logstash-input-tcp 6.2.7-java → 6.3.1-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f83551a42283324a0f4f733c2f245b5fe3f2d71e482f15607257b2943f92e925
-  data.tar.gz: 30d47775fcdec83e4be7834c79b3cbf7c233a35284f60b7eb9f0431235c6442c
+  metadata.gz: 2fb789cdfaf2019169729724b4ab5f0f330d7a136594310a5f823f90d59b807c
+  data.tar.gz: f385f458414136970b159cc1f4e20ff053da79ac55c9358a30e35a741969de0b
 SHA512:
-  metadata.gz: d53bfe010749d42e0a7d7d288464b091678bb5f55da75008b0b2001f642ec36dde4d0c17050d981ec612c9a8b6fd263635473438b543e7ea7ecb7d5a00d8f530
-  data.tar.gz: 76180a9c1d8ad885e9ab5adb1ce4befade31cb9124ae2727035c26797b1498ff22d8bdbe91ee6e14b1b8c3840667a277e14460a9cc8adfacd85cee25324b690a
+  metadata.gz: 990b51998a4229fd5638083df9ab64daad5dc5a1cf98f6d78fbd3b2e53cce22a8c2ecc0ee61afce2577901b9d68ded2fd27fe34504d92c1f03ee7efef7e885b7
+  data.tar.gz: 8495257bef6b00b3fd06e7bd8d5981adf688d268c531c10f9ae8bf24126f1a367e030d2622dd3a0a0b707b066e822bbc31628bc4f22d184494ceeb78e2987de4

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 6.3.1
+  - Fixes a regression in which the ssl_subject was missing for SSL-secured connections in server mode [#199](https://github.com/logstash-plugins/logstash-input-tcp/pull/199)
+
+## 6.3.0
+  - Feat: ssl_supported_protocols (TLSv1.3) + ssl_cipher_suites [#198](https://github.com/logstash-plugins/logstash-input-tcp/pull/198)
+
 ## 6.2.7
   - Build: skip shadowing jar dependencies [#187](https://github.com/logstash-plugins/logstash-input-tcp/pull/187)
     * plugin no longer shadows dependencies into its *logstash-input-tcp.jar*

data/docs/index.asciidoc

@@ -132,10 +132,12 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-proxy_protocol>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_cert>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_enable>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_extra_chain_certs>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-tcp_keep_alive>> |<<boolean,boolean>>|No
 |=======================================================================
@@ -158,13 +160,13 @@ at the TCP layer and IPs will not be resolved to hostnames.
 [id="plugins-{type}s-{plugin}-ecs_compatibility"]
 ===== `ecs_compatibility`
 
-* Value type is <<string,string>>
-* Supported values are:
-** `disabled`: unstructured connection metadata added at root level
-** `v1`,`v8`: structured connection metadata added under `[@metadata][input][tcp]`
-* Default value depends on which version of Logstash is running:
-** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
-** Otherwise, the default value is `disabled`.
+  * Value type is <<string,string>>
+  * Supported values are:
+    ** `disabled`: unstructured connection metadata added at root level
+    ** `v1`,`v8`: structured connection metadata added under `[@metadata][input][tcp]`
+  * Default value depends on which version of Logstash is running:
+    ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
+    ** Otherwise, the default value is `disabled`.
 
 Controls this plugin's compatibility with the https://www.elastic.co/guide/en/ecs/current/index.html[Elastic Common Schema (ECS)].
 The value of this setting affects the <<plugins-{type}s-{plugin}-ecs_metadata,placement of a TCP connection's metadata>> on events.
@@ -224,6 +226,18 @@ to the connecting clients.
 Validate client certificate or certificate chain against these authorities.
 You can define multiple files or paths. All the certificates will be read and added to the trust store.
 
