logstash-input-tcp 6.2.7-java → 6.3.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f83551a42283324a0f4f733c2f245b5fe3f2d71e482f15607257b2943f92e925
-  data.tar.gz: 30d47775fcdec83e4be7834c79b3cbf7c233a35284f60b7eb9f0431235c6442c
+  metadata.gz: f018798315cfe0b020a135261fd6145a2854fe8d432bec36b69168e72b21a226
+  data.tar.gz: 1c38f5e86c898ffe936a7970cbb50fe3b8ce2fe0e7ec0d8f9d99dabd13fd0046
 SHA512:
-  metadata.gz: d53bfe010749d42e0a7d7d288464b091678bb5f55da75008b0b2001f642ec36dde4d0c17050d981ec612c9a8b6fd263635473438b543e7ea7ecb7d5a00d8f530
-  data.tar.gz: 76180a9c1d8ad885e9ab5adb1ce4befade31cb9124ae2727035c26797b1498ff22d8bdbe91ee6e14b1b8c3840667a277e14460a9cc8adfacd85cee25324b690a
+  metadata.gz: df77c83316a7c9793b34ca0efeb16efa83ca53b3c59b1edbf53223a801e0dea865efbad074598d47013547f0beced6565cef49a109e13beb98c19859cbafa6c3
+  data.tar.gz: cf3e87359d1666fb6bbc6b42a595bf303714f19bd2cba77a4dc608c0d240b8d57bf9fdd59e38bb5ec4e1ccbc5996c42d0e92b2f99e5c06cd071eea8a10f0ae98

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+## 6.3.0
+  - Feat: ssl_supported_protocols (TLSv1.3) + ssl_cipher_suites [#198](https://github.com/logstash-plugins/logstash-input-tcp/pull/198)
+
 ## 6.2.7
   - Build: skip shadowing jar dependencies [#187](https://github.com/logstash-plugins/logstash-input-tcp/pull/187)
     * plugin no longer shadows dependencies into its *logstash-input-tcp.jar*

data/docs/index.asciidoc

@@ -132,10 +132,12 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-proxy_protocol>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_cert>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_enable>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_extra_chain_certs>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-tcp_keep_alive>> |<<boolean,boolean>>|No
 |=======================================================================
@@ -158,13 +160,13 @@ at the TCP layer and IPs will not be resolved to hostnames.
 [id="plugins-{type}s-{plugin}-ecs_compatibility"]
 ===== `ecs_compatibility`
 
-* Value type is <<string,string>>
-* Supported values are:
-** `disabled`: unstructured connection metadata added at root level
-** `v1`,`v8`: structured connection metadata added under `[@metadata][input][tcp]`
-* Default value depends on which version of Logstash is running:
-** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
-** Otherwise, the default value is `disabled`.
+  * Value type is <<string,string>>
+  * Supported values are:
+    ** `disabled`: unstructured connection metadata added at root level
+    ** `v1`,`v8`: structured connection metadata added under `[@metadata][input][tcp]`
+  * Default value depends on which version of Logstash is running:
+    ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
+    ** Otherwise, the default value is `disabled`.
 
 Controls this plugin's compatibility with the https://www.elastic.co/guide/en/ecs/current/index.html[Elastic Common Schema (ECS)].
 The value of this setting affects the <<plugins-{type}s-{plugin}-ecs_metadata,placement of a TCP connection's metadata>> on events.
@@ -224,6 +226,18 @@ to the connecting clients.
 Validate client certificate or certificate chain against these authorities.
 You can define multiple files or paths. All the certificates will be read and added to the trust store.
 
+[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+===== `ssl_cipher_suites`
+
+  * Value type is <<string,string>>
+  * Default value includes _all_ cipher suites enabled by the JDK and depends on JDK configuration
+
+Supported cipher suites vary depending on Java version used, and entries look like `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`.
+For more information, see Oracle’s https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[JDK SunJSSE provider documentation] and
+the table of supported https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names[Java cipher suite names].
+
+NOTE: To check the supported cipher suites locally run the following script: `$LS_HOME/bin/ruby -e 'p javax.net.ssl.SSLServerSocketFactory.getDefault.getSupportedCipherSuites'`.
+
 [id="plugins-{type}s-{plugin}-ssl_enable"]
 ===== `ssl_enable` 
 
@@ -258,6 +272,20 @@ The path to the private key corresponding to the specified certificate (PEM form
 
 SSL key passphrase for the private key.
 
+[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+===== `ssl_supported_protocols`
+
+  * Value type is <<string,string>>
+  * Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+  * Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+    `'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+
+List of allowed SSL/TLS versions to use when establishing a secure connection.
+
+NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
+
 [id="plugins-{type}s-{plugin}-ssl_verify"]
 ===== `ssl_verify` 
 

data/lib/logstash/inputs/tcp.rb

@@ -112,6 +112,13 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
   # All the certificates will be read and added to the trust store.
   config :ssl_certificate_authorities, :validate => :array, :default => []
 
+  # NOTE: the default setting [] uses Java SSL engine defaults.
+  config :ssl_supported_protocols, :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => [], :list => true
+
+  # The list of ciphers suite to use, listed by priorities.
+  # NOTE: the default setting [] uses Java SSL defaults.
+  config :ssl_cipher_suites, :validate => SslContextBuilder.getSupportedCipherSuites.to_a, :default => [], :list => true
+
   # Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
   config :tcp_keep_alive, :validate => :boolean, :default => false
 
@@ -286,7 +293,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     return @ssl_context if @ssl_context
 
     begin
-      @ssl_context = OpenSSL::SSL::SSLContext.new
+      @ssl_context = new_ssl_context
       @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
       @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase.value)
       if @ssl_extra_chain_certs.any?
@@ -297,6 +304,21 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
         @ssl_context.cert_store  = load_cert_store
         @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
       end
+
+      @ssl_context.min_version = :TLS1_1 # not strictly required - JVM should have disabled TLSv1
+      if ssl_supported_protocols.any?
+        disabled_protocols = ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'] - ssl_supported_protocols
+        unless OpenSSL::SSL.const_defined? :OP_NO_TLSv1_3 # work-around JRuby-OpenSSL bug - missing constant
+          @ssl_context.max_version = :TLS1_2 if disabled_protocols.delete('TLSv1.3')
+        end
+        # mapping 'TLSv1.2' -> OpenSSL::SSL::OP_NO_TLSv1_2
+        disabled_protocols.map! { |v| OpenSSL::SSL.const_get "OP_NO_#{v.sub('.', '_')}" }
+        @ssl_context.options = disabled_protocols.reduce(@ssl_context.options, :|)
+      end
+
+      if ssl_cipher_suites.any?
+        @ssl_context.ciphers = ssl_cipher_suites # Java cipher names work with JOSSL >= 0.12.2
+      end
     rescue => e
       @logger.error("Could not inititalize SSL context", :message => e.message, :exception => e.class, :backtrace => e.backtrace)
       raise e
@@ -305,6 +327,11 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
     @ssl_context
   end
 
+  # @note to be able to hook up into #ssl_context from tests
+  def new_ssl_context
+    OpenSSL::SSL::SSLContext.new
+  end
+
   def load_cert_store
     cert_store = OpenSSL::X509::Store.new
     cert_store.set_default_paths
@@ -379,6 +406,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
       .set_ssl_key_password(@ssl_key_passphrase.value)
       .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
       .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
+      .set_ssl_supported_protocols(ssl_supported_protocols.to_java(:string))
+      .set_ssl_cipher_suites(ssl_cipher_suites.to_java(:string))
       .build_context
   rescue java.lang.IllegalArgumentException => e
     @logger.error("SSL configuration invalid", error_details(e))

data/lib/logstash-input-tcp_jars.rb

@@ -4,4 +4,4 @@ require 'jar_dependencies'
 require_jar('io.netty', 'netty-all', '4.1.65.Final')
 require_jar('commons-io', 'commons-io', '2.8.0')
 
-require_jar('org.logstash.inputs', 'logstash-input-tcp', '6.2.7')
+require_jar('org.logstash.inputs', 'logstash-input-tcp', '6.3.0')

data/logstash-input-tcp.gemspec

@@ -23,10 +23,10 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.2'
 
-  s.add_runtime_dependency 'logstash-core', '>= 6.7.0'
+  s.add_runtime_dependency 'logstash-core', '>= 8.1.0'
 
   # we depend on bouncycastle's bcpkix-jdk15on being on the class-path
-  s.add_runtime_dependency 'jruby-openssl', '>= 0.10.2'
+  s.add_runtime_dependency 'jruby-openssl', '>= 0.12.2' # 0.12 supports TLSv1.3 
 
   # line vs streaming codecs required for fix_streaming_codecs
   # TODO: fix_streaming_codecs should be refactored to not

data/spec/inputs/tcp_spec.rb

@@ -568,18 +568,21 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
           let(:sslsocket) { OpenSSL::SSL::SSLSocket.new(tcp, sslcontext) }
           let(:message) { "message to #{port}" }
 
-          context "with a non encrypted private key" do
-            let(:config) do
-              {
+          let(:base_config) do
+            {
                 "host" => "127.0.0.1",
                 "port" => port,
                 "ssl_enable" => true,
                 "ssl_cert" => chain_of_certificates[:b_cert].path,
                 "ssl_key" => chain_of_certificates[:b_key].path,
                 "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
-                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
-                "ssl_verify" => true
-              }
+                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ]
+            }
+          end
+
+          context "with a non encrypted private key" do
+            let(:config) do
+              base_config.merge "ssl_verify" => true
             end
             it "should be able to connect and write data" do
               result = TcpHelpers.pipelineless_input(subject, 1) do
@@ -620,6 +623,7 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
               expect(result.first.get("message")).to eq(message)
             end
           end
+
           context "when using an encrypted private pkcs8 key" do
             let(:config) do
               {
@@ -646,6 +650,109 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
               expect(result.first.get("message")).to eq(message)
             end
           end
+
+          context "with enforced protocol version" do
+            let(:config) do
+              base_config.merge 'ssl_supported_protocols' => [ tls_version ]
+            end
+
+            let(:tls_version) { 'TLSv1.3' }
+
+            it "should be able to connect and write data" do
+              used_tls_protocol = nil
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                used_tls_protocol = sslsocket.session.to_java(javax.net.ssl.SSLSession).getProtocol
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(used_tls_protocol).to eql tls_version
+            end
+          end
+
+          context "with enforced protocol range" do
+            let(:config) do
+              base_config.merge 'ssl_supported_protocols' => [ 'TLSv1.3', 'TLSv1.2' ]
+            end
+            let(:sslcontext) do
+              super().tap { |ctx| ctx.ssl_version = 'TLSv1.2' }
+            end
+
+            it "should be able to connect and write data" do
+              used_tls_protocol = nil
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                used_tls_protocol = sslsocket.session.to_java(javax.net.ssl.SSLSession).getProtocol
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(used_tls_protocol).to eql 'TLSv1.2'
+            end
+          end if TcpHelpers.tls13_available_by_default? # till CI testing against 6.x
+
+          context "with unsupported client protocol" do
+            let(:config) do
+              base_config.merge 'ssl_supported_protocols' => [ 'TLSv1.2' ]
+            end
+            let(:sslcontext) do
+              super().tap { |ctx| ctx.ssl_version = 'TLSv1.1' }
+            end
+
+            it "should not be able to connect" do
+              TcpHelpers.pipelineless_input(subject, 0) do
+                expect { sslsocket.connect }.to raise_error(OpenSSL::SSL::SSLError, /No appropriate protocol|protocol_version/i)
+                sslsocket.close
+                tcp.close
+              end
+            end
+          end
+
+          context "with specified cipher suites" do
+            let(:config) do
+              base_config.merge 'ssl_cipher_suites' => [ cipher_suite ]
+            end
+
+            let(:cipher_suite) { 'TLS_RSA_WITH_AES_128_GCM_SHA256' }
+
+            it "should be able to connect and write data" do
+              used_cipher_suite = nil
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                used_cipher_suite = sslsocket.session.to_java(javax.net.ssl.SSLSession).getCipherSuite
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(used_cipher_suite).to eql cipher_suite
+            end
+          end
+
+          context "with unsupported client cipher" do
+            let(:config) do
+              base_config.merge 'ssl_cipher_suites' => [ 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' ]
+            end
+
+            let(:sslcontext) do
+              super().tap { |ctx| ctx.ciphers = [ 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' ] }
+            end
+
+            it "should not be able to connect" do
+              TcpHelpers.pipelineless_input(subject, 0) do
+                expect { sslsocket.connect }.to raise_error(OpenSSL::SSL::SSLError, /handshake_failure|no cipher match/i)
+                sslsocket.close
+                tcp.close
+              end
+            end
+          end
+
         end
 
         context "with a poorly-behaving client" do
@@ -717,4 +824,83 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
       let(:config) { { "port" => port } }
     end
   end
+
+  context 'ssl context (client mode)' do
+
+    let(:chain_of_certificates) do
+      TcpHelpers.new.chain_of_certificates
+    end
+
+    let(:config) do
+      {
+          "host" => "127.0.0.1",
+          "port" => port,
+          "mode" => 'client',
+          "ssl_enable" => true,
+          "ssl_cert" => chain_of_certificates[:b_cert].path,
+          "ssl_key" => chain_of_certificates[:b_key].path,
+          "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+          "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ]
+      }
+    end
+
+    subject(:plugin) { LogStash::Inputs::Tcp.new(config) }
+
+    let(:ssl_context) { plugin.send :ssl_context }
+
+    context "with cipher suites" do
+      let(:config) do
+        super().merge 'ssl_cipher_suites' => [ cipher_suite ]
+      end
+
+      let(:cipher_suite) { 'TLS_RSA_WITH_AES_128_GCM_SHA256' }
+
+      it "sets ciphers" do
+        cipher_ary = ssl_context.ciphers.first
+        expect( cipher_ary[0] ).to eql 'AES128-GCM-SHA256'
+      end
+
+    end
+
+    context "with forced protocol" do
+      let(:config) do
+        super().merge 'ssl_supported_protocols' => [ 'TLSv1.1' ]
+      end
+
+      it "limits protocol selection" do
+        if OpenSSL::SSL.const_defined? :OP_NO_TLSv1_3
+          ssl_context = subject.send :ssl_context
+          expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_3).to_not eql 0
+          expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_2).to_not eql 0
+          expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_1).to eql 0
+        else
+          ssl_context = OpenSSL::SSL::SSLContext.new
+          allow(subject).to receive(:new_ssl_context).and_return(ssl_context)
+          expect(ssl_context).to receive(:max_version=).with(:'TLS1_2').and_call_original
+          ssl_context = subject.send :ssl_context
+          expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_2).to_not eql 0
+          expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_1).to eql 0
+        end
+      end
+
+    end
+
+    context "with protocol range" do
+      let(:config) do
+        super().merge 'ssl_supported_protocols' => [ 'TLSv1.3', 'TLSv1.1', 'TLSv1.2' ]
+      end
+
+      it "does not limit protocol selection (except min_version)" do
+        ssl_context = OpenSSL::SSL::SSLContext.new
+        allow(subject).to receive(:new_ssl_context).and_return(ssl_context)
+        expect(ssl_context).to receive(:min_version=).with(:'TLS1_1').and_call_original
+        ssl_context = subject.send :ssl_context
+        expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_3).to eql 0 if OpenSSL::SSL.const_defined? :OP_NO_TLSv1_3
+        expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_2).to eql 0
+        expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_1).to eql 0
+      end
+    end
+
+  end
+
 end

data/spec/spec_helper.rb

@@ -7,6 +7,17 @@ require "stud/temporary"
 
 class TcpHelpers
 
+  def self.tls13_available_by_default?
+    begin
+      context = javax.net.ssl.SSLContext.getInstance('TLS')
+      context.init nil, nil, nil
+      context.getDefaultSSLParameters.getProtocols.include? 'TLSv1.3'
+    rescue => e
+      warn "failed to detect TLSv1.3 support: #{e.inspect}"
+      nil
+    end
+  end
+
   java_import 'org.bouncycastle.openssl.PEMParser'
   java_import 'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder'
   java_import 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter'

data/version

@@ -1 +1 @@
-6.2.7
+6.3.0

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 6.2.7
+  version: 6.3.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-02-01 00:00:00.000000000 Z
+date: 2022-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -49,7 +49,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.7.0
+        version: 8.1.0
   name: logstash-core
   prerelease: false
   type: :runtime
@@ -57,13 +57,13 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.7.0
+        version: 8.1.0
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.10.2
+        version: 0.12.2
   name: jruby-openssl
   prerelease: false
   type: :runtime
@@ -71,7 +71,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.10.2
+        version: 0.12.2
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -233,7 +233,7 @@ files:
 - spec/spec_helper.rb
 - vendor/jar-dependencies/commons-io/commons-io/2.8.0/commons-io-2.8.0.jar
 - vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final/netty-all-4.1.65.Final.jar
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.2.7/logstash-input-tcp-6.2.7.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.3.0/logstash-input-tcp-6.3.0.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses: