FileHelpers
   end
 
   def write_to_tmp_file(content)
-    file = Stud::Temporary.file
+    file = Stud::Temporary.file("test-logstash-input-beats", "w+", 0600)
     file.write(content.to_s)
     file.close
     file.path

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-beats
 version: !ruby/object:Gem::Version
-  version: 6.2.6
+  version: 6.4.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-01-28 00:00:00.000000000 Z
+date: 2022-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -298,7 +298,7 @@ files:
 - vendor/jar-dependencies/com/fasterxml/jackson/module/jackson-module-afterburner/2.9.10/jackson-module-afterburner-2.9.10.jar
 - vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final/netty-all-4.1.65.Final.jar
 - vendor/jar-dependencies/org/javassist/javassist/3.24.0-GA/javassist-3.24.0-GA.jar
-- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.2.6/logstash-input-beats-6.2.6.jar
+- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.4.0/logstash-input-beats-6.4.0.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)