+[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+===== `ssl_cipher_suites`
+
+  * Value type is <<string,string>>
+  * Default value includes _all_ cipher suites enabled by the JDK and depends on JDK configuration
+
+Supported cipher suites vary depending on Java version used, and entries look like `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`.
+For more information, see Oracle’s https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[JDK SunJSSE provider documentation] and
+the table of supported https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names[Java cipher suite names].
+
+NOTE: To check the supported cipher suites locally run the following script: `$LS_HOME/bin/ruby -e 'p javax.net.ssl.SSLServerSocketFactory.getDefault.getSupportedCipherSuites'`.
+
 [id="plugins-{type}s-{plugin}-ssl_enable"]
 ===== `ssl_enable` 
 
@@ -258,6 +272,20 @@ The path to the private key corresponding to the specified certificate (PEM form
 
 SSL key passphrase for the private key.
 
+[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+===== `ssl_supported_protocols`
+
+  * Value type is <<string,string>>
+  * Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+  * Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+    `'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+
+List of allowed SSL/TLS versions to use when establishing a secure connection.
+
+NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
+
 [id="plugins-{type}s-{plugin}-ssl_verify"]
 ===== `ssl_verify` 
 

data/lib/logstash/inputs/tcp/decoder_impl.rb

@@ -11,16 +11,17 @@ class LogStash::Inputs::Tcp::DecoderImpl
     @first_read = true
   end
 
-  def decode(channel_addr, data)
+  def decode(ctx, data)
+    channel = ctx.channel()
     bytes = Java::byte[data.readableBytes].new
     data.getBytes(0, bytes)
     data.release
     tbuf = String.from_java_bytes bytes, "ASCII-8BIT"
     if @first_read
-      tbuf = init_first_read(channel_addr, tbuf)
+      tbuf = init_first_read(channel, tbuf)
     end
     @tcp.decode_buffer(@ip_address, @address, @port, @codec,
-                       @proxy_address, @proxy_port, tbuf, nil)
+                         @proxy_address, @proxy_port, tbuf, @sslsubject)
   end
 
   def copy
@@ -28,11 +29,12 @@ class LogStash::Inputs::Tcp::DecoderImpl
   end
 
   def flush
-    @tcp.flush_codec(@codec, @ip_address, @address, @port, nil)
+    @tcp.flush_codec(@codec, @ip_address, @address, @port, @sslsubject)
   end
 
   private
-  def init_first_read(channel_addr, received)
+  def init_first_read(channel, received)
+    channel_addr = channel.remoteAddress()
     if @tcp.proxy_protocol
       pp_hdr, filtered = received.split("\r\n", 2)
       pp_info = pp_hdr.split(/\s/)
@@ -53,10 +55,20 @@ class LogStash::Inputs::Tcp::DecoderImpl
       @address = extract_host_name(channel_addr) # name _or_ address of sender
       @port = channel_addr.get_port # outgoing port of sender (probably random)
     end
+    @sslsubject = extract_sslsubject(channel)
     @first_read = false
     filtered
   end
 
+  private
+  def extract_sslsubject(channel)
+    return nil unless @tcp.ssl_enable && @tcp.ssl_verify
+
+    channel.pipeline().get("ssl-handler").engine().getSession().getPeerPrincipal().getName()
+  rescue Exception => e
+    nil
+  end
+
   private
   def extract_host_name(channel_addr)
     channel_addr = java.net.InetSocketAddress.new(channel_addr, 0) if channel_addr.kind_of?(String)

data/lib/logstash/inputs/tcp.rb

@@ -112,6 +112,13 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   # All the certificates will be read and added to the trust store.
   config :ssl_certificate_authorities, :validate => :array, :default => []
 
+  # NOTE: the default setting [] uses Java SSL engine defaults.
+  config :ssl_supported_protocols, :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => [], :list => true
+
+  # The list of ciphers suite to use, listed by priorities.
+  # NOTE: the default setting [] uses Java SSL defaults.
+  config :ssl_cipher_suites, :validate => SslContextBuilder.getSupportedCipherSuites.to_a, :default => [], :list => true
+
   # Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
   config :tcp_keep_alive, :validate => :boolean, :default => false
 
@@ -183,19 +190,19 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   end
 
   def decode_buffer(client_ip_address, client_address, client_port, codec, proxy_address,
-                    proxy_port, tbuf, socket)
+                    proxy_port, tbuf, ssl_subject)
     codec.decode(tbuf) do |event|
       if @proxy_protocol
         event.set(@field_proxy_host, proxy_address) unless event.get(@field_proxy_host)
         event.set(@field_proxy_port, proxy_port) unless event.get(@field_proxy_port)
       end
-      enqueue_decorated(event, client_ip_address, client_address, client_port, socket)
+      enqueue_decorated(event, client_ip_address, client_address, client_port, ssl_subject)
     end
   end
 
-  def flush_codec(codec, client_ip_address, client_address, client_port, socket)
+  def flush_codec(codec, client_ip_address, client_address, client_port, ssl_subject)
     codec.flush do |event|
-      enqueue_decorated(event, client_ip_address, client_address, client_port, socket)
+      enqueue_decorated(event, client_ip_address, client_address, client_port, ssl_subject)
     end
   end
 
@@ -215,10 +222,14 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     client_socket.close rescue nil
   end
 
+  # only called in client mode
   def handle_socket(socket)
     client_address = socket.peeraddr[3]
     client_ip_address = socket.peeraddr[2]
     client_port = socket.peeraddr[1]
+
+    # Client mode sslsubject extraction, server mode happens in DecoderImpl#decode
+    ssl_subject = socket.peer_cert.subject.to_s if @ssl_enable && @ssl_verify
     peer = "#{client_address}:#{client_port}"
     first_read = true
     codec = @codec.clone
@@ -242,7 +253,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
         end
       end
       decode_buffer(client_ip_address, client_address, client_port, codec, proxy_address,
-                    proxy_port, tbuf, socket)
+                    proxy_port, tbuf, ssl_subject)
     end
   rescue EOFError
     @logger.debug? && @logger.debug("Connection closed", :client => peer)
@@ -256,14 +267,14 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   ensure
     # catch all rescue nil on close to discard any close errors or invalid socket
     socket.close rescue nil
-    flush_codec(codec, client_ip_address, client_address, client_port, socket)
+    flush_codec(codec, client_ip_address, client_address, client_port, ssl_subject)
   end
 
-  def enqueue_decorated(event, client_ip_address, client_address, client_port, socket)
+  def enqueue_decorated(event, client_ip_address, client_address, client_port, ssl_subject)
     event.set(@field_host, client_address) unless event.get(@field_host)
     event.set(@field_host_ip, client_ip_address) unless event.get(@field_host_ip)
     event.set(@field_port, client_port) unless event.get(@field_port)
-    event.set(@field_sslsubject, socket.peer_cert.subject.to_s) if socket && @ssl_enable && @ssl_verify && event.get(@field_sslsubject).nil?
+    event.set(@field_sslsubject, ssl_subject) unless ssl_subject.nil? || event.get(@field_sslsubject)
     decorate(event)
     @output_queue << event
   end
@@ -286,7 +297,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     return @ssl_context if @ssl_context
 
     begin
-      @ssl_context = OpenSSL::SSL::SSLContext.new
+      @ssl_context = new_ssl_context
       @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
       @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase.value)
       if @ssl_extra_chain_certs.any?
@@ -297,6 +308,21 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
         @ssl_context.cert_store  = load_cert_store
         @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
       end
+
+      @ssl_context.min_version = :TLS1_1 # not strictly required - JVM should have disabled TLSv1
+      if ssl_supported_protocols.any?
+        disabled_protocols = ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'] - ssl_supported_protocols
+        unless OpenSSL::SSL.const_defined? :OP_NO_TLSv1_3 # work-around JRuby-OpenSSL bug - missing constant
+          @ssl_context.max_version = :TLS1_2 if disabled_protocols.delete('TLSv1.3')
+        end
+        # mapping 'TLSv1.2' -> OpenSSL::SSL::OP_NO_TLSv1_2
+        disabled_protocols.map! { |v| OpenSSL::SSL.const_get "OP_NO_#{v.sub('.', '_')}" }
+        @ssl_context.options = disabled_protocols.reduce(@ssl_context.options, :|)
+      end
+
+      if ssl_cipher_suites.any?
+        @ssl_context.ciphers = ssl_cipher_suites # Java cipher names work with JOSSL >= 0.12.2
+      end
     rescue => e
       @logger.error("Could not inititalize SSL context", :message => e.message, :exception => e.class, :backtrace => e.backtrace)
       raise e
@@ -305,6 +331,11 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     @ssl_context
   end
 
+  # @note to be able to hook up into #ssl_context from tests
+  def new_ssl_context
+    OpenSSL::SSL::SSLContext.new
+  end
+
   def load_cert_store
     cert_store = OpenSSL::X509::Store.new
     cert_store.set_default_paths
@@ -379,6 +410,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
       .set_ssl_key_password(@ssl_key_passphrase.value)
       .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
       .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
+      .set_ssl_supported_protocols(ssl_supported_protocols.to_java(:string))
+      .set_ssl_cipher_suites(ssl_cipher_suites.to_java(:string))
       .build_context
   rescue java.lang.IllegalArgumentException => e
     @logger.error("SSL configuration invalid", error_details(e))

data/lib/logstash-input-tcp_jars.rb

@@ -4,4 +4,4 @@ require 'jar_dependencies'
 require_jar('io.netty', 'netty-all', '4.1.65.Final')
 require_jar('commons-io', 'commons-io', '2.8.0')
 
-require_jar('org.logstash.inputs', 'logstash-input-tcp', '6.2.7')
+require_jar('org.logstash.inputs', 'logstash-input-tcp', '6.3.1')

data/logstash-input-tcp.gemspec

@@ -23,10 +23,10 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.2'
 
-  s.add_runtime_dependency 'logstash-core', '>= 6.7.0'
+  s.add_runtime_dependency 'logstash-core', '>= 8.1.0'
 
   # we depend on bouncycastle's bcpkix-jdk15on being on the class-path
-  s.add_runtime_dependency 'jruby-openssl', '>= 0.10.2'
+  s.add_runtime_dependency 'jruby-openssl', '>= 0.12.2' # 0.12 supports TLSv1.3 
 
   # line vs streaming codecs required for fix_streaming_codecs
   # TODO: fix_streaming_codecs should be refactored to not

data/spec/inputs/tcp_spec.rb

@@ -541,7 +541,7 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
       end
     end
 
-    describe "#receive" do
+    describe "#receive", :ecs_compatibility_support do
       shared_examples "receiving events" do
         # TODO(sissel): Implement normal event-receipt tests as as a shared example
       end
@@ -549,7 +549,10 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
       context "when ssl_enable is true" do
         let(:input) { subject }
         let(:queue) { Queue.new }
-        before(:each) { subject.register }
+        before(:each) do
+          allow_any_instance_of(described_class).to receive(:ecs_compatibility).and_return(ecs_compatibility) if defined?(ecs_compatibility)
+          subject.register
+        end
 
         context "when using a certificate chain" do
           chain_of_certificates = TcpHelpers.new.chain_of_certificates
@@ -568,18 +571,21 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
           let(:sslsocket) { OpenSSL::SSL::SSLSocket.new(tcp, sslcontext) }
           let(:message) { "message to #{port}" }
 
-          context "with a non encrypted private key" do
-            let(:config) do
-              {
+          let(:base_config) do
+            {
                 "host" => "127.0.0.1",
                 "port" => port,
                 "ssl_enable" => true,
                 "ssl_cert" => chain_of_certificates[:b_cert].path,
                 "ssl_key" => chain_of_certificates[:b_key].path,
                 "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
-                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
-                "ssl_verify" => true
-              }
+                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ]
+            }
+          end
+
+          context "with a non encrypted private key" do
+            let(:config) do
+              base_config.merge "ssl_verify" => true
             end
             it "should be able to connect and write data" do
               result = TcpHelpers.pipelineless_input(subject, 1) do
@@ -620,6 +626,7 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
               expect(result.first.get("message")).to eq(message)
             end
           end
+
           context "when using an encrypted private pkcs8 key" do
             let(:config) do
               {
@@ -646,6 +653,141 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
               expect(result.first.get("message")).to eq(message)
             end
           end
+
+          context "with a regular TLS setup" do
+            let(:config) do
+              {
+                "host" => "127.0.0.1",
+                "port" => port,
+                "ssl_enable" => true,
+                "ssl_cert" => chain_of_certificates[:b_cert].path,
+                "ssl_key" => chain_of_certificates[:b_key].path,
+                "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
+                "ssl_verify" => true
+              }
+            end
+
+            ecs_compatibility_matrix(:disabled,:v1, :v8 => :v1) do |ecs_select|
+              it "extracts the TLS subject from connections" do
+                result = TcpHelpers.pipelineless_input(subject, 1) do
+                  sslsocket.connect
+                  sslsocket.write("#{message}\n")
+                  tcp.flush
+                  sslsocket.close
+                  tcp.close
+                end
+                expect(result.size).to eq(1)
+                event = result.first
+
+                ssl_subject_field = ecs_select[disabled: 'sslsubject', v1:'[@metadata][input][tcp][tls][client][subject]']
+                expect(event.get(ssl_subject_field)).to eq("CN=RubyAA_Cert,DC=ruby-lang,DC=org")
+              end
+            end
+          end
+
+          context "with enforced protocol version" do
+            let(:config) do
+              base_config.merge 'ssl_supported_protocols' => [ tls_version ]
+            end
+
+            let(:tls_version) { 'TLSv1.3' }
+
+            it "should be able to connect and write data" do
+              used_tls_protocol = nil
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                used_tls_protocol = sslsocket.session.to_java(javax.net.ssl.SSLSession).getProtocol
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(used_tls_protocol).to eql tls_version
+            end
+          end
+
+          context "with enforced protocol range" do
+            let(:config) do
+              base_config.merge 'ssl_supported_protocols' => [ 'TLSv1.3', 'TLSv1.2' ]
+            end
+            let(:sslcontext) do
+              super().tap { |ctx| ctx.ssl_version = 'TLSv1.2' }
+            end
+
+            it "should be able to connect and write data" do
+              used_tls_protocol = nil
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                used_tls_protocol = sslsocket.session.to_java(javax.net.ssl.SSLSession).getProtocol
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(used_tls_protocol).to eql 'TLSv1.2'
+            end
+          end if TcpHelpers.tls13_available_by_default? # till CI testing against 6.x
+
+          context "with unsupported client protocol" do
+            let(:config) do
+              base_config.merge 'ssl_supported_protocols' => [ 'TLSv1.2' ]
+            end
+            let(:sslcontext) do
+              super().tap { |ctx| ctx.ssl_version = 'TLSv1.1' }
+            end
+
+            it "should not be able to connect" do
+              TcpHelpers.pipelineless_input(subject, 0) do
+                expect { sslsocket.connect }.to raise_error(OpenSSL::SSL::SSLError, /No appropriate protocol|protocol_version/i)
+                sslsocket.close
+                tcp.close
+              end
+            end
+          end
+
+          context "with specified cipher suites" do
+            let(:config) do
+              base_config.merge 'ssl_cipher_suites' => [ cipher_suite ]
+            end
+
+            let(:cipher_suite) { 'TLS_RSA_WITH_AES_128_GCM_SHA256' }
+
+            it "should be able to connect and write data" do
+              used_cipher_suite = nil
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                used_cipher_suite = sslsocket.session.to_java(javax.net.ssl.SSLSession).getCipherSuite
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(used_cipher_suite).to eql cipher_suite
+            end
+          end
+
+          context "with unsupported client cipher" do
+            let(:config) do
+              base_config.merge 'ssl_cipher_suites' => [ 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' ]
+            end
+
+            let(:sslcontext) do
+              super().tap { |ctx| ctx.ciphers = [ 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' ] }
+            end
+
+            it "should not be able to connect" do
+              TcpHelpers.pipelineless_input(subject, 0) do
+                expect { sslsocket.connect }.to raise_error(OpenSSL::SSL::SSLError, /handshake_failure|no cipher match/i)
+                sslsocket.close
+                tcp.close
+              end
+            end
+          end
+
         end
 
         context "with a poorly-behaving client" do
@@ -717,4 +859,83 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
       let(:config) { { "port" => port } }
     end
   end
+
+  context 'ssl context (client mode)' do
+
+    let(:chain_of_certificates) do
+      TcpHelpers.new.chain_of_certificates
+    end
+
+    let(:config) do
+      {
+          "host" => "127.0.0.1",
+          "port" => port,
+          "mode" => 'client',
+          "ssl_enable" => true,
+          "ssl_cert" => chain_of_certificates[:b_cert].path,
+          "ssl_key" => chain_of_certificates[:b_key].path,
+          "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+          "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ]
+      }
+    end
+
+    subject(:plugin) { LogStash::Inputs::Tcp.new(config) }
+
+    let(:ssl_context) { plugin.send :ssl_context }
+
+    context "with cipher suites" do
+      let(:config) do
+        super().merge 'ssl_cipher_suites' => [ cipher_suite ]
+      end
+
+      let(:cipher_suite) { 'TLS_RSA_WITH_AES_128_GCM_SHA256' }
+
+      it "sets ciphers" do
+        cipher_ary = ssl_context.ciphers.first
+        expect( cipher_ary[0] ).to eql 'AES128-GCM-SHA256'
+      end
+
+    end
+
+    context "with forced protocol" do
+      let(:config) do
+        super().merge 'ssl_supported_protocols' => [ 'TLSv1.1' ]
+      end
+
+      it "limits protocol selection" do
+        if OpenSSL::SSL.const_defined? :OP_NO_TLSv1_3
+          ssl_context = subject.send :ssl_context
+          expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_3).to_not eql 0
+          expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_2).to_not eql 0
+          expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_1).to eql 0
+        else
+          ssl_context = OpenSSL::SSL::SSLContext.new
+          allow(subject).to receive(:new_ssl_context).and_return(ssl_context)
+          expect(ssl_context).to receive(:max_version=).with(:'TLS1_2').and_call_original
+          ssl_context = subject.send :ssl_context
+          expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_2).to_not eql 0
+          expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_1).to eql 0
+        end
+      end
+
+    end
+
+    context "with protocol range" do
+      let(:config) do
+        super().merge 'ssl_supported_protocols' => [ 'TLSv1.3', 'TLSv1.1', 'TLSv1.2' ]
+      end
+
+      it "does not limit protocol selection (except min_version)" do
+        ssl_context = OpenSSL::SSL::SSLContext.new
+        allow(subject).to receive(:new_ssl_context).and_return(ssl_context)
+        expect(ssl_context).to receive(:min_version=).with(:'TLS1_1').and_call_original
+        ssl_context = subject.send :ssl_context
+        expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_3).to eql 0 if OpenSSL::SSL.const_defined? :OP_NO_TLSv1_3
+        expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_2).to eql 0
+        expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_1).to eql 0
+      end
+    end
+
+  end
+
 end

data/spec/spec_helper.rb

@@ -7,6 +7,17 @@ require "stud/temporary"
 
 class TcpHelpers
 
+  def self.tls13_available_by_default?
+    begin
+      context = javax.net.ssl.SSLContext.getInstance('TLS')
+      context.init nil, nil, nil
+      context.getDefaultSSLParameters.getProtocols.include? 'TLSv1.3'
+    rescue => e
+      warn "failed to detect TLSv1.3 support: #{e.inspect}"
+      nil
+    end
+  end
+
   java_import 'org.bouncycastle.openssl.PEMParser'
   java_import 'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder'
   java_import 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter'

data/version

@@ -1 +1 @@
-6.2.7
+6.3.1

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 6.2.7
+  version: 6.3.1
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-01 00:00:00.000000000 Z
+date: 2022-10-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -49,7 +49,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.7.0
+        version: 8.1.0
   name: logstash-core
   prerelease: false
   type: :runtime
@@ -57,13 +57,13 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.7.0
+        version: 8.1.0
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.10.2
+        version: 0.12.2
   name: jruby-openssl
   prerelease: false
   type: :runtime
@@ -71,7 +71,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.10.2
+        version: 0.12.2
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -233,7 +233,7 @@ files:
 - spec/spec_helper.rb
 - vendor/jar-dependencies/commons-io/commons-io/2.8.0/commons-io-2.8.0.jar
 - vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final/netty-all-4.1.65.Final.jar
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.2.7/logstash-input-tcp-6.2.7.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.3.1/logstash-input-tcp-6.3.1.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses: