logstash-input-tcp 6.3.4-java → 6.4.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f97b059c6bc48a23105c209642e5f6ededac0470fa0110b25e9851b25b85a9f4
-  data.tar.gz: 63de33eb7f87e46de9b0328acdc815c75f91cc7a36ce995862af1144ab801a72
+  metadata.gz: 3a112bdd1b3844e11d4948abcb693e51b079746a2a1decd790f2cb7ee107ec60
+  data.tar.gz: bf9f795b4894c85009355afc24695d7c12202db5029fd314328912694f556d5a
 SHA512:
-  metadata.gz: f67054c4b774f6fd8ee7256a4a1e9800fe4fc0ff65399b630547541174099dfdb8597303945a63d90c7cac637712979c57c747eb115fbfdd66bcb0f330a10c59
-  data.tar.gz: 64a4f02759aee0ac47f043943f33210cd5df95d20dc6eecb0ecb0bb047a3d3b8e42fda98b4e08aa6b8c4a4647eb665811a83f2a885e01c68bfbe72bf1bbb2bc2
+  metadata.gz: cea7c145bf773108a4800f6421b57a4c72e7df8b4ab1f7a4ea9a55310e34afc56a5f2a839663e11b32f9580d035cf1058f4cff495074e62ab710645187377065
+  data.tar.gz: 41b388723083feb40e7cfd83b893286ee4f1c64a1e63d7f1d9f58653b87c65689187edfd21aaa81fb6269b19655207f3959937039fac45b9a6c0120994b1eff5

data/CHANGELOG.md

@@ -1,3 +1,14 @@
+## 6.4.0
+  - Reviewed and deprecated SSL settings to comply with Logstash's naming convention [#213](https://github.com/logstash-plugins/logstash-input-tcp/pull/213)
+    - Deprecated `ssl_enable` in favor of `ssl_enabled`
+    - Deprecated `ssl_cert` in favor of `ssl_certificate`
+    - Deprecated `ssl_verify` in favor of `ssl_client_authentication` when mode is `server`
+    - Deprecated `ssl_verify` in favor of `ssl_verification_mode` when mode is `client`
+  - Added SSL configuration validations
+
+## 6.3.5
+  - update netty to 4.1.94 and other dependencies [#216](https://github.com/logstash-plugins/logstash-input-tcp/pull/216)
+
 ## 6.3.4
   - Fix: reduce error logging (to info level) on connection resets [#214](https://github.com/logstash-plugins/logstash-input-tcp/pull/214)
 

data/docs/index.asciidoc

@@ -95,8 +95,8 @@ Available when receiving events by proxy and
 l|[@metadata][input][tcp][proxy][port]  l|[proxy_port]
 
 .1+|SSL Subject Metadata from a secured TCP
-connection. Available when `ssl_enable => true`
-AND `ssl_verify => true`                        l|[@metadata][input][tcp][ssl][subject] l|[sslsubject]
+connection. Available when `ssl_enabled => true`
+AND `ssl_client_authentication => 'optional' or 'required'`                        l|[@metadata][input][tcp][ssl][subject] l|[sslsubject]
 |=======================================================================
 
 For example, the Elastic Common Schema reserves the https://www.elastic.co/guide/en/ecs/current/ecs-host.html[top-level `host` field] for information about the host on which the event happened.
@@ -130,15 +130,19 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-mode>> |<<string,string>>, one of `["server", "client"]`|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
 | <<plugins-{type}s-{plugin}-proxy_protocol>> |<<boolean,boolean>>|No
-| <<plugins-{type}s-{plugin}-ssl_cert>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-ssl_cert>> |a valid filesystem path|__Deprecated__
+| <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-ssl_enable>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl_client_authentication>> |<<string,string>>, one of `["none", "optional", "required"]`|No
+| <<plugins-{type}s-{plugin}-ssl_enable>> |<<boolean,boolean>>|__Deprecated__
+| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_extra_chain_certs>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl_verification_mode>> |<<string,string>>, one of `["full", "none"]`|No
+| <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-tcp_keep_alive>> |<<boolean,boolean>>|No
 |=======================================================================
 
@@ -210,6 +214,7 @@ http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
 
 [id="plugins-{type}s-{plugin}-ssl_cert"]
 ===== `ssl_cert` 
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_certificate>>]
 
   * Value type is <<path,path>>
   * There is no default value for this setting.
@@ -217,6 +222,15 @@ http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
 Path to certificate in PEM format. This certificate will be presented
 to the connecting clients.
 
+[id="plugins-{type}s-{plugin}-ssl_certificate"]
+===== `ssl_certificate`
+
+  * Value type is <<path,path>>
+  * There is no default value for this setting.
+
+Path to certificate in PEM format. This certificate will be presented
+to the other part of the TLS connection.
+
 [id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
 ===== `ssl_certificate_authorities`
 
@@ -238,8 +252,33 @@ the table of supported https://docs.oracle.com/en/java/javase/11/docs/specs/secu
 
 NOTE: To check the supported cipher suites locally run the following script: `$LS_HOME/bin/ruby -e 'p javax.net.ssl.SSLServerSocketFactory.getDefault.getSupportedCipherSuites'`.
 
+[id="plugins-{type}s-{plugin}-ssl_client_authentication"]
+===== `ssl_client_authentication`
+
+  * Value can be any of: `none`, `optional`, `required`
+  * Default value is `required`
+
+Controls the server's behavior in regard to requesting a certificate from client connections:
+`none` disables the client authentication. `required` forces a client to present a certificate, while `optional` requests a client certificate
+but the client is not required to present one.
+
+When mutual TLS is enabled (`optional` or `required`), the certificate presented by the client must be signed by trusted
+<<plugins-{type}s-{plugin}-ssl_certificate_authorities>> (CAs).
+Please note that the server does not validate the client certificate CN (Common Name) or SAN (Subject Alternative Name).
+
+NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-mode>> is `server` and <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> is set.
+
 [id="plugins-{type}s-{plugin}-ssl_enable"]
 ===== `ssl_enable` 
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `false`
+
+Enable SSL (must be set for other `ssl_` options to take effect).
+
+[id="plugins-{type}s-{plugin}-ssl_enabled"]
+===== `ssl_enabled`
 
   * Value type is <<boolean,boolean>>
   * Default value is `false`
@@ -286,8 +325,27 @@ NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as
 the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
 the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
 
+[id="plugins-{type}s-{plugin}-ssl_verification_mode"]
+===== `ssl_verification_mode`
+
+  * Value can be any of: `full`, `none`
+  * Default value is `full`
+
+Defines how to verify the certificates presented by another party in the TLS connection:
+
+`full` validates that the server certificate has an issue date that's within
+the not_before and not_after dates; chains to a trusted Certificate Authority (CA), and
+has a hostname or IP address that matches the names within the certificate.
+
+`none` performs no certificate validation.
+
+This setting can be used only if <<plugins-{type}s-{plugin}-mode>> is `client`.
+
+WARNING: Setting certificate verification to `none` disables many security benefits of SSL/TLS, which is very dangerous. For more information on disabling certificate verification please read https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
+
 [id="plugins-{type}s-{plugin}-ssl_verify"]
-===== `ssl_verify` 
+===== `ssl_verify`
+deprecated[6.4.0, Replaced by <<plugins-{type}s-{plugin}-ssl_client_authentication>> and <<plugins-{type}s-{plugin}-ssl_verification_mode>>]
 
   * Value type is <<boolean,boolean>>
   * Default value is `true`

data/lib/logstash/inputs/tcp/decoder_impl.rb

@@ -62,7 +62,7 @@ class LogStash::Inputs::Tcp::DecoderImpl
 
   private
   def extract_sslsubject(channel)
-    return nil unless @tcp.ssl_enable && @tcp.ssl_verify
+    return nil unless @tcp.ssl_peer_verification_enabled?
 
     channel.pipeline().get("ssl-handler").engine().getSession().getPeerPrincipal().getName()
   rescue Exception => e

data/lib/logstash/inputs/tcp.rb

@@ -6,6 +6,7 @@ require "logstash/inputs/base"
 require "logstash/util/socket_peer"
 require "logstash-input-tcp_jars"
 require 'logstash/plugin_mixins/ecs_compatibility_support'
+require "logstash/plugin_mixins/normalize_config_support"
 
 require "socket"
 require "openssl"
@@ -68,6 +69,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   # ecs_compatibility option, provided by Logstash core or the support adapter.
   include LogStash::PluginMixins::ECSCompatibilitySupport(:disabled, :v1, :v8 => :v1)
 
+  include LogStash::PluginMixins::NormalizeConfigSupport
+
   config_name "tcp"
 
   default :codec, "line"
@@ -89,14 +92,34 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   config :proxy_protocol, :validate => :boolean, :default => false
 
   # Enable SSL (must be set for other `ssl_` options to take effect).
-  config :ssl_enable, :validate => :boolean, :default => false
+  config :ssl_enable, :validate => :boolean, :default => false, :deprecated => "Use 'ssl_enabled' instead."
+
+  # Enable SSL (must be set for other `ssl_` options to take effect).
+  config :ssl_enabled, :validate => :boolean, :default => false
+
+  # Controls the server’s behavior in regard to requesting a certificate from client connections.
+  # `none`: No client authentication
+  # `optional`: Requests a client certificate but the client is not required to present one.
+  # `required`: Forces a client to present a certificate.
+  # This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
+  config :ssl_client_authentication, :validate => %w[none optional required], :default => 'required'
 
   # Verify the identity of the other end of the SSL connection against the CA.
   # For input, sets the field `sslsubject` to that of the client certificate.
-  config :ssl_verify, :validate => :boolean, :default => true
+  config :ssl_verify, :validate => :boolean, :default => true, :deprecated => "Use 'ssl_client_authentication' when mode is 'server' or 'ssl_verification_mode' when mode is 'client'"
+
+  # Options to verify the server's certificate.
+  # "full": validates that the provided certificate has an issue date that’s within the not_before and not_after dates;
+  # chains to a trusted Certificate Authority (CA); has a hostname or IP address that matches the names within the certificate.
+  # "certificate": Validates the provided certificate and verifies that it’s signed by a trusted authority (CA), but does’t check the certificate hostname.
+  # "none": performs no certificate validation. Disabling this severely compromises security (https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf)
+  config :ssl_verification_mode, :validate => %w[full none], :default => 'full'
+
+  # SSL certificate path
+  config :ssl_cert, :validate => :path, :deprecated => "Use 'ssl_certificate' instead."
 
   # SSL certificate path
-  config :ssl_cert, :validate => :path
+  config :ssl_certificate, :validate => :path
 
   # SSL key path
   config :ssl_key, :validate => :path
@@ -140,6 +163,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     super(*args)
 
     setup_fields!
+    setup_ssl_params!
 
     self.class.patch_socket_peer!
 
@@ -154,6 +178,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
   def register
     fix_streaming_codecs
+    validate_ssl_config!
 
     if server?
       @loop = InputLoop.new(@host, @port, DecoderImpl.new(@codec, self), @tcp_keep_alive, java_ssl_context)
@@ -163,7 +188,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   def run(output_queue)
     @output_queue = output_queue
     if server?
-      @logger.info("Starting tcp input listener", :address => "#{@host}:#{@port}", :ssl_enable => @ssl_enable)
+      @logger.info("Starting tcp input listener", :address => "#{@host}:#{@port}", :ssl_enabled => @ssl_enabled)
       @loop.run
     else
       run_client()
@@ -210,6 +235,15 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     @dns_reverse_lookup_enabled
   end
 
+  def ssl_peer_verification_enabled?
+    return false unless @ssl_enabled
+    if server?
+      @ssl_client_authentication && @ssl_client_authentication != 'none'
+    else
+      @ssl_verification_mode == 'full'
+    end
+  end
+
   private
 
   def run_client()
@@ -229,7 +263,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     client_port = socket.peeraddr[1]
 
     # Client mode sslsubject extraction, server mode happens in DecoderImpl#decode
-    ssl_subject = socket.peer_cert.subject.to_s if @ssl_enable && @ssl_verify
+    ssl_subject = socket.peer_cert.subject.to_s if ssl_peer_verification_enabled?
     peer = "#{client_address}:#{client_port}"
     first_read = true
     codec = @codec.clone
@@ -289,6 +323,80 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     @field_sslsubject = ecs_select[disabled: "sslsubject",              v1: "[@metadata][input][tcp][tls][client][subject]"].freeze
   end
 
+  def validate_ssl_config!
+    unless @ssl_enabled
+      ignored_ssl_settings = original_params.select { |k| k != 'ssl_enabled' && k != 'ssl_enable' && k.start_with?('ssl_') }
+      @logger.warn("Configured SSL settings are not used when `#{provided_ssl_enabled_config_name}` is set to `false`: #{ignored_ssl_settings.keys}") if ignored_ssl_settings.any?
+      return
+    end
+
+    if @ssl_certificate && !@ssl_key
+      raise LogStash::ConfigurationError, "Using an `ssl_certificate` requires an `ssl_key`"
+    elsif @ssl_key && !@ssl_certificate
+      raise LogStash::ConfigurationError, 'An `ssl_certificate` is required when using an `ssl_key`'
+    end
+
+    if server?
+      validate_server_ssl_config!
+    else
+      validate_client_ssl_config!
+    end
+  end
+
+  def validate_client_ssl_config!
+    if original_params.include?('ssl_client_authentication')
+      raise LogStash::ConfigurationError, "`ssl_client_authentication` must not be configured when mode is `client`, use `ssl_verification_mode` instead."
+    end
+  end
+
+  def validate_server_ssl_config!
+    if original_params.include?('ssl_verification_mode')
+      raise LogStash::ConfigurationError, "`ssl_verification_mode` must not be configured when mode is `server`, use `ssl_client_authentication` instead."
+    end
+
+    if @ssl_certificate.nil?
+      raise LogStash::ConfigurationError, "An `ssl_certificate` is required when `#{provided_ssl_enabled_config_name}` => true"
+    end
+
+    ssl_client_authentication_provided = original_params.include?('ssl_client_authentication')
+    if ssl_client_authentication_provided && @ssl_client_authentication != 'none' && (@ssl_certificate_authorities.nil? || @ssl_certificate_authorities.empty?)
+        raise LogStash::ConfigurationError, "An `ssl_certificate_authorities` is required when `ssl_client_authentication` => `#{@ssl_client_authentication}`"
+    end
+  end
+
+  def provided_ssl_enabled_config_name
+    original_params.include?('ssl_enable') ? 'ssl_enable' : 'ssl_enabled'
+  end
+
+  def setup_ssl_params!
+    @ssl_enabled = normalize_config(:ssl_enabled) do |normalizer|
+      normalizer.with_deprecated_alias(:ssl_enable)
+    end
+
+    @ssl_certificate = normalize_config(:ssl_certificate) do |normalizer|
+      normalizer.with_deprecated_alias(:ssl_cert)
+    end
+
+    if server?
+      @ssl_client_authentication = normalize_config(:ssl_client_authentication) do |normalizer|
+        normalizer.with_deprecated_mapping(:ssl_verify) do |ssl_verify|
+          ssl_verify == true ? "required" : "none"
+        end
+      end
+    else
+      @ssl_verification_mode = normalize_config(:ssl_verification_mode) do |normalize|
+        normalize.with_deprecated_mapping(:ssl_verify) do |ssl_verify|
+          ssl_verify == true ? "full" : "none"
+        end
+      end
+    end
+
+    params['ssl_enabled'] = @ssl_enabled unless @ssl_enabled.nil?
+    params['ssl_certificate'] = @ssl_certificate unless @ssl_certificate.nil?
+    params['ssl_verification_mode'] = @ssl_verification_mode unless @ssl_verification_mode.nil?
+    params['ssl_client_authentication'] = @ssl_client_authentication unless @ssl_client_authentication.nil?
+  end
+
   def server?
     @mode == "server"
   end
@@ -298,13 +406,13 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 
     begin
       @ssl_context = new_ssl_context
-      @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
+      @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_certificate))
       @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase.value)
       if @ssl_extra_chain_certs.any?
         @ssl_context.extra_chain_cert = @ssl_extra_chain_certs.map {|cert_path| OpenSSL::X509::Certificate.new(File.read(cert_path)) }
-        @ssl_context.extra_chain_cert.unshift(OpenSSL::X509::Certificate.new(File.read(@ssl_cert)))
+        @ssl_context.extra_chain_cert.unshift(OpenSSL::X509::Certificate.new(File.read(@ssl_certificate)))
       end
-      if @ssl_verify
+      if @ssl_verification_mode == "full"
         @ssl_context.cert_store  = load_cert_store
         @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
       end
@@ -349,7 +457,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     socket = TCPSocket.new(@host, @port)
     socket.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, @tcp_keep_alive)
 
-    if @ssl_enable
+    if @ssl_enabled
       socket = OpenSSL::SSL::SSLSocket.new(socket, ssl_context)
       socket.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, @tcp_keep_alive)
       socket.connect
@@ -402,16 +510,13 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   end
 
   def java_ssl_context
-    SslContextBuilder.new
-      .set_ssl_enabled(@ssl_enable)
-      .set_should_verify(@ssl_verify)
-      .set_ssl_cert(@ssl_cert)
-      .set_ssl_key(@ssl_key)
-      .set_ssl_key_password(@ssl_key_passphrase.value)
-      .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
-      .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
-      .set_ssl_supported_protocols(ssl_supported_protocols.to_java(:string))
-      .set_ssl_cipher_suites(ssl_cipher_suites.to_java(:string))
+    return nil unless @ssl_enabled
+    SslContextBuilder.new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.value)
+      .set_client_authentication(SslContextBuilder::SslClientAuthentication.of(@ssl_client_authentication))
+      .set_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
+      .set_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
+      .set_supported_protocols(ssl_supported_protocols.to_java(:string))
+      .set_cipher_suites(ssl_cipher_suites.to_java(:string))
       .build_context
   rescue java.lang.IllegalArgumentException => e
     @logger.error("SSL configuration invalid", error_details(e))

data/lib/logstash-input-tcp_jars.rb

@@ -1,12 +1,12 @@
 # AUTOGENERATED BY THE GRADLE SCRIPT. DO NOT EDIT.
 
 require 'jar_dependencies'
-require_jar('io.netty', 'netty-buffer', '4.1.93.Final')
-require_jar('io.netty', 'netty-codec', '4.1.93.Final')
-require_jar('io.netty', 'netty-common', '4.1.93.Final')
-require_jar('io.netty', 'netty-transport', '4.1.93.Final')
-require_jar('io.netty', 'netty-handler', '4.1.93.Final')
-require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.93.Final')
-require_jar('commons-io', 'commons-io', '2.8.0')
+require_jar('io.netty', 'netty-buffer', '4.1.94.Final')
+require_jar('io.netty', 'netty-codec', '4.1.94.Final')
+require_jar('io.netty', 'netty-common', '4.1.94.Final')
+require_jar('io.netty', 'netty-transport', '4.1.94.Final')
+require_jar('io.netty', 'netty-handler', '4.1.94.Final')
+require_jar('io.netty', 'netty-transport-native-unix-common', '4.1.94.Final')
+require_jar('commons-io', 'commons-io', '2.13.0')
 
-require_jar('org.logstash.inputs', 'logstash-input-tcp', '6.3.4')
+require_jar('org.logstash.inputs', 'logstash-input-tcp', '6.4.0')

data/logstash-input-tcp.gemspec

@@ -22,6 +22,7 @@ Gem::Specification.new do |s|
   # Gem dependencies
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.2'
+  s.add_runtime_dependency 'logstash-mixin-normalize_config_support', '~>1.0'
 
   s.add_runtime_dependency 'logstash-core', '>= 8.1.0'
 

data/spec/inputs/tcp_spec.rb

@@ -357,8 +357,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
           {
             "host" => "127.0.0.1",
             "port" => port,
-            "ssl_enable" => true,
-            "ssl_cert" => certificate_file.path,
+            "ssl_enabled" => true,
+            "ssl_certificate" => certificate_file.path,
             "ssl_key" => key_file.path
           }
         end
@@ -411,8 +411,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
             {
               "host" => "127.0.0.1",
               "port" => port,
-              "ssl_enable" => true,
-              "ssl_cert" => certificate_file.path,
+              "ssl_enabled" => true,
+              "ssl_certificate" => certificate_file.path,
               "ssl_key" => key_file.path
             }
           end
@@ -435,8 +435,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
             {
                 "host" => "127.0.0.1",
                 "port" => port,
-                "ssl_enable" => true,
-                "ssl_cert" => File.expand_path('../fixtures/encrypted_aes256.crt', File.dirname(__FILE__)),
+                "ssl_enabled" => true,
+                "ssl_certificate" => File.expand_path('../fixtures/encrypted_aes256.crt', File.dirname(__FILE__)),
                 "ssl_key" => File.expand_path('../fixtures/encrypted_aes256.key', File.dirname(__FILE__)),
                 "ssl_key_passphrase" => '1234',
             }
@@ -453,8 +453,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
             {
                 "host" => "127.0.0.1",
                 "port" => port,
-                "ssl_enable" => true,
-                "ssl_cert" => File.expand_path('../fixtures/encrypted_seed.crt', File.dirname(__FILE__)),
+                "ssl_enabled" => true,
+                "ssl_certificate" => File.expand_path('../fixtures/encrypted_seed.crt', File.dirname(__FILE__)),
                 "ssl_key" => File.expand_path('../fixtures/encrypted_seed.key', File.dirname(__FILE__)),
                 "ssl_key_passphrase" => '1234',
             }
@@ -472,8 +472,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
             {
                 "host" => "127.0.0.1",
                 "port" => port,
-                "ssl_enable" => true,
-                "ssl_cert" => File.expand_path('../fixtures/encrypted_des.crt', File.dirname(__FILE__)),
+                "ssl_enabled" => true,
+                "ssl_certificate" => File.expand_path('../fixtures/encrypted_des.crt', File.dirname(__FILE__)),
                 "ssl_key" => File.expand_path('../fixtures/encrypted_des.key', File.dirname(__FILE__)),
                 "ssl_key_passphrase" => '1234',
             }
@@ -490,8 +490,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
             {
                 "host" => "127.0.0.1",
                 "port" => port,
-                "ssl_enable" => true,
-                "ssl_cert" => File.expand_path('../fixtures/encrypted-pkcs8.crt', File.dirname(__FILE__)),
+                "ssl_enabled" => true,
+                "ssl_certificate" => File.expand_path('../fixtures/encrypted-pkcs8.crt', File.dirname(__FILE__)),
                 "ssl_key" => File.expand_path('../fixtures/encrypted-pkcs8.key', File.dirname(__FILE__)),
                 "ssl_key_passphrase" => '1234',
             }
@@ -509,8 +509,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
             {
                 "host" => "127.0.0.1",
                 "port" => port,
-                "ssl_enable" => true,
-                "ssl_cert" => File.expand_path('../fixtures/encrypted-pkcs5v15.crt', File.dirname(__FILE__)),
+                "ssl_enabled" => true,
+                "ssl_certificate" => File.expand_path('../fixtures/encrypted-pkcs5v15.crt', File.dirname(__FILE__)),
                 "ssl_key" => File.expand_path('../fixtures/encrypted-pkcs5v15.key', File.dirname(__FILE__)),
                 "ssl_key_passphrase" => '1234',
             }
@@ -527,8 +527,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
             {
                 "host" => "127.0.0.1",
                 "port" => port,
-                "ssl_enable" => true,
-                "ssl_cert" => File.expand_path('../fixtures/small.crt', File.dirname(__FILE__)),
+                "ssl_enabled" => true,
+                "ssl_certificate" => File.expand_path('../fixtures/small.crt', File.dirname(__FILE__)),
                 "ssl_key" => File.expand_path('../fixtures/small.key', File.dirname(__FILE__)),
             }
           end
@@ -538,6 +538,166 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
           end
 
         end
+
+        context "with only ssl_certificate set" do
+          let(:config) do
+            {
+              "host" => "127.0.0.1",
+              "port" => port,
+              "ssl_enabled" => true,
+              "ssl_certificate" => File.expand_path('../fixtures/small.crt', File.dirname(__FILE__)),
+            }
+          end
+
+          it "should raise a configuration error to request also `ssl_key`" do
+            expect { subject.register }.to raise_error(LogStash::ConfigurationError, /Using an `ssl_certificate` requires an `ssl_key`/)
+          end
+        end
+
+        context "with only ssl_key set" do
+          let(:config) do
+            {
+              "host" => "127.0.0.1",
+              "port" => port,
+              "ssl_enabled" => true,
+              "ssl_key" => File.expand_path('../fixtures/small.key', File.dirname(__FILE__)),
+            }
+          end
+
+          it "should raise a configuration error to request also `ssl_certificate`" do
+            expect { subject.register }.to raise_error(LogStash::ConfigurationError, /An `ssl_certificate` is required when using an `ssl_key`/)
+          end
+        end
+
+        context "and mode is server" do
+          let(:config) do
+            {
+              "host" => "127.0.0.1",
+              "port" => port,
+              "mode" => 'server',
+              "ssl_enabled" => true,
+              "ssl_certificate" => File.expand_path('../fixtures/small.crt', File.dirname(__FILE__)),
+              "ssl_key" => File.expand_path('../fixtures/small.key', File.dirname(__FILE__)),
+            }
+          end
+
+          context "with no ssl_certificate" do
+            let(:config) { super().reject { |k| "ssl_key".eql?(k) || "ssl_certificate".eql?(k) } }
+
+            it "should raise a configuration error" do
+              expect { subject.register }.to raise_error(LogStash::ConfigurationError, /An `ssl_certificate` is required when `ssl_enabled` => true/)
+            end
+          end
+
+          context "with ssl_client_authentication = `none` and no ssl_certificate_authorities" do
+            let(:config) { super().merge(
+              'ssl_client_authentication' => 'none',
+              'ssl_certificate_authorities' => []
+            ) }
+
+            it "should register without errors" do
+              expect { subject.register }.to_not raise_error
+            end
+          end
+
+          context "with deprecated ssl_verify = true and no ssl_certificate_authorities" do
+            let(:config) { super().merge(
+              'ssl_verify' => true,
+              'ssl_certificate_authorities' => []
+            ) }
+
+            it "should register without errors" do
+              expect { subject.register }.to_not raise_error
+            end
+          end
+
+          %w[required optional].each do |ssl_client_authentication|
+            context "with ssl_client_authentication = `#{ssl_client_authentication}` and no ssl_certificate_authorities" do
+              let(:config) { super().merge(
+                'ssl_client_authentication' => ssl_client_authentication,
+                'ssl_certificate_authorities' => []
+              ) }
+
+              it "should raise a configuration error" do
+                expect { subject.register }.to raise_error(LogStash::ConfigurationError, /An `ssl_certificate_authorities` is required when `ssl_client_authentication` => `#{ssl_client_authentication}`/)
+              end
+            end
+          end
+
+          context "with ssl_verification_mode" do
+            let(:config) do
+              super().merge 'ssl_verification_mode' => 'full'
+            end
+
+            it "should raise a configuration error" do
+              expect{subject.register}.to raise_error(LogStash::ConfigurationError, /`ssl_verification_mode` must not be configured when mode is `server`, use `ssl_client_authentication` instead/)
+            end
+          end
+        end
+
+        context "with deprecated settings" do
+          let(:ssl_verify) { true }
+          let(:certificate_path) { File.expand_path('../fixtures/small.crt', File.dirname(__FILE__)) }
+          let(:config) do
+            {
+              "host" => "127.0.0.1",
+              "port" => port,
+              "ssl_enable" => true,
+              "ssl_cert" => certificate_path,
+              "ssl_key" => File.expand_path('../fixtures/small.key', File.dirname(__FILE__)),
+              "ssl_verify" => ssl_verify
+            }
+          end
+
+          context "and mode is server" do
+            let(:config) { super().merge("mode" => 'server') }
+            [true, false].each do |verify|
+              context "and ssl_verify is #{verify}" do
+                let(:ssl_verify) { verify }
+
+                it "should set new configs params" do
+                  subject.register
+                  expect(subject.params).to match hash_including(
+                    "ssl_enabled" => true,
+                    "ssl_certificate" => certificate_path,
+                    "ssl_client_authentication" => verify ? 'required' : 'none')
+                end
+
+                it "should set new configs variables" do
+                  subject.register
+                  expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true)
+                  expect(subject.instance_variable_get(:@ssl_client_authentication)).to eql(verify ? 'required' : 'none')
+                  expect(subject.instance_variable_get(:@ssl_certificate)).to eql(certificate_path)
+                end
+              end
+            end
+          end
+
+          context "and mode is client" do
+            let(:config) { super().merge("mode" => 'client') }
+            [true, false].each do |verify|
+              context "and ssl_verify is #{verify}" do
+                let(:ssl_verify) { verify }
+
+                it "should set new configs params" do
+                  subject.register
+                  expect(subject.params).to match hash_including(
+                    "ssl_enabled" => true,
+                    "ssl_certificate" => certificate_path,
+                    "ssl_verification_mode" => verify ? 'full' : 'none'
+                  )
+                end
+
+                it "should set new configs variables" do
+                  subject.register
+                  expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true)
+                  expect(subject.instance_variable_get(:@ssl_verification_mode)).to eql(verify ? 'full' : 'none')
+                  expect(subject.instance_variable_get(:@ssl_certificate)).to eql(certificate_path)
+                end
+              end
+            end
+          end
+        end
       end
     end
 
@@ -546,7 +706,7 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
         # TODO(sissel): Implement normal event-receipt tests as as a shared example
       end
 
-      context "when ssl_enable is true" do
+      context "when ssl_enabled is true" do
         let(:input) { subject }
         let(:queue) { Queue.new }
         before(:each) do
@@ -575,8 +735,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
             {
                 "host" => "127.0.0.1",
                 "port" => port,
-                "ssl_enable" => true,
-                "ssl_cert" => chain_of_certificates[:b_cert].path,
+                "ssl_enabled" => true,
+                "ssl_certificate" => chain_of_certificates[:b_cert].path,
                 "ssl_key" => chain_of_certificates[:b_key].path,
                 "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
                 "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ]
@@ -605,13 +765,13 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
               {
                 "host" => "127.0.0.1",
                 "port" => port,
-                "ssl_enable" => true,
-                "ssl_cert" => chain_of_certificates[:be_cert].path,
+                "ssl_enabled" => true,
+                "ssl_certificate" => chain_of_certificates[:be_cert].path,
                 "ssl_key" => chain_of_certificates[:be_key].path,
                 "ssl_key_passphrase" => "passpasspassword",
                 "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
                 "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
-                "ssl_verify" => true
+                "ssl_client_authentication" => 'required'
               }
             end
             it "should be able to connect and write data" do
@@ -632,13 +792,13 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
               {
                 "host" => "127.0.0.1",
                 "port" => port,
-                "ssl_enable" => true,
-                "ssl_cert" => chain_of_certificates[:be_cert].path,
+                "ssl_enabled" => true,
+                "ssl_certificate" => chain_of_certificates[:be_cert].path,
                 "ssl_key" => chain_of_certificates[:be_key_pkcs8].path,
                 "ssl_key_passphrase" => "passpasspassword",
                 "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
                 "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
-                "ssl_verify" => true
+                "ssl_client_authentication" => 'required'
               }
             end
             it "should be able to connect and write data" do
@@ -659,12 +819,12 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
               {
                 "host" => "127.0.0.1",
                 "port" => port,
-                "ssl_enable" => true,
-                "ssl_cert" => chain_of_certificates[:b_cert].path,
+                "ssl_enabled" => true,
+                "ssl_certificate" => chain_of_certificates[:b_cert].path,
                 "ssl_key" => chain_of_certificates[:b_key].path,
                 "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
                 "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
-                "ssl_verify" => true
+                "ssl_client_authentication" => 'required'
               }
             end
 
@@ -871,8 +1031,8 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
           "host" => "127.0.0.1",
           "port" => port,
           "mode" => 'client',
-          "ssl_enable" => true,
-          "ssl_cert" => chain_of_certificates[:b_cert].path,
+          "ssl_enabled" => true,
+          "ssl_certificate" => chain_of_certificates[:b_cert].path,
           "ssl_key" => chain_of_certificates[:b_key].path,
           "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
           "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ]
@@ -936,6 +1096,15 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
       end
     end
 
+    context "with ssl_client_authentication" do
+      let(:config) do
+        super().merge 'ssl_client_authentication' => 'required'
+      end
+
+      it "should raise a configuration error" do
+        expect{subject.register}.to raise_error(LogStash::ConfigurationError, /`ssl_client_authentication` must not be configured when mode is `client`, use `ssl_verification_mode` instead/)
+      end
+    end
   end
 
 end

data/version

@@ -1 +1 @@
-6.3.4
+6.4.0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 6.3.4
+  version: 6.4.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-06-23 00:00:00.000000000 Z
+date: 2023-07-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -44,6 +44,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-mixin-normalize_config_support
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -231,14 +245,14 @@ files:
 - spec/fixtures/small.key
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
-- vendor/jar-dependencies/commons-io/commons-io/2.8.0/commons-io-2.8.0.jar
-- vendor/jar-dependencies/io/netty/netty-buffer/4.1.93.Final/netty-buffer-4.1.93.Final.jar
-- vendor/jar-dependencies/io/netty/netty-codec/4.1.93.Final/netty-codec-4.1.93.Final.jar
-- vendor/jar-dependencies/io/netty/netty-common/4.1.93.Final/netty-common-4.1.93.Final.jar
-- vendor/jar-dependencies/io/netty/netty-handler/4.1.93.Final/netty-handler-4.1.93.Final.jar
-- vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.93.Final/netty-transport-native-unix-common-4.1.93.Final.jar
-- vendor/jar-dependencies/io/netty/netty-transport/4.1.93.Final/netty-transport-4.1.93.Final.jar
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.3.4/logstash-input-tcp-6.3.4.jar
+- vendor/jar-dependencies/commons-io/commons-io/2.13.0/commons-io-2.13.0.jar
+- vendor/jar-dependencies/io/netty/netty-buffer/4.1.94.Final/netty-buffer-4.1.94.Final.jar
+- vendor/jar-dependencies/io/netty/netty-codec/4.1.94.Final/netty-codec-4.1.94.Final.jar
+- vendor/jar-dependencies/io/netty/netty-common/4.1.94.Final/netty-common-4.1.94.Final.jar
+- vendor/jar-dependencies/io/netty/netty-handler/4.1.94.Final/netty-handler-4.1.94.Final.jar
+- vendor/jar-dependencies/io/netty/netty-transport-native-unix-common/4.1.94.Final/netty-transport-native-unix-common-4.1.94.Final.jar
+- vendor/jar-dependencies/io/netty/netty-transport/4.1.94.Final/netty-transport-4.1.94.Final.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.4.0/logstash-input-tcp-6.4.0.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses: