logstash-input-tcp 6.3.4-java → 6.4.0-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +11 -0
- data/docs/index.asciidoc +64 -6
- data/lib/logstash/inputs/tcp/decoder_impl.rb +1 -1
- data/lib/logstash/inputs/tcp.rb +124 -19
- data/lib/logstash-input-tcp_jars.rb +8 -8
- data/logstash-input-tcp.gemspec +1 -0
- data/spec/inputs/tcp_spec.rb +199 -30
- data/vendor/jar-dependencies/commons-io/commons-io/2.13.0/commons-io-2.13.0.jar +0 -0
- data/vendor/jar-dependencies/io/netty/netty-buffer/{4.1.93.Final/netty-buffer-4.1.93.Final.jar → 4.1.94.Final/netty-buffer-4.1.94.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-codec/{4.1.93.Final/netty-codec-4.1.93.Final.jar → 4.1.94.Final/netty-codec-4.1.94.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-common/{4.1.93.Final/netty-common-4.1.93.Final.jar → 4.1.94.Final/netty-common-4.1.94.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-handler/{4.1.93.Final/netty-handler-4.1.93.Final.jar → 4.1.94.Final/netty-handler-4.1.94.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-transport/{4.1.93.Final/netty-transport-4.1.93.Final.jar → 4.1.94.Final/netty-transport-4.1.94.Final.jar} +0 -0
- data/vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/{4.1.93.Final/netty-transport-native-unix-common-4.1.93.Final.jar → 4.1.94.Final/netty-transport-native-unix-common-4.1.94.Final.jar} +0 -0
- data/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.4.0/logstash-input-tcp-6.4.0.jar +0 -0
- data/version +1 -1
- metadata +24 -10
- data/vendor/jar-dependencies/commons-io/commons-io/2.8.0/commons-io-2.8.0.jar +0 -0
- data/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.3.4/logstash-input-tcp-6.3.4.jar +0 -0
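--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3a112bdd1b3844e11d4948abcb693e51b079746a2a1decd790f2cb7ee107ec60
+data.tar.gz: bf9f795b4894c85009355afc24695d7c12202db5029fd314328912694f556d5a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cea7c145bf773108a4800f6421b57a4c72e7df8b4ab1f7a4ea9a55310e34afc56a5f2a839663e11b32f9580d035cf1058f4cff495074e62ab710645187377065
+data.tar.gz: 41b388723083feb40e7cfd83b893286ee4f1c64a1e63d7f1d9f58653b87c65689187edfd21aaa81fb6269b19655207f3959937039fac45b9a6c0120994b1eff5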
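--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 6.4.0
+- Reviewed and deprecated SSL settings to comply with Logstash's naming convention [#213](https://github.com/logstash-plugins/logstash-input-tcp/pull/213)
+- Deprecated `ssl_enable` in favor of `ssl_enabled`
+- Deprecated `ssl_cert` in favor of `ssl_certificate`
+- Deprecated `ssl_verify` in favor of `ssl_client_authentication` when mode is `server`
+- Deprecated `ssl_verify` in favor of `ssl_verification_mode` when mode is `client`
+- Added SSL configuration validations
+
+## 6.3.5
+- update netty to 4.1.94 and other dependencies [#216](https://github.com/logstash-plugins/logstash-input-tcp/pull/216)
+
 ## 6.3.4
 - Fix: reduce error logging (to info level) on connection resets [#214](https://github.com/logstash-plugins/logstash-input-tcp/pull/214)
 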
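--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -95,8 +95,8 @@ Available when receiving events by proxy and
 l|[@metadata][input][tcp][proxy][port] l|[proxy_port]
 
 .1+|SSL Subject Metadata from a secured TCP
-connection. Available when `
-AND `
+connection. Available when `ssl_enabled => true`
+AND `ssl_client_authentication => 'optional' or 'required'` l|[@metadata][input][tcp][ssl][subject] l|[sslsubject]
 |=======================================================================
 
 For example, the Elastic Common Schema reserves the https://www.elastic.co/guide/en/ecs/current/ecs-host.html[top-level `host` field] for information about the host on which the event happened.
@@ -130,15 +130,19 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-mode>> |<<string,string>>, one of `["server", "client"]`|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
 | <<plugins-{type}s-{plugin}-proxy_protocol>> |<<boolean,boolean>>|No
-| <<plugins-{type}s-{plugin}-ssl_cert>> |a valid filesystem path|
+| <<plugins-{type}s-{plugin}-ssl_cert>> |a valid filesystem path|__Deprecated__
+| <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-
+| <<plugins-{type}s-{plugin}-ssl_client_authentication>> |<<string,string>>, one of `["none", "optional", "required"]`|No
+| <<plugins-{type}s-{plugin}-ssl_enable>> |<<boolean,boolean>>|__Deprecated__
+| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_extra_chain_certs>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-
+| <<plugins-{type}s-{plugin}-ssl_verification_mode>> |<<string,string>>, one of `["full", "none"]`|No
+| <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-tcp_keep_alive>> |<<boolean,boolean>>|No
 |=======================================================================
 
@@ -210,6 +214,7 @@ http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
 
 [id="plugins-{type}s-{plugin}-ssl_cert"]
 ===== `ssl_cert`
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_certificate>>]
 
 * Value type is <<path,path>>
 * There is no default value for this setting.
@@ -217,6 +222,15 @@ http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
 Path to certificate in PEM format. This certificate will be presented
 to the connecting clients.
 
+[id="plugins-{type}s-{plugin}-ssl_certificate"]
+===== `ssl_certificate`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+Path to certificate in PEM format. This certificate will be presented
+to the other part of the TLS connection.
+
 [id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
 ===== `ssl_certificate_authorities`
 
@@ -238,8 +252,33 @@ the table of supported https://docs.oracle.com/en/java/javase/11/docs/specs/secu
 
 NOTE: To check the supported cipher suites locally run the following script: `$LS_HOME/bin/ruby -e 'p javax.net.ssl.SSLServerSocketFactory.getDefault.getSupportedCipherSuites'`.
 
+[id="plugins-{type}s-{plugin}-ssl_client_authentication"]
+===== `ssl_client_authentication`
+
+* Value can be any of: `none`, `optional`, `required`
+* Default value is `required`
+
+Controls the server's behavior in regard to requesting a certificate from client connections:
+`none` disables the client authentication. `required` forces a client to present a certificate, while `optional` requests a client certificate
+but the client is not required to present one.
+
+When mutual TLS is enabled (`optional` or `required`), the certificate presented by the client must be signed by trusted
+<<plugins-{type}s-{plugin}-ssl_certificate_authorities>> (CAs).
+Please note that the server does not validate the client certificate CN (Common Name) or SAN (Subject Alternative Name).
+
+NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-mode>> is `server` and <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> is set.
+
 [id="plugins-{type}s-{plugin}-ssl_enable"]
 ===== `ssl_enable`
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Enable SSL (must be set for other `ssl_` options to take effect).
+
+[id="plugins-{type}s-{plugin}-ssl_enabled"]
+===== `ssl_enabled`
 
 * Value type is <<boolean,boolean>>
 * Default value is `false`
@@ -286,8 +325,27 @@ NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as
 the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
 the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
 
+[id="plugins-{type}s-{plugin}-ssl_verification_mode"]
+===== `ssl_verification_mode`
+
+* Value can be any of: `full`, `none`
+* Default value is `full`
+
+Defines how to verify the certificates presented by another party in the TLS connection:
+
+`full` validates that the server certificate has an issue date that's within
+the not_before and not_after dates; chains to a trusted Certificate Authority (CA), and
+has a hostname or IP address that matches the names within the certificate.
+
+`none` performs no certificate validation.
+
+This setting can be used only if <<plugins-{type}s-{plugin}-mode>> is `client`.
+
+WARNING: Setting certificate verification to `none` disables many security benefits of SSL/TLS, which is very dangerous. For more information on disabling certificate verification please read https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
+
 [id="plugins-{type}s-{plugin}-ssl_verify"]
-===== `ssl_verify`
+===== `ssl_verify`
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_client_authentication>> and <<plugins-{type}s-{plugin}-ssl_verification_mode>>]
 
 * Value type is <<boolean,boolean>>
 * Default value is `true`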
@@ -62,7 +62,7 @@ class LogStash::Inputs::Tcp::DecoderImpl
|
|
62
62
|
|
63
63
|
private
|
64
64
|
def extract_sslsubject(channel)
|
65
|
-
return nil unless @tcp.
|
65
|
+
return nil unless @tcp.ssl_peer_verification_enabled?
|
66
66
|
|
67
67
|
channel.pipeline().get("ssl-handler").engine().getSession().getPeerPrincipal().getName()
|
68
68
|
rescue Exception => e
|
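--- a/data/lib/logstash/inputs/tcp.rb
+++ b/data/lib/logstash/inputs/tcp.rb
@@ -6,6 +6,7 @@ require "logstash/inputs/base"
 require "logstash/util/socket_peer"
 require "logstash-input-tcp_jars"
 require 'logstash/plugin_mixins/ecs_compatibility_support'
+require "logstash/plugin_mixins/normalize_config_support"
 
 require "socket"
 require "openssl"
@@ -68,6 +69,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 # ecs_compatibility option, provided by Logstash core or the support adapter.
 include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
 
+include LogStash::PluginMixins::NormalizeConfigSupport
+
 config_name "tcp"
 
 default :codec, "line"
@@ -89,14 +92,34 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 config :proxy_protocol, :validate => :boolean, :default => false
 
 # Enable SSL (must be set for other `ssl_` options to take effect).
-config :ssl_enable, :validate => :boolean, :default => false
+config :ssl_enable, :validate => :boolean, :default => false, :deprecated => "Use 'ssl_enabled' instead."
+
+# Enable SSL (must be set for other `ssl_` options to take effect).
+config :ssl_enabled, :validate => :boolean, :default => false
+
+# Controls the server’s behavior in regard to requesting a certificate from client connections.
+# `none`: No client authentication
+# `optional`: Requests a client certificate but the client is not required to present one.
+# `required`: Forces a client to present a certificate.
+# This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
+config :ssl_client_authentication, :validate => %w[none optional required], :default => 'required'
 
 # Verify the identity of the other end of the SSL connection against the CA.
 # For input, sets the field `sslsubject` to that of the client certificate.
-config :ssl_verify, :validate => :boolean, :default => true
+config :ssl_verify, :validate => :boolean, :default => true, :deprecated => "Use 'ssl_client_authentication' when mode is 'server' or 'ssl_verification_mode' when mode is 'client'"
+
+# Options to verify the server's certificate.
+# "full": validates that the provided certificate has an issue date that’s within the not_before and not_after dates;
+# chains to a trusted Certificate Authority (CA); has a hostname or IP address that matches the names within the certificate.
+# "certificate": Validates the provided certificate and verifies that it’s signed by a trusted authority (CA), but does’t check the certificate hostname.
+# "none": performs no certificate validation. Disabling this severely compromises security (https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf)
+config :ssl_verification_mode, :validate => %w[full none], :default => 'full'
+
+# SSL certificate path
+config :ssl_cert, :validate => :path, :deprecated => "Use 'ssl_certificate' instead."
 
 # SSL certificate path
-config :
+config :ssl_certificate, :validate => :path
 
 # SSL key path
 config :ssl_key, :validate => :path
@@ -140,6 +163,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 super(*args)
 
 setup_fields!
+setup_ssl_params!
 
 self.class.patch_socket_peer!
 
@@ -154,6 +178,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
 def register
 fix_streaming_codecs
+validate_ssl_config!
 
 if server?
 @loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive, java_ssl_context)
@@ -163,7 +188,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 def run(output_queue)
 @output_queue = output_queue
 if server?
-@logger.info("Starting tcp input listener", :address => "#{@host}:#{@port}", :
+@logger.info("Starting tcp input listener", :address => "#{@host}:#{@port}", :ssl_enabled => @ssl_enabled)
 @loop.run
 else
 run_client()
@@ -210,6 +235,15 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 @dns_reverse_lookup_enabled
 end
 
+def ssl_peer_verification_enabled?
+return false unless @ssl_enabled
+if server?
+@ssl_client_authentication && @ssl_client_authentication != 'none'
+else
+@ssl_verification_mode == 'full'
+end
+end
+
 private
 
 def run_client()
@@ -229,7 +263,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 client_port = socket.peeraddr[1]
 
 # Client mode sslsubject extraction, server mode happens in DecoderImpl#decode
-ssl_subject = socket.peer_cert.subject.to_s if
+ssl_subject = socket.peer_cert.subject.to_s if ssl_peer_verification_enabled?
 peer = "#{client_address}:#{client_port}"
 first_read = true
 codec = @codec.clone
@@ -289,6 +323,80 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 @field_sslsubject = ecs_select[disabled: "sslsubject", v1: "[@metadata][input][tcp][tls][client][subject]"].freeze
 end
 
+def validate_ssl_config!
+unless @ssl_enabled
+ignored_ssl_settings = original_params.select { |k| k != 'ssl_enabled' && k != 'ssl_enable' && k.start_with?('ssl_') }
+@logger.warn("Configured SSL settings are not used when `#{provided_ssl_enabled_config_name}` is set to `false`: #{ignored_ssl_settings.keys}") if ignored_ssl_settings.any?
+return
+end
+
+if @ssl_certificate && !@ssl_key
+raise LogStash::ConfigurationError, "Using an `ssl_certificate` requires an `ssl_key`"
+elsif @ssl_key && !@ssl_certificate
+raise LogStash::ConfigurationError, 'An `ssl_certificate` is required when using an `ssl_key`'
+end
+
+if server?
+validate_server_ssl_config!
+else
+validate_client_ssl_config!
+end
+end
+
+def validate_client_ssl_config!
+if original_params.include?('ssl_client_authentication')
+raise LogStash::ConfigurationError, "`ssl_client_authentication` must not be configured when mode is `client`, use `ssl_verification_mode` instead."
+end
+end
+
+def validate_server_ssl_config!
+if original_params.include?('ssl_verification_mode')
+raise LogStash::ConfigurationError, "`ssl_verification_mode` must not be configured when mode is `server`, use `ssl_client_authentication` instead."
+end
+
+if @ssl_certificate.nil?
+raise LogStash::ConfigurationError, "An `ssl_certificate` is required when `#{provided_ssl_enabled_config_name}` => true"
+end
+
+ssl_client_authentication_provided = original_params.include?('ssl_client_authentication')
+if ssl_client_authentication_provided && @ssl_client_authentication != 'none' && (@ssl_certificate_authorities.nil? || @ssl_certificate_authorities.empty?)
+raise LogStash::ConfigurationError, "An `ssl_certificate_authorities` is required when `ssl_client_authentication` => `#{@ssl_client_authentication}`"
+end
+end
+
+def provided_ssl_enabled_config_name
+original_params.include?('ssl_enable') ? 'ssl_enable' : 'ssl_enabled'
+end
+
+def setup_ssl_params!
+@ssl_enabled = normalize_config(:ssl_enabled) do |normalizer|
+normalizer.with_deprecated_alias(:ssl_enable)
+end
+
+@ssl_certificate = normalize_config(:ssl_certificate) do |normalizer|
+normalizer.with_deprecated_alias(:ssl_cert)
+end
+
+if server?
+@ssl_client_authentication = normalize_config(:ssl_client_authentication) do |normalizer|
+normalizer.with_deprecated_mapping(:ssl_verify) do |ssl_verify|
+ssl_verify == true ? "required" : "none"
+end
+end
+else
+@ssl_verification_mode = normalize_config(:ssl_verification_mode) do |normalize|
+normalize.with_deprecated_mapping(:ssl_verify) do |ssl_verify|
+ssl_verify == true ? "full" : "none"
+end
+end
+end
+
+params['ssl_enabled'] = @ssl_enabled unless @ssl_enabled.nil?
+params['ssl_certificate'] = @ssl_certificate unless @ssl_certificate.nil?
+params['ssl_verification_mode'] = @ssl_verification_mode unless @ssl_verification_mode.nil?
+params['ssl_client_authentication'] = @ssl_client_authentication unless @ssl_client_authentication.nil?
+end
+
 def server?
 @mode == "server"
 end
@@ -298,13 +406,13 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
 begin
 @ssl_context = new_ssl_context
-@ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@
+@ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_certificate))
 @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase.value)
 if @ssl_extra_chain_certs.any?
 @ssl_context.extra_chain_cert = @ssl_extra_chain_certs.map {|cert_path| OpenSSL::X509::Certificate.new(File.read(cert_path)) }
-@ssl_context.extra_chain_cert.unshift(OpenSSL::X509::Certificate.new(File.read(@
+@ssl_context.extra_chain_cert.unshift(OpenSSL::X509::Certificate.new(File.read(@ssl_certificate)))
 end
-if @
+if @ssl_verification_mode == "full"
 @ssl_context.cert_store = load_cert_store
 @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
 end
@@ -349,7 +457,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 socket = TCPSocket.new(@host, @port)
 socket.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, @tcp_keep_alive)
 
-if @
+if @ssl_enabled
 socket = OpenSSL::SSL::SSLSocket.new(socket, ssl_context)
 socket.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, @tcp_keep_alive)
 socket.connect
@@ -402,16 +510,13 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 end
 
 def java_ssl_context
-
-
-.
-.
-.
-.
-.
-.set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
-.set_ssl_supported_protocols(ssl_supported_protocols.to_java(:string))
-.set_ssl_cipher_suites(ssl_cipher_suites.to_java(:string))
+return nil unless @ssl_enabled
+SslContextBuilder.new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.value)
+.set_client_authentication(SslContextBuilder::SslClientAuthentication.of(@ssl_client_authentication))
+.set_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
+.set_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
+.set_supported_protocols(ssl_supported_protocols.to_java(:string))
+.set_cipher_suites(ssl_cipher_suites.to_java(:string))
 .build_context
 rescue java.lang.IllegalArgumentException => e
 @logger.error("SSL configuration invalid", error_details(e))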
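Review bot: In `validate_server_ssl_config!` the CA-list check runs only when `ssl_client_authentication` appears in `original_params`, so a listener relying on the default `required` (or on the deprecated `ssl_verify => true`, as the added spec confirms) registers with an empty `ssl_certificate_authorities` and no diagnostic. `java_ssl_context` still hands `@ssl_client_authentication` to `set_client_authentication`, and which trust anchors then decide whether a client certificate is accepted is settled inside `SslContextBuilder`, which this page does not show. If raising would break existing configurations, the implicit case should at least be logged, e.g. `@logger.warn("ssl_client_authentication is enabled but ssl_certificate_authorities is empty") if @ssl_client_authentication != 'none' && Array(@ssl_certificate_authorities).empty?`. Separately, the comment above `config :ssl_verification_mode` describes a `"certificate"` mode that `:validate => %w[full none]` rejects, so that comment line should be removed to keep operators from expecting a mode the option does not accept.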
@@ -1,12 +1,12 @@
|
|
1
1
|
# AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.
|
2
2
|
|
3
3
|
require 'jar_dependencies'
|
4
|
-
require_jar('io.netty', 'netty-buffer', '4.1.
|
5
|
-
require_jar('io.netty', 'netty-codec', '4.1.
|
6
|
-
require_jar('io.netty', 'netty-common', '4.1.
|
7
|
-
require_jar('io.netty', 'netty-transport', '4.1.
|
8
|
-
require_jar('io.netty', 'netty-handler', '4.1.
|
9
|
-
require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.
|
10
|
-
require_jar('commons-io', 'commons-io', '2.
|
4
|
+
require_jar('io.netty', 'netty-buffer', '4.1.94.Final')
|
5
|
+
require_jar('io.netty', 'netty-codec', '4.1.94.Final')
|
6
|
+
require_jar('io.netty', 'netty-common', '4.1.94.Final')
|
7
|
+
require_jar('io.netty', 'netty-transport', '4.1.94.Final')
|
8
|
+
require_jar('io.netty', 'netty-handler', '4.1.94.Final')
|
9
|
+
require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.94.Final')
|
10
|
+
require_jar('commons-io', 'commons-io', '2.13.0')
|
11
11
|
|
12
|
-
require_jar('org.logstash.inputs', 'logstash-input-tcp', '6.
|
12
|
+
require_jar('org.logstash.inputs', 'logstash-input-tcp', '6.4.0')
|
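--- a/data/logstash-input-tcp.gemspec
+++ b/data/logstash-input-tcp.gemspec
@@ -22,6 +22,7 @@ Gem::Specification.new do |s|
 # Gem dependencies
 s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
 s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.2'
+s.add_runtime_dependency 'logstash-mixin-normalize_config_support', '~>1.0'
 
 s.add_runtime_dependency 'logstash-core', '>= 8.1.0'
 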
data/spec/inputs/tcp_spec.rb
CHANGED
@@ -357,8 +357,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
357
357
|
{
|
358
358
|
"host" => "127.0.0.1",
|
359
359
|
"port" => port,
|
360
|
-
"
|
361
|
-
"
|
360
|
+
"ssl_enabled" => true,
|
361
|
+
"ssl_certificate" => certificate_file.path,
|
362
362
|
"ssl_key" => key_file.path
|
363
363
|
}
|
364
364
|
end
|
@@ -411,8 +411,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
411
411
|
{
|
412
412
|
"host" => "127.0.0.1",
|
413
413
|
"port" => port,
|
414
|
-
"
|
415
|
-
"
|
414
|
+
"ssl_enabled" => true,
|
415
|
+
"ssl_certificate" => certificate_file.path,
|
416
416
|
"ssl_key" => key_file.path
|
417
417
|
}
|
418
418
|
end
|
@@ -435,8 +435,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
435
435
|
{
|
436
436
|
"host" => "127.0.0.1",
|
437
437
|
"port" => port,
|
438
|
-
"
|
439
|
-
"
|
438
|
+
"ssl_enabled" => true,
|
439
|
+
"ssl_certificate" => File.expand_path('../fixtures/encrypted_aes256.crt', File.dirname(__FILE__)),
|
440
440
|
"ssl_key" => File.expand_path('../fixtures/encrypted_aes256.key', File.dirname(__FILE__)),
|
441
441
|
"ssl_key_passphrase" => '1234',
|
442
442
|
}
|
@@ -453,8 +453,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
453
453
|
{
|
454
454
|
"host" => "127.0.0.1",
|
455
455
|
"port" => port,
|
456
|
-
"
|
457
|
-
"
|
456
|
+
"ssl_enabled" => true,
|
457
|
+
"ssl_certificate" => File.expand_path('../fixtures/encrypted_seed.crt', File.dirname(__FILE__)),
|
458
458
|
"ssl_key" => File.expand_path('../fixtures/encrypted_seed.key', File.dirname(__FILE__)),
|
459
459
|
"ssl_key_passphrase" => '1234',
|
460
460
|
}
|
@@ -472,8 +472,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
472
472
|
{
|
473
473
|
"host" => "127.0.0.1",
|
474
474
|
"port" => port,
|
475
|
-
"
|
476
|
-
"
|
475
|
+
"ssl_enabled" => true,
|
476
|
+
"ssl_certificate" => File.expand_path('../fixtures/encrypted_des.crt', File.dirname(__FILE__)),
|
477
477
|
"ssl_key" => File.expand_path('../fixtures/encrypted_des.key', File.dirname(__FILE__)),
|
478
478
|
"ssl_key_passphrase" => '1234',
|
479
479
|
}
|
@@ -490,8 +490,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
490
490
|
{
|
491
491
|
"host" => "127.0.0.1",
|
492
492
|
"port" => port,
|
493
|
-
"
|
494
|
-
"
|
493
|
+
"ssl_enabled" => true,
|
494
|
+
"ssl_certificate" => File.expand_path('../fixtures/encrypted-pkcs8.crt', File.dirname(__FILE__)),
|
495
495
|
"ssl_key" => File.expand_path('../fixtures/encrypted-pkcs8.key', File.dirname(__FILE__)),
|
496
496
|
"ssl_key_passphrase" => '1234',
|
497
497
|
}
|
@@ -509,8 +509,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
509
509
|
{
|
510
510
|
"host" => "127.0.0.1",
|
511
511
|
"port" => port,
|
512
|
-
"
|
513
|
-
"
|
512
|
+
"ssl_enabled" => true,
|
513
|
+
"ssl_certificate" => File.expand_path('../fixtures/encrypted-pkcs5v15.crt', File.dirname(__FILE__)),
|
514
514
|
"ssl_key" => File.expand_path('../fixtures/encrypted-pkcs5v15.key', File.dirname(__FILE__)),
|
515
515
|
"ssl_key_passphrase" => '1234',
|
516
516
|
}
|
@@ -527,8 +527,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
527
527
|
{
|
528
528
|
"host" => "127.0.0.1",
|
529
529
|
"port" => port,
|
530
|
-
"
|
531
|
-
"
|
530
|
+
"ssl_enabled" => true,
|
531
|
+
"ssl_certificate" => File.expand_path('../fixtures/small.crt', File.dirname(__FILE__)),
|
532
532
|
"ssl_key" => File.expand_path('../fixtures/small.key', File.dirname(__FILE__)),
|
533
533
|
}
|
534
534
|
end
|
@@ -538,6 +538,166 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
538
538
|
end
|
539
539
|
|
540
540
|
end
|
541
|
+
|
542
|
+
context "with only ssl_certificate set" do
|
543
|
+
let(:config) do
|
544
|
+
{
|
545
|
+
"host" => "127.0.0.1",
|
546
|
+
"port" => port,
|
547
|
+
"ssl_enabled" => true,
|
548
|
+
"ssl_certificate" => File.expand_path('../fixtures/small.crt', File.dirname(__FILE__)),
|
549
|
+
}
|
550
|
+
end
|
551
|
+
|
552
|
+
it "should raise a configuration error to request also `ssl_key`" do
|
553
|
+
expect { subject.register }.to raise_error(LogStash::ConfigurationError, /Using an `ssl_certificate` requires an `ssl_key`/)
|
554
|
+
end
|
555
|
+
end
|
556
|
+
|
557
|
+
context "with only ssl_key set" do
|
558
|
+
let(:config) do
|
559
|
+
{
|
560
|
+
"host" => "127.0.0.1",
|
561
|
+
"port" => port,
|
562
|
+
"ssl_enabled" => true,
|
563
|
+
"ssl_key" => File.expand_path('../fixtures/small.key', File.dirname(__FILE__)),
|
564
|
+
}
|
565
|
+
end
|
566
|
+
|
567
|
+
it "should raise a configuration error to request also `ssl_certificate`" do
|
568
|
+
expect { subject.register }.to raise_error(LogStash::ConfigurationError, /An `ssl_certificate` is required when using an `ssl_key`/)
|
569
|
+
end
|
570
|
+
end
|
571
|
+
|
572
|
+
context "and mode is server" do
|
573
|
+
let(:config) do
|
574
|
+
{
|
575
|
+
"host" => "127.0.0.1",
|
576
|
+
"port" => port,
|
577
|
+
"mode" => 'server',
|
578
|
+
"ssl_enabled" => true,
|
579
|
+
"ssl_certificate" => File.expand_path('../fixtures/small.crt', File.dirname(__FILE__)),
|
580
|
+
"ssl_key" => File.expand_path('../fixtures/small.key', File.dirname(__FILE__)),
|
581
|
+
}
|
582
|
+
end
|
583
|
+
|
584
|
+
context "with no ssl_certificate" do
|
585
|
+
let(:config) { super().reject { |k| "ssl_key".eql?(k) || "ssl_certificate".eql?(k) } }
|
586
|
+
|
587
|
+
it "should raise a configuration error" do
|
588
|
+
expect { subject.register }.to raise_error(LogStash::ConfigurationError, /An `ssl_certificate` is required when `ssl_enabled` => true/)
|
589
|
+
end
|
590
|
+
end
|
591
|
+
|
592
|
+
context "with ssl_client_authentication = `none` and no ssl_certificate_authorities" do
|
593
|
+
let(:config) { super().merge(
|
594
|
+
'ssl_client_authentication' => 'none',
|
595
|
+
'ssl_certificate_authorities' => []
|
596
|
+
) }
|
597
|
+
|
598
|
+
it "should register without errors" do
|
599
|
+
expect { subject.register }.to_not raise_error
|
600
|
+
end
|
601
|
+
end
|
602
|
+
|
603
|
+
context "with deprecated ssl_verify = true and no ssl_certificate_authorities" do
|
604
|
+
let(:config) { super().merge(
|
605
|
+
'ssl_verify' => true,
|
606
|
+
'ssl_certificate_authorities' => []
|
607
|
+
) }
|
608
|
+
|
609
|
+
it "should register without errors" do
|
610
|
+
expect { subject.register }.to_not raise_error
|
611
|
+
end
|
612
|
+
end
|
613
|
+
|
614
|
+
%w[required optional].each do |ssl_client_authentication|
|
615
|
+
context "with ssl_client_authentication = `#{ssl_client_authentication}` and no ssl_certificate_authorities" do
|
616
|
+
let(:config) { super().merge(
|
617
|
+
'ssl_client_authentication' => ssl_client_authentication,
|
618
|
+
'ssl_certificate_authorities' => []
|
619
|
+
) }
|
620
|
+
|
621
|
+
it "should raise a configuration error" do
|
622
|
+
expect { subject.register }.to raise_error(LogStash::ConfigurationError, /An `ssl_certificate_authorities` is required when `ssl_client_authentication` => `#{ssl_client_authentication}`/)
|
623
|
+
end
|
624
|
+
end
|
625
|
+
end
|
626
|
+
|
627
|
+
context "with ssl_verification_mode" do
|
628
|
+
let(:config) do
|
629
|
+
super().merge 'ssl_verification_mode' => 'full'
|
630
|
+
end
|
631
|
+
|
632
|
+
it "should raise a configuration error" do
|
633
|
+
expect{subject.register}.to raise_error(LogStash::ConfigurationError, /`ssl_verification_mode` must not be configured when mode is `server`, use `ssl_client_authentication` instead/)
|
634
|
+
end
|
635
|
+
end
|
636
|
+
end
|
637
|
+
|
638
|
+
context "with deprecated settings" do
|
639
|
+
let(:ssl_verify) { true }
|
640
|
+
let(:certificate_path) { File.expand_path('../fixtures/small.crt', File.dirname(__FILE__)) }
|
641
|
+
let(:config) do
|
642
|
+
{
|
643
|
+
"host" => "127.0.0.1",
|
644
|
+
"port" => port,
|
645
|
+
"ssl_enable" => true,
|
646
|
+
"ssl_cert" => certificate_path,
|
647
|
+
"ssl_key" => File.expand_path('../fixtures/small.key', File.dirname(__FILE__)),
|
648
|
+
"ssl_verify" => ssl_verify
|
649
|
+
}
|
650
|
+
end
|
651
|
+
|
652
|
+
context "and mode is server" do
|
653
|
+
let(:config) { super().merge("mode" => 'server') }
|
654
|
+
[true, false].each do |verify|
|
655
|
+
context "and ssl_verify is #{verify}" do
|
656
|
+
let(:ssl_verify) { verify }
|
657
|
+
|
658
|
+
it "should set new configs params" do
|
659
|
+
subject.register
|
660
|
+
expect(subject.params).to match hash_including(
|
661
|
+
"ssl_enabled" => true,
|
662
|
+
"ssl_certificate" => certificate_path,
|
663
|
+
"ssl_client_authentication" => verify ? 'required' : 'none')
|
664
|
+
end
|
665
|
+
|
666
|
+
it "should set new configs variables" do
|
667
|
+
subject.register
|
668
|
+
expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true)
|
669
|
+
expect(subject.instance_variable_get(:@ssl_client_authentication)).to eql(verify ? 'required' : 'none')
|
670
|
+
expect(subject.instance_variable_get(:@ssl_certificate)).to eql(certificate_path)
|
671
|
+
end
|
672
|
+
end
|
673
|
+
end
|
674
|
+
end
|
675
|
+
|
676
|
+
context "and mode is client" do
|
677
|
+
let(:config) { super().merge("mode" => 'client') }
|
678
|
+
[true, false].each do |verify|
|
679
|
+
context "and ssl_verify is #{verify}" do
|
680
|
+
let(:ssl_verify) { verify }
|
681
|
+
|
682
|
+
it "should set new configs params" do
|
683
|
+
subject.register
|
684
|
+
expect(subject.params).to match hash_including(
|
685
|
+
"ssl_enabled" => true,
|
686
|
+
"ssl_certificate" => certificate_path,
|
687
|
+
"ssl_verification_mode" => verify ? 'full' : 'none'
|
688
|
+
)
|
689
|
+
end
|
690
|
+
|
691
|
+
it "should set new configs variables" do
|
692
|
+
subject.register
|
693
|
+
expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true)
|
694
|
+
expect(subject.instance_variable_get(:@ssl_verification_mode)).to eql(verify ? 'full' : 'none')
|
695
|
+
expect(subject.instance_variable_get(:@ssl_certificate)).to eql(certificate_path)
|
696
|
+
end
|
697
|
+
end
|
698
|
+
end
|
699
|
+
end
|
700
|
+
end
|
541
701
|
end
|
542
702
|
end
|
543
703
|
|
@@ -546,7 +706,7 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
546
706
|
# TODO(sissel): Implement normal event-receipt tests as as a shared example
|
547
707
|
end
|
548
708
|
|
549
|
-
context "when
|
709
|
+
context "when ssl_enabled is true" do
|
550
710
|
let(:input) { subject }
|
551
711
|
let(:queue) { Queue.new }
|
552
712
|
before(:each) do
|
@@ -575,8 +735,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
575
735
|
{
|
576
736
|
"host" => "127.0.0.1",
|
577
737
|
"port" => port,
|
578
|
-
"
|
579
|
-
"
|
738
|
+
"ssl_enabled" => true,
|
739
|
+
"ssl_certificate" => chain_of_certificates[:b_cert].path,
|
580
740
|
"ssl_key" => chain_of_certificates[:b_key].path,
|
581
741
|
"ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
|
582
742
|
"ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ]
|
@@ -605,13 +765,13 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
605
765
|
{
|
606
766
|
"host" => "127.0.0.1",
|
607
767
|
"port" => port,
|
608
|
-
"
|
609
|
-
"
|
768
|
+
"ssl_enabled" => true,
|
769
|
+
"ssl_certificate" => chain_of_certificates[:be_cert].path,
|
610
770
|
"ssl_key" => chain_of_certificates[:be_key].path,
|
611
771
|
"ssl_key_passphrase" => "passpasspassword",
|
612
772
|
"ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
|
613
773
|
"ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
|
614
|
-
"
|
774
|
+
"ssl_client_authentication" => 'required'
|
615
775
|
}
|
616
776
|
end
|
617
777
|
it "should be able to connect and write data" do
|
@@ -632,13 +792,13 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
632
792
|
{
|
633
793
|
"host" => "127.0.0.1",
|
634
794
|
"port" => port,
|
635
|
-
"
|
636
|
-
"
|
795
|
+
"ssl_enabled" => true,
|
796
|
+
"ssl_certificate" => chain_of_certificates[:be_cert].path,
|
637
797
|
"ssl_key" => chain_of_certificates[:be_key_pkcs8].path,
|
638
798
|
"ssl_key_passphrase" => "passpasspassword",
|
639
799
|
"ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
|
640
800
|
"ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
|
641
|
-
"
|
801
|
+
"ssl_client_authentication" => 'required'
|
642
802
|
}
|
643
803
|
end
|
644
804
|
it "should be able to connect and write data" do
|
@@ -659,12 +819,12 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
659
819
|
{
|
660
820
|
"host" => "127.0.0.1",
|
661
821
|
"port" => port,
|
662
|
-
"
|
663
|
-
"
|
822
|
+
"ssl_enabled" => true,
|
823
|
+
"ssl_certificate" => chain_of_certificates[:b_cert].path,
|
664
824
|
"ssl_key" => chain_of_certificates[:b_key].path,
|
665
825
|
"ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
|
666
826
|
"ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
|
667
|
-
"
|
827
|
+
"ssl_client_authentication" => 'required'
|
668
828
|
}
|
669
829
|
end
|
670
830
|
|
@@ -871,8 +1031,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
871
1031
|
"host" => "127.0.0.1",
|
872
1032
|
"port" => port,
|
873
1033
|
"mode" => 'client',
|
874
|
-
"
|
875
|
-
"
|
1034
|
+
"ssl_enabled" => true,
|
1035
|
+
"ssl_certificate" => chain_of_certificates[:b_cert].path,
|
876
1036
|
"ssl_key" => chain_of_certificates[:b_key].path,
|
877
1037
|
"ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
|
878
1038
|
"ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ]
|
@@ -936,6 +1096,15 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
|
|
936
1096
|
end
|
937
1097
|
end
|
938
1098
|
|
1099
|
+
context "with ssl_client_authentication" do
|
1100
|
+
let(:config) do
|
1101
|
+
super().merge 'ssl_client_authentication' => 'required'
|
1102
|
+
end
|
1103
|
+
|
1104
|
+
it "should raise a configuration error" do
|
1105
|
+
expect{subject.register}.to raise_error(LogStash::ConfigurationError, /`ssl_client_authentication` must not be configured when mode is `client`, use `ssl_verification_mode` instead/)
|
1106
|
+
end
|
1107
|
+
end
|
939
1108
|
end
|
940
1109
|
|
941
1110
|
end
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|
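--- a/data/version
+++ b/data/version
@@ -1 +1 @@
-6.
+6.4.0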
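--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-version: 6.
+version: 6.4.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-06
+date: 2023-07-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -44,6 +44,20 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '1.2'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
+name: logstash-mixin-normalize_config_support
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.0'
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
 requirements:
@@ -231,14 +245,14 @@ files:
 - spec/fixtures/small.key
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
-- vendor/jar-dependencies/commons-io/commons-io/2.
-- vendor/jar-dependencies/io/netty/netty-buffer/4.1.
-- vendor/jar-dependencies/io/netty/netty-codec/4.1.
-- vendor/jar-dependencies/io/netty/netty-common/4.1.
-- vendor/jar-dependencies/io/netty/netty-handler/4.1.
-- vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.
-- vendor/jar-dependencies/io/netty/netty-transport/4.1.
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.
+- vendor/jar-dependencies/commons-io/commons-io/2.13.0/commons-io-2.13.0.jar
+- vendor/jar-dependencies/io/netty/netty-buffer/4.1.94.Final/netty-buffer-4.1.94.Final.jar
+- vendor/jar-dependencies/io/netty/netty-codec/4.1.94.Final/netty-codec-4.1.94.Final.jar
+- vendor/jar-dependencies/io/netty/netty-common/4.1.94.Final/netty-common-4.1.94.Final.jar
+- vendor/jar-dependencies/io/netty/netty-handler/4.1.94.Final/netty-handler-4.1.94.Final.jar
+- vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.94.Final/netty-transport-native-unix-common-4.1.94.Final.jar
+- vendor/jar-dependencies/io/netty/netty-transport/4.1.94.Final/netty-transport-4.1.94.Final.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.4.0/logstash-input-tcp-6.4.0.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses: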
Binary file
|