logstash-input-tcp 6.2.7-java → 6.3.0-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/docs/index.asciidoc +35 -7
- data/lib/logstash/inputs/tcp.rb +30 -1
- data/lib/logstash-input-tcp_jars.rb +1 -1
- data/logstash-input-tcp.gemspec +2 -2
- data/spec/inputs/tcp_spec.rb +192 -6
- data/spec/spec_helper.rb +11 -0
- data/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.3.0/logstash-input-tcp-6.3.0.jar +0 -0
- data/version +1 -1
- metadata +7 -7
- data/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.2.7/logstash-input-tcp-6.2.7.jar +0 -0
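--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f018798315cfe0b020a135261fd6145a2854fe8d432bec36b69168e72b21a226
+data.tar.gz: 1c38f5e86c898ffe936a7970cbb50fe3b8ce2fe0e7ec0d8f9d99dabd13fd0046
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: df77c83316a7c9793b34ca0efeb16efa83ca53b3c59b1edbf53223a801e0dea865efbad074598d47013547f0beced6565cef49a109e13beb98c19859cbafa6c3
+data.tar.gz: cf3e87359d1666fb6bbc6b42a595bf303714f19bd2cba77a4dc608c0d240b8d57bf9fdd59e38bb5ec4e1ccbc5996c42d0e92b2f99e5c06cd071eea8a10f0ae98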
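--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 6.3.0
+- Feat: ssl_supported_protocols (TLSv1.3) + ssl_cipher_suites [#198](https://github.com/logstash-plugins/logstash-input-tcp/pull/198)
+
 ## 6.2.7
 - Build: skip shadowing jar dependencies [#187](https://github.com/logstash-plugins/logstash-input-tcp/pull/187)
 * plugin no longer shadows dependencies into its *logstash-input-tcp.jar*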
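--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -132,10 +132,12 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-proxy_protocol>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_cert>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_enable>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_extra_chain_certs>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-tcp_keep_alive>> |<<boolean,boolean>>|No
 |=======================================================================
@@ -158,13 +160,13 @@ at the TCP layer and IPs will not be resolved to hostnames.
 [id="plugins-{type}s-{plugin}-ecs_compatibility"]
 ===== `ecs_compatibility`
 
-* Value type is <<string,string>>
-* Supported values are:
-** `disabled`: unstructured connection metadata added at root level
-** `v1`,`v8`: structured connection metadata added under `[@metadata][input][tcp]`
-* Default value depends on which version of Logstash is running:
-** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
-** Otherwise, the default value is `disabled`.
+* Value type is <<string,string>>
+* Supported values are:
+** `disabled`: unstructured connection metadata added at root level
+** `v1`,`v8`: structured connection metadata added under `[@metadata][input][tcp]`
+* Default value depends on which version of Logstash is running:
+** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
+** Otherwise, the default value is `disabled`.
 
 Controls this plugin's compatibility with the https://www.elastic.co/guide/en/ecs/current/index.html[Elastic Common Schema (ECS)].
 The value of this setting affects the <<plugins-{type}s-{plugin}-ecs_metadata,placement of a TCP connection's metadata>> on events.
@@ -224,6 +226,18 @@ to the connecting clients.
 Validate client certificate or certificate chain against these authorities.
 You can define multiple files or paths. All the certificates will be read and added to the trust store.
 
+[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+===== `ssl_cipher_suites`
+
+* Value type is <<string,string>>
+* Default value includes _all_ cipher suites enabled by the JDK and depends on JDK configuration
+
+Supported cipher suites vary depending on Java version used, and entries look like `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`.
+For more information, see Oracle’s https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[JDK SunJSSE provider documentation] and
+the table of supported https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names[Java cipher suite names].
+
+NOTE: To check the supported cipher suites locally run the following script: `$LS_HOME/bin/ruby -e 'p javax.net.ssl.SSLServerSocketFactory.getDefault.getSupportedCipherSuites'`.
+
 [id="plugins-{type}s-{plugin}-ssl_enable"]
 ===== `ssl_enable`
 
@@ -258,6 +272,20 @@ The path to the private key corresponding to the specified certificate (PEM form
 
 SSL key passphrase for the private key.
 
+[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+===== `ssl_supported_protocols`
+
+* Value type is <<string,string>>
+* Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+* Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+`'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+
+List of allowed SSL/TLS versions to use when establishing a secure connection.
+
+NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
+
 [id="plugins-{type}s-{plugin}-ssl_verify"]
 ===== `ssl_verify`
 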
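--- a/data/lib/logstash/inputs/tcp.rb
+++ b/data/lib/logstash/inputs/tcp.rb
@@ -112,6 +112,13 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 # All the certificates will be read and added to the trust store.
 config :ssl_certificate_authorities, :validate => :array, :default => []
 
+# NOTE: the default setting [] uses Java SSL engine defaults.
+config :ssl_supported_protocols, :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => [], :list => true
+
+# The list of ciphers suite to use, listed by priorities.
+# NOTE: the default setting [] uses Java SSL defaults.
+config :ssl_cipher_suites, :validate => SslContextBuilder.getSupportedCipherSuites.to_a, :default => [], :list => true
+
 # Instruct the socket to use TCP keep alives. Uses OS defaults for keep alive settings.
 config :tcp_keep_alive, :validate => :boolean, :default => false
 
@@ -286,7 +293,7 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 return @ssl_context if @ssl_context
 
 begin
-@ssl_context =
+@ssl_context = new_ssl_context
 @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
 @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase.value)
 if @ssl_extra_chain_certs.any?
@@ -297,6 +304,21 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 @ssl_context.cert_store = load_cert_store
 @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
 end
+
+@ssl_context.min_version = :TLS1_1 # not strictly required - JVM should have disabled TLSv1
+if ssl_supported_protocols.any?
+disabled_protocols = ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'] - ssl_supported_protocols
+unless OpenSSL::SSL.const_defined? :OP_NO_TLSv1_3 # work-around JRuby-OpenSSL bug - missing constant
+@ssl_context.max_version = :TLS1_2 if disabled_protocols.delete('TLSv1.3')
+end
+# mapping 'TLSv1.2' -> OpenSSL::SSL::OP_NO_TLSv1_2
+disabled_protocols.map! { |v| OpenSSL::SSL.const_get "OP_NO_#{v.sub('.', '_')}" }
+@ssl_context.options = disabled_protocols.reduce(@ssl_context.options, :|)
+end
+
+if ssl_cipher_suites.any?
+@ssl_context.ciphers = ssl_cipher_suites # Java cipher names work with JOSSL >= 0.12.2
+end
 rescue => e
 @logger.error("Could not inititalize SSL context", :message => e.message, :exception => e.class, :backtrace => e.backtrace)
 raise e
@@ -305,6 +327,11 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 @ssl_context
 end
 
+# @note to be able to hook up into #ssl_context from tests
+def new_ssl_context
+OpenSSL::SSL::SSLContext.new
+end
+
 def load_cert_store
 cert_store = OpenSSL::X509::Store.new
 cert_store.set_default_paths
@@ -379,6 +406,8 @@ class LogStash::Inputs::Tcp < LogStash::Inputs::Base
 .set_ssl_key_password(@ssl_key_passphrase.value)
 .set_ssl_extra_chain_certs(@ssl_extra_chain_certs.to_java(:string))
 .set_ssl_certificate_authorities(@ssl_certificate_authorities.to_java(:string))
+.set_ssl_supported_protocols(ssl_supported_protocols.to_java(:string))
+.set_ssl_cipher_suites(ssl_cipher_suites.to_java(:string))
 .build_context
 rescue java.lang.IllegalArgumentException => e
 @logger.error("SSL configuration invalid", error_details(e))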
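Review bot: The unconditional `@ssl_context.min_version = :TLS1_1` in the third hunk leaves TLSv1.1 negotiable for this OpenSSL context even when `ssl_supported_protocols` keeps its default `[]`, because the `OP_NO_*` options are only applied inside `if ssl_supported_protocols.any?`; whether TLSv1.1 is then really offered depends on the JVM's `jdk.tls.disabledAlgorithms`, which the inline comment only assumes. The documentation shipped in this same release calls TLSv1.1 insecure and legacy-only, so the floor should follow an explicit opt-in: `@ssl_context.min_version = ssl_supported_protocols.include?('TLSv1.1') ? :TLS1_1 : :TLS1_2`. That changes behaviour for peers that only speak TLSv1.1, so it needs a changelog line. Judging by the spec, this context is the one used in client mode; the method that builds it starts and ends outside the hunk.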
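--- a/data/logstash-input-tcp.gemspec
+++ b/data/logstash-input-tcp.gemspec
@@ -23,10 +23,10 @@ Gem::Specification.new do |s|
 s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
 s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.2'
 
-s.add_runtime_dependency 'logstash-core', '>=
+s.add_runtime_dependency 'logstash-core', '>= 8.1.0'
 
 # we depend on bouncycastle's bcpkix-jdk15on being on the class-path
-s.add_runtime_dependency 'jruby-openssl', '>= 0.
+s.add_runtime_dependency 'jruby-openssl', '>= 0.12.2' # 0.12 supports TLSv1.3
 
 # line vs streaming codecs required for fix_streaming_codecs
 # TODO: fix_streaming_codecs should be refactored to not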
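--- a/data/spec/inputs/tcp_spec.rb
+++ b/data/spec/inputs/tcp_spec.rb
@@ -568,18 +568,21 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
 let(:sslsocket) { OpenSSL::SSL::SSLSocket.new(tcp, sslcontext) }
 let(:message) { "message to #{port}" }
 
-
-
-{
+let(:base_config) do
+{
 "host" => "127.0.0.1",
 "port" => port,
 "ssl_enable" => true,
 "ssl_cert" => chain_of_certificates[:b_cert].path,
 "ssl_key" => chain_of_certificates[:b_key].path,
 "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
-"ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ]
-
-
+"ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ]
+}
+end
+
+context "with a non encrypted private key" do
+let(:config) do
+base_config.merge "ssl_verify" => true
 end
 it "should be able to connect and write data" do
 result = TcpHelpers.pipelineless_input(subject, 1) do
@@ -620,6 +623,7 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
 expect(result.first.get("message")).to eq(message)
 end
 end
+
 context "when using an encrypted private pkcs8 key" do
 let(:config) do
 {
@@ -646,6 +650,109 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
 expect(result.first.get("message")).to eq(message)
 end
 end
+
+context "with enforced protocol version" do
+let(:config) do
+base_config.merge 'ssl_supported_protocols' => [ tls_version ]
+end
+
+let(:tls_version) { 'TLSv1.3' }
+
+it "should be able to connect and write data" do
+used_tls_protocol = nil
+result = TcpHelpers.pipelineless_input(subject, 1) do
+sslsocket.connect
+sslsocket.write("#{message}\n")
+used_tls_protocol = sslsocket.session.to_java(javax.net.ssl.SSLSession).getProtocol
+tcp.flush
+sslsocket.close
+tcp.close
+end
+expect(result.size).to eq(1)
+expect(used_tls_protocol).to eql tls_version
+end
+end
+
+context "with enforced protocol range" do
+let(:config) do
+base_config.merge 'ssl_supported_protocols' => [ 'TLSv1.3', 'TLSv1.2' ]
+end
+let(:sslcontext) do
+super().tap { |ctx| ctx.ssl_version = 'TLSv1.2' }
+end
+
+it "should be able to connect and write data" do
+used_tls_protocol = nil
+result = TcpHelpers.pipelineless_input(subject, 1) do
+sslsocket.connect
+sslsocket.write("#{message}\n")
+used_tls_protocol = sslsocket.session.to_java(javax.net.ssl.SSLSession).getProtocol
+tcp.flush
+sslsocket.close
+tcp.close
+end
+expect(result.size).to eq(1)
+expect(used_tls_protocol).to eql 'TLSv1.2'
+end
+end if TcpHelpers.tls13_available_by_default? # till CI testing against 6.x
+
+context "with unsupported client protocol" do
+let(:config) do
+base_config.merge 'ssl_supported_protocols' => [ 'TLSv1.2' ]
+end
+let(:sslcontext) do
+super().tap { |ctx| ctx.ssl_version = 'TLSv1.1' }
+end
+
+it "should not be able to connect" do
+TcpHelpers.pipelineless_input(subject, 0) do
+expect { sslsocket.connect }.to raise_error(OpenSSL::SSL::SSLError, /No appropriate protocol|protocol_version/i)
+sslsocket.close
+tcp.close
+end
+end
+end
+
+context "with specified cipher suites" do
+let(:config) do
+base_config.merge 'ssl_cipher_suites' => [ cipher_suite ]
+end
+
+let(:cipher_suite) { 'TLS_RSA_WITH_AES_128_GCM_SHA256' }
+
+it "should be able to connect and write data" do
+used_cipher_suite = nil
+result = TcpHelpers.pipelineless_input(subject, 1) do
+sslsocket.connect
+sslsocket.write("#{message}\n")
+used_cipher_suite = sslsocket.session.to_java(javax.net.ssl.SSLSession).getCipherSuite
+tcp.flush
+sslsocket.close
+tcp.close
+end
+expect(result.size).to eq(1)
+expect(used_cipher_suite).to eql cipher_suite
+end
+end
+
+context "with unsupported client cipher" do
+let(:config) do
+base_config.merge 'ssl_cipher_suites' => [ 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' ]
+end
+
+let(:sslcontext) do
+super().tap { |ctx| ctx.ciphers = [ 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' ] }
+end
+
+it "should not be able to connect" do
+TcpHelpers.pipelineless_input(subject, 0) do
+expect { sslsocket.connect }.to raise_error(OpenSSL::SSL::SSLError, /handshake_failure|no cipher match/i)
+sslsocket.close
+tcp.close
+end
+end
+end
+
 end
 
 context "with a poorly-behaving client" do
@@ -717,4 +824,83 @@ describe LogStash::Inputs::Tcp, :ecs_compatibility_support do
 let(:config) { { "port" => port } }
 end
 end
+
+context 'ssl context (client mode)' do
+
+let(:chain_of_certificates) do
+TcpHelpers.new.chain_of_certificates
+end
+
+let(:config) do
+{
+"host" => "127.0.0.1",
+"port" => port,
+"mode" => 'client',
+"ssl_enable" => true,
+"ssl_cert" => chain_of_certificates[:b_cert].path,
+"ssl_key" => chain_of_certificates[:b_key].path,
+"ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+"ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ]
+}
+end
+
+subject(:plugin) { LogStash::Inputs::Tcp.new(config) }
+
+let(:ssl_context) { plugin.send :ssl_context }
+
+context "with cipher suites" do
+let(:config) do
+super().merge 'ssl_cipher_suites' => [ cipher_suite ]
+end
+
+let(:cipher_suite) { 'TLS_RSA_WITH_AES_128_GCM_SHA256' }
+
+it "sets ciphers" do
+cipher_ary = ssl_context.ciphers.first
+expect( cipher_ary[0] ).to eql 'AES128-GCM-SHA256'
+end
+
+end
+
+context "with forced protocol" do
+let(:config) do
+super().merge 'ssl_supported_protocols' => [ 'TLSv1.1' ]
+end
+
+it "limits protocol selection" do
+if OpenSSL::SSL.const_defined? :OP_NO_TLSv1_3
+ssl_context = subject.send :ssl_context
+expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_3).to_not eql 0
+expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_2).to_not eql 0
+expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_1).to eql 0
+else
+ssl_context = OpenSSL::SSL::SSLContext.new
+allow(subject).to receive(:new_ssl_context).and_return(ssl_context)
+expect(ssl_context).to receive(:max_version=).with(:'TLS1_2').and_call_original
+ssl_context = subject.send :ssl_context
+expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_2).to_not eql 0
+expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_1).to eql 0
+end
+end
+
+end
+
+context "with protocol range" do
+let(:config) do
+super().merge 'ssl_supported_protocols' => [ 'TLSv1.3', 'TLSv1.1', 'TLSv1.2' ]
+end
+
+it "does not limit protocol selection (except min_version)" do
+ssl_context = OpenSSL::SSL::SSLContext.new
+allow(subject).to receive(:new_ssl_context).and_return(ssl_context)
+expect(ssl_context).to receive(:min_version=).with(:'TLS1_1').and_call_original
+ssl_context = subject.send :ssl_context
+expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_3).to eql 0 if OpenSSL::SSL.const_defined? :OP_NO_TLSv1_3
+expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_2).to eql 0
+expect(ssl_context.options & OpenSSL::SSL::OP_NO_TLSv1_1).to eql 0
+end
+end
+
+end
+
 end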
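Review bot: The `sets ciphers` example in the client-mode context inspects only `ssl_context.ciphers.first`, so it would still pass if the configured suite were merged with the defaults instead of replacing them; assert the whole list, e.g. `expect(ssl_context.ciphers.map(&:first)).to eql ['AES128-GCM-SHA256']`. Separately, `with enforced protocol version` hard-codes `'TLSv1.3'` but, unlike `with enforced protocol range`, is not guarded by `TcpHelpers.tls13_available_by_default?`, so it presumably fails on a JVM where TLSv1.3 is not enabled by default. Both contexts sit inside `describe` blocks that begin outside the visible hunks.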
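--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -7,6 +7,17 @@ require "stud/temporary"
 
 class TcpHelpers
 
+def self.tls13_available_by_default?
+begin
+context = javax.net.ssl.SSLContext.getInstance('TLS')
+context.init nil, nil, nil
+context.getDefaultSSLParameters.getProtocols.include? 'TLSv1.3'
+rescue => e
+warn "failed to detect TLSv1.3 support: #{e.inspect}"
+nil
+end
+end
+
 java_import 'org.bouncycastle.openssl.PEMParser'
 java_import 'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder'
 java_import 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter'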
Binary file
|
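--- a/data/version
+++ b/data/version
@@ -1 +1 @@
-6.
+6.3.0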
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-input-tcp
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.
|
4
|
+
version: 6.3.0
|
5
5
|
platform: java
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-
|
11
|
+
date: 2022-06-06 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
@@ -49,7 +49,7 @@ dependencies:
|
|
49
49
|
requirements:
|
50
50
|
- - ">="
|
51
51
|
- !ruby/object:Gem::Version
|
52
|
-
version:
|
52
|
+
version: 8.1.0
|
53
53
|
name: logstash-core
|
54
54
|
prerelease: false
|
55
55
|
type: :runtime
|
@@ -57,13 +57,13 @@ dependencies:
|
|
57
57
|
requirements:
|
58
58
|
- - ">="
|
59
59
|
- !ruby/object:Gem::Version
|
60
|
-
version:
|
60
|
+
version: 8.1.0
|
61
61
|
- !ruby/object:Gem::Dependency
|
62
62
|
requirement: !ruby/object:Gem::Requirement
|
63
63
|
requirements:
|
64
64
|
- - ">="
|
65
65
|
- !ruby/object:Gem::Version
|
66
|
-
version: 0.
|
66
|
+
version: 0.12.2
|
67
67
|
name: jruby-openssl
|
68
68
|
prerelease: false
|
69
69
|
type: :runtime
|
@@ -71,7 +71,7 @@ dependencies:
|
|
71
71
|
requirements:
|
72
72
|
- - ">="
|
73
73
|
- !ruby/object:Gem::Version
|
74
|
-
version: 0.
|
74
|
+
version: 0.12.2
|
75
75
|
- !ruby/object:Gem::Dependency
|
76
76
|
requirement: !ruby/object:Gem::Requirement
|
77
77
|
requirements:
|
@@ -233,7 +233,7 @@ files:
|
|
233
233
|
- spec/spec_helper.rb
|
234
234
|
- vendor/jar-dependencies/commons-io/commons-io/2.8.0/commons-io-2.8.0.jar
|
235
235
|
- vendor/jar-dependencies/io/netty/netty-all/4.1.65.Final/netty-all-4.1.65.Final.jar
|
236
|
-
- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.
|
236
|
+
- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.3.0/logstash-input-tcp-6.3.0.jar
|
237
237
|
- version
|
238
238
|
homepage: http://www.elastic.co/guide/en/logstash/current/index.html
|
239
239
|
licenses:
|