logstash-input-tcp 5.0.9-java → 5.0.10-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 61f75f397819fe7ec52ebe3f7001294b1f9347e116d84ab9136ceb71b9f43694
-  data.tar.gz: 8bbf42e0358a82d6fe8cc05c9c87ad7335866a17f7bec046c414b5899cedb06e
+  metadata.gz: f637d5ed9693d5beb15a48cdd0fea3add3c5df312cf5efce134570c62ede5778
+  data.tar.gz: bba5e2a6a9e4b3ce69af2ddf9e3941125388df73504c9345f24342372aa2338c
 SHA512:
-  metadata.gz: 47e0697536fa5ac5a9bb4b8c0ee218d6d99a79fd0a24141a5f0b8c91e72a88d2e1d5c31153cd3b563e1b1e7fc0759f9da9e109ff6cd2453f98f0e3fd68b05866
-  data.tar.gz: d7bd3f0f555f4182753dfa7dbb7d6663b5623c8f10fdff00464a732d9551b0ed89abe7d26f532baaf91f3e94041887e1ea291f8753517113062cfb89c72bd4b7
+  metadata.gz: bdbdff7d0d2de89aada8254d93d72f528cb0bd1b605af6bdb7533a831c89492b34af296d142726c68a5d863727cedd344bb4c9e8f5ef356dfc491e442bc83eb2
+  data.tar.gz: e74e3262ea1c3f7f10ae82653e3a581361fadf9daafb0a44926f3f47138c0ef1e3c620ce013fb03cfd010858e8e79b865b23e95156fdcc9bea3c0489e0ee859b

data/CHANGELOG.md

@@ -1,6 +1,9 @@
+## 5.0.10
+  - Correctly set up the certificate chain so that the server will present cert + chain to client
+
 ## 5.0.9
   - New configuration option to set TCP keep-alive [#16](https://github.com/logstash-plugins/logstash-input-tcp/pull/116)
-  
+
 ## 5.0.8
   - Reorder shut down of the two event loops to prevent RejectedExecutionException
 

data/docs/index.asciidoc

@@ -83,6 +83,7 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
 | <<plugins-{type}s-{plugin}-proxy_protocol>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_cert>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_enable>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_extra_chain_certs>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
@@ -139,7 +140,17 @@ http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
   * Value type is <<path,path>>
   * There is no default value for this setting.
 
-SSL certificate path
+Path to certificate in PEM format. This certificate will be presented
+to the connecting clients.
+
+[id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
+===== `ssl_extra_chain_certs`
+
+  * Value type is <<array,array>>
+  * Default value is `[]`
+
+Validate client certificate or certificate chain against these authorities.
+You can define multiple files or paths. All the certificates will be read and added to the trust store.
 
 [id="plugins-{type}s-{plugin}-ssl_enable"]
 ===== `ssl_enable` 
@@ -155,8 +166,9 @@ Enable SSL (must be set for other `ssl_` options to take effect).
   * Value type is <<array,array>>
   * Default value is `[]`
 
-An Array of extra X509 certificates to be added to the certificate chain.
-Useful when the CA chain is not necessary in the system store.
+An Array of paths to extra X509 certificates.
+These are used together with the certificate to construct the certificate chain
+presented to the client.
 
 [id="plugins-{type}s-{plugin}-ssl_key"]
 ===== `ssl_key` 
@@ -164,7 +176,7 @@ Useful when the CA chain is not necessary in the system store.
   * Value type is <<path,path>>
   * There is no default value for this setting.
 
-SSL key path
+The path to the private key corresponding to the specified certificate (PEM format).
 
 [id="plugins-{type}s-{plugin}-ssl_key_passphrase"]
 ===== `ssl_key_passphrase` 
@@ -172,7 +184,7 @@ SSL key path
   * Value type is <<password,password>>
   * Default value is `nil`
 
-SSL key passphrase
+SSL key passphrase for the private key.
 
 [id="plugins-{type}s-{plugin}-ssl_verify"]
 ===== `ssl_verify` 

data/lib/logstash/inputs/tcp.rb

@@ -105,6 +105,9 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   # Useful when the CA chain is not necessary in the system store.
   config :ssl_extra_chain_certs, :validate => :array, :default => []
 
+  # Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store.
+  config :ssl_certificate_authorities, :validate => :array, :default => []
+
   # Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
   config :tcp_keep_alive, :validate => :boolean, :default => false
 
@@ -310,6 +313,10 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
       @ssl_context = OpenSSL::SSL::SSLContext.new
       @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
       @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase.value)
+      if @ssl_extra_chain_certs.any?
+        @ssl_context.extra_chain_cert = @ssl_extra_chain_certs.map {|cert_path| OpenSSL::X509::Certificate.new(File.read(cert_path)) }
+        @ssl_context.extra_chain_cert.unshift(OpenSSL::X509::Certificate.new(File.read(@ssl_cert)))
+      end
       if @ssl_verify
         @ssl_context.cert_store  = load_cert_store
         @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
@@ -325,7 +332,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   def load_cert_store
     cert_store = OpenSSL::X509::Store.new
     cert_store.set_default_paths
-    @ssl_extra_chain_certs.each do |cert|
+    @ssl_certificate_authorities.each do |cert|
       cert_store.add_file(cert)
     end
     cert_store

data/spec/inputs/tcp_spec.rb

@@ -335,11 +335,9 @@ describe LogStash::Inputs::Tcp do
       end
 
       context "when ssl_enable is true" do
-        let(:pki) { Flores::PKI.generate }
-        let(:certificate) { pki[0] }
-        let(:key) { pki[1] }
-        let(:certificate_file) { Stud::Temporary.file }
-        let(:key_file) { Stud::Temporary.file }
+        let(:self_signed_cert) { helper.certificate }
+        let(:certificate) { self_signed_cert.first }
+        let(:key) { self_signed_cert.last }
         let(:queue) { Queue.new }
 
         let(:config) do
@@ -347,30 +345,59 @@ describe LogStash::Inputs::Tcp do
             "host" => "127.0.0.1",
             "port" => port,
             "ssl_enable" => true,
-            "ssl_cert" => certificate_file.path,
-            "ssl_key" => key_file.path,
-
-            # Trust our self-signed cert.
-            # TODO(sissel): Make this a separate certificate for the client
-            "ssl_extra_chain_certs" => certificate_file.path
+            "ssl_cert" => certificate.path,
+            "ssl_key" => key.path,
+            "ssl_certificate_authorities" => certificate.path
           }
         end
 
         subject(:input) { LogStash::Plugin.lookup("input", "tcp").new(config) }
 
         before do
-          certificate_file.write(certificate)
-          key_file.write(key)
-
-          # Close to flush the file writes.
-          certificate_file.close
-          key_file.close
           subject.register
         end
 
-        after do
-          File.unlink(certificate_file.path)
-          File.unlink(key_file.path)
+        context "when using a certificate chain" do
+          let(:chain_of_certificates) { helper.chain_of_certificates }
+          let(:config) do
+            {
+              "host" => "127.0.0.1",
+              "port" => port,
+              "ssl_enable" => true,
+              "ssl_cert" => chain_of_certificates[:b_cert].path,
+              "ssl_key" => chain_of_certificates[:b_key].path,
+              "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+              "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
+              "ssl_verify" => true
+            }
+          end
+          let(:tcp) { TCPSocket.new("127.0.0.1", port) }
+          let(:sslcontext) do
+            sslcontext = OpenSSL::SSL::SSLContext.new
+            sslcontext.verify_mode = OpenSSL::SSL::VERIFY_PEER
+            sslcontext.ca_file = chain_of_certificates[:root_ca].path
+            sslcontext.cert = OpenSSL::X509::Certificate.new(File.read(chain_of_certificates[:aa_cert].path))
+            sslcontext.key = OpenSSL::PKey::RSA.new(File.read(chain_of_certificates[:aa_key].path))
+            sslcontext
+          end
+          let(:sslsocket) { OpenSSL::SSL::SSLSocket.new(tcp, sslcontext) }
+          let(:input_task) { Stud::Task.new { input.run(queue) } }
+
+          before do
+            input_task
+          end
+
+          it "should be able to connect and write data" do
+            sslsocket.connect
+            sslsocket.write("Hello world\n")
+            tcp.flush
+            sslsocket.close
+            tcp.close
+            result = input_task.thread.join(0.5)
+            expect(result).to be_nil
+            expect(queue.size).to eq(1)
+          end
+
         end
 
         context "with a poorly-behaving client" do
@@ -456,8 +483,8 @@ describe LogStash::Inputs::Tcp do
             let(:garbage) { Flores::Random.iterations(max_length).collect { Flores::Random.integer(1...255) }.pack("C*") }
 
             before do
-              sslcontext.cert = certificate
-              sslcontext.key = key
+              sslcontext.cert = OpenSSL::X509::Certificate.new(File.read(certificate))
+              sslcontext.key = OpenSSL::PKey::RSA.new(File.read(key))
               sslcontext.verify_mode = OpenSSL::SSL::VERIFY_NONE
 
               sslsocket.connect

data/version

@@ -1 +1 @@
-5.0.9
+5.0.10

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 5.0.9
+  version: 5.0.10
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-06-11 00:00:00.000000000 Z
+date: 2018-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -163,7 +163,7 @@ files:
 - logstash-input-tcp.gemspec
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.0.9/logstash-input-tcp-5.0.9.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.0.10/logstash-input-tcp-5.0.10.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses: