logstash-output-elasticsearch 11.13.1-java → 11.14.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d83bbddeedf7f5674416d431b0a54d7d939a7fd4a21853847f96c2ecf44659c8
-  data.tar.gz: 5d92c4dfd6e5843c7298021b98dcc86dcdfa3f5e8f474255c0358723a673d9cb
+  metadata.gz: 599447eb8d7d6af357940a497acb671bd54ab9b01be537cfd713f8d14d14ac41
+  data.tar.gz: b89e96d645a2f95691375cb9222115f5a740079c16145f3922f8a0e4829946f0
 SHA512:
-  metadata.gz: 47194a7711b93f6a1dcca191dc37a7c0bb14ddcf5591940520ad3e24e046df67850ec0fbf1c9ed769ff6706c7bd9b087bd44cd2d7b97be444bd7d8c5c48ad295
-  data.tar.gz: b7344d10ba9a8a09a5acb65348a4e7152407a3d98126843a8266112b67bc8e6a4859e7ab60e4a7d1bd448cde8d00d65c2e5dda9572eec175fc5cc2baab17441d
+  metadata.gz: c917762665f98bb2d27648a778d194e1371a620cab2db7313af9bd396d9652f5b011b4b1a686c248e31a2c2be768a34f00c26db887c0969cd1ad6079ca67ff04
+  data.tar.gz: 2f1363e687304472b57ec433cd25f5047e4b828cab48d2d5beeb676e280b977cf406a3ce9b1d5dcfebe70ec3c3ff39d118b003dcbb70e077b7620066b37a4e92

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 11.14.0
+ - Added SSL settings for: [#1115](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1115)
+   - `ssl_truststore_type`: The format of the truststore file
+   - `ssl_keystore_type`: The format of the keystore file
+   - `ssl_certificate`: OpenSSL-style X.509 certificate file to authenticate the client
+   - `ssl_key`: OpenSSL-style RSA private key that corresponds to the `ssl_certificate`
+   - `ssl_cipher_suites`: The list of cipher suites
+ - Reviewed and deprecated SSL settings to comply with Logstash's naming convention
+   - Deprecated `ssl` in favor of `ssl_enabled`
+   - Deprecated `cacert` in favor of `ssl_certificate_authorities`
+   - Deprecated `keystore` in favor of `ssl_keystore_path`
+   - Deprecated `keystore_password` in favor of `ssl_keystore_password`
+   - Deprecated `truststore` in favor of `ssl_truststore_path`
+   - Deprecated `truststore_password` in favor of `ssl_truststore_password`
+   - Deprecated `ssl_certificate_verification` in favor of `ssl_verification_mode`
+
 ## 11.13.1
  - Avoid crash by ensuring ILM settings are injected in the correct location depending on the default (or custom) template format, template_api setting and ES version [#1102](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1102)
 

data/docs/index.asciidoc

@@ -299,7 +299,7 @@ checks.
 ==== Elasticsearch Output Configuration Options
 
 This plugin supports the following configuration options plus the
-<<plugins-{type}s-{plugin}-common-options>> described later.
+<<plugins-{type}s-{plugin}-common-options>> and the <<plugins-{type}s-{plugin}-deprecated-options>> described later.
 
 [cols="<,<,<",options="header",]
 |=======================================================================
@@ -307,7 +307,6 @@ This plugin supports the following configuration options plus the
 | <<plugins-{type}s-{plugin}-action>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-api_key>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-bulk_path>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-cacert>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ca_trusted_fingerprint>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-cloud_auth>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-cloud_id>> |<<string,string>>|No
@@ -333,8 +332,6 @@ This plugin supports the following configuration options plus the
 | <<plugins-{type}s-{plugin}-ilm_policy>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ilm_rollover_alias>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-index>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-keystore>> |a valid filesystem path|No
-| <<plugins-{type}s-{plugin}-keystore_password>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-silence_errors_in_log>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-manage_template>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-parameters>> |<<hash,hash>>|No
@@ -358,16 +355,24 @@ This plugin supports the following configuration options plus the
 | <<plugins-{type}s-{plugin}-sniffing>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-sniffing_delay>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-sniffing_path>> |<<string,string>>|No
-| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
-| <<plugins-{type}s-{plugin}-ssl_certificate_verification>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl_certificate>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |list of <<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |list of <<string,string>>|No
+| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl_key>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_path>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_keystore_type>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_path>> |<<path,path>>|No
+| <<plugins-{type}s-{plugin}-ssl_truststore_type>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-ssl_verification_mode>> |<<string,string>>, one of `["full", "none"]`|No
 | <<plugins-{type}s-{plugin}-template>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-template_api>> |<<string,string>>, one of `["auto", "legacy", "composable"]`|No
 | <<plugins-{type}s-{plugin}-template_name>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-template_overwrite>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-timeout>> |<<number,number>>|No
-| <<plugins-{type}s-{plugin}-truststore>> |a valid filesystem path|No
-| <<plugins-{type}s-{plugin}-truststore_password>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-upsert>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-user>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-validate_after_inactivity>> |<<number,number>>|No
@@ -408,7 +413,7 @@ For more details on actions, check out the {ref}/docs-bulk.html[Elasticsearch bu
   * There is no default value for this setting.
 
 Authenticate using Elasticsearch API key.
-Note that this option also requires SSL/TLS, which can be enabled by supplying a <<plugins-{type}s-{plugin}-cloud_id>>, a list of HTTPS <<plugins-{type}s-{plugin}-hosts>>, or by setting <<plugins-{type}s-{plugin}-ssl,`ssl => true`>>.
+Note that this option also requires SSL/TLS, which can be enabled by supplying a <<plugins-{type}s-{plugin}-cloud_id>>, a list of HTTPS <<plugins-{type}s-{plugin}-hosts>>, or by setting <<plugins-{type}s-{plugin}-ssl,`ssl_enabled => true`>>.
 
 Format is `id:api_key` where `id` and `api_key` are as returned by the
 Elasticsearch {ref}/security-api-create-api-key.html[Create API key API].
@@ -422,14 +427,6 @@ Elasticsearch {ref}/security-api-create-api-key.html[Create API key API].
 HTTP Path to perform the _bulk requests to
 this defaults to a concatenation of the path parameter and "_bulk"
 
-[id="plugins-{type}s-{plugin}-cacert"]
-===== `cacert`
-
-  * Value type is <<path,path>>
-  * There is no default value for this setting.
-
-The .cer or .pem file to validate the server's certificate.
-
 [id="plugins-{type}s-{plugin}-ca_trusted_fingerprint"]
 ===== `ca_trusted_fingerprint`
 
@@ -769,23 +766,6 @@ Logstash uses
 http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html[Joda
 formats] and the `@timestamp` field of each event is being used as source for the date.
 
-[id="plugins-{type}s-{plugin}-keystore"]
-===== `keystore`
-
-  * Value type is <<path,path>>
-  * There is no default value for this setting.
-
-The keystore used to present a certificate to the server.
-It can be either .jks or .p12
-
-[id="plugins-{type}s-{plugin}-keystore_password"]
-===== `keystore_password`
-
-  * Value type is <<password,password>>
-  * There is no default value for this setting.
-
-Set the keystore password
-
 [id="plugins-{type}s-{plugin}-manage_template"]
 ===== `manage_template`
 
@@ -1034,8 +1014,35 @@ the default value is computed by concatenating the path value and "_nodes/http"
 if sniffing_path is set it will be used as an absolute path
 do not use full URL here, only paths, e.g. "/sniff/_nodes/http"
 
-[id="plugins-{type}s-{plugin}-ssl"]
-===== `ssl`
+[id="plugins-{type}s-{plugin}-ssl_certificate"]
+===== `ssl_certificate`
+  * Value type is <<path,path>>
+  * There is no default value for this setting.
+
+SSL certificate to use to authenticate the client. This certificate should be an OpenSSL-style X.509 certificate file.
+
+NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-ssl_key>> is set.
+
+[id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
+===== `ssl_certificate_authorities`
+
+  * Value type is a list of <<path,path>>
+  * There is no default value for this setting
+
+The .cer or .pem files to validate the server's certificate.
+
+NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_truststore_path>> at the same time.
+
+[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
+===== `ssl_cipher_suites`
+  * Value type is a list of <<string,string>>
+  * There is no default value for this setting
+
+The list of cipher suites to use, listed by priorities.
+Supported cipher suites vary depending on the Java and protocol versions.
+
+[id="plugins-{type}s-{plugin}-ssl_enabled"]
+===== `ssl_enabled`
 
   * Value type is <<boolean,boolean>>
   * There is no default value for this setting.
@@ -1044,15 +1051,41 @@ Enable SSL/TLS secured communication to Elasticsearch cluster.
 Leaving this unspecified will use whatever scheme is specified in the URLs listed in <<plugins-{type}s-{plugin}-hosts>> or extracted from the <<plugins-{type}s-{plugin}-cloud_id>>.
 If no explicit protocol is specified plain HTTP will be used.
 
-[id="plugins-{type}s-{plugin}-ssl_certificate_verification"]
-===== `ssl_certificate_verification`
+[id="plugins-{type}s-{plugin}-ssl_key"]
+===== `ssl_key`
+  * Value type is <<path,path>>
+  * There is no default value for this setting.
 
-  * Value type is <<boolean,boolean>>
-  * Default value is `true`
+OpenSSL-style RSA private key that corresponds to the <<plugins-{type}s-{plugin}-ssl_certificate>>.
 
-Option to validate the server's certificate. Disabling this severely compromises security.
-For more information on disabling certificate verification please read
-https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
+NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-ssl_certificate>> is set.
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_password"]
+===== `ssl_keystore_password`
+
+  * Value type is <<password,password>>
+  * There is no default value for this setting.
+
+Set the keystore password
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_path"]
+===== `ssl_keystore_path`
+
+  * Value type is <<path,path>>
+  * There is no default value for this setting.
+
+The keystore used to present a certificate to the server.
+It can be either `.jks` or `.p12`
+
+NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate>> at the same time.
+
+[id="plugins-{type}s-{plugin}-ssl_keystore_type"]
+===== `ssl_keystore_type`
+
+  * Value can be any of: `jks`, `pkcs12`
+  * If not provided, the value will be inferred from the keystore filename.
+
+The format of the keystore file. It must be either `jks` or `pkcs12`.
 
 [id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
 ===== `ssl_supported_protocols`
@@ -1064,13 +1097,56 @@ https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
 
 List of allowed SSL/TLS versions to use when establishing a connection to the Elasticsearch cluster.
 
-For Java 8 `'TLSv1.3'` is supported  only since **8u262** (AdoptOpenJDK), but requires that you set the
+For Java 8 `'TLSv1.3'` is supported only since **8u262** (AdoptOpenJDK), but requires that you set the
 `LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
 
 NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
 the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
 the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
 
+[id="plugins-{type}s-{plugin}-ssl_truststore_password"]
+===== `ssl_truststore_password`
+
+  * Value type is <<password,password>>
+  * There is no default value for this setting.
+
+Set the truststore password
+
+[id="plugins-{type}s-{plugin}-ssl_truststore_path"]
+===== `ssl_truststore_path`
+
+  * Value type is <<path,path>>
+  * There is no default value for this setting.
+
+The truststore to validate the server's certificate.
+It can be either `.jks` or `.p12`.
+
+NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> at the same time.
+
+[id="plugins-{type}s-{plugin}-ssl_truststore_type"]
+===== `ssl_truststore_type`
+
+* Value can be any of: `jks`, `pkcs12`
+* If not provided, the value will be inferred from the truststore filename.
+
+The format of the truststore file. It must be either `jks` or `pkcs12`.
+
+[id="plugins-{type}s-{plugin}-ssl_verification_mode"]
+===== `ssl_verification_mode`
+
+  * Value can be any of: `full`, `none`
+  * Default value is `full`
+
+Defines how to verify the certificates presented by another party in the TLS connection:
+
+`full` validates that the server certificate has an issue date that’s within
+the not_before and not_after dates; chains to a trusted Certificate Authority (CA), and
+has a hostname or IP address that matches the names within the certificate.
+
+`none` performs no certificate validation.
+
+WARNING: Setting certificate verification to `none` disables many security benefits of SSL/TLS, which is very dangerous. For more information on disabling certificate verification please read https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
+
 [id="plugins-{type}s-{plugin}-template"]
 ===== `template`
 
@@ -1139,24 +1215,6 @@ the "logstash" template (i.e. removing all customized settings)
 Set the timeout, in seconds, for network operations and requests sent Elasticsearch. If
 a timeout occurs, the request will be retried.
 
-[id="plugins-{type}s-{plugin}-truststore"]
-===== `truststore`
-
-  * Value type is <<path,path>>
-  * There is no default value for this setting.
-
-The truststore to validate the server's certificate.
-It can be either .jks or .p12.
-Use either `:truststore` or `:cacert`.
-
-[id="plugins-{type}s-{plugin}-truststore_password"]
-===== `truststore_password`
-
-  * Value type is <<password,password>>
-  * There is no default value for this setting.
-
-Set the truststore password
-
 [id="plugins-{type}s-{plugin}-upsert"]
 ===== `upsert`
 
@@ -1213,6 +1271,97 @@ https://www.elastic.co/blog/elasticsearch-versioning-support[versioning support
 blog] and {ref}/docs-index_.html#_version_types[Version types] in the
 Elasticsearch documentation.
 
+[id="plugins-{type}s-{plugin}-deprecated-options"]
+==== Elasticsearch Output Deprecated Configuration Options
+
+This plugin supports the following deprecated configurations.
+
+WARNING: Deprecated options are subject to removal in future releases.
+
+[cols="<,<,<",options="header",]
+|=======================================================================
+|Setting|Input type|Replaced by
+| <<plugins-{type}s-{plugin}-cacert>> |a valid filesystem path|<<plugins-{type}s-{plugin}-ssl_certificate_authorities>>
+| <<plugins-{type}s-{plugin}-keystore>> |a valid filesystem path|<<plugins-{type}s-{plugin}-ssl_keystore_path>>
+| <<plugins-{type}s-{plugin}-keystore_password>> |<<password,password>>|<<plugins-{type}s-{plugin}-ssl_keystore_password>>
+| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|<<plugins-{type}s-{plugin}-ssl_enabled>>
+| <<plugins-{type}s-{plugin}-ssl_certificate_verification>> |<<boolean,boolean>>|<<plugins-{type}s-{plugin}-ssl_verification_mode>>
+| <<plugins-{type}s-{plugin}-truststore>> |a valid filesystem path|<<plugins-{type}s-{plugin}-ssl_truststore_path>>
+| <<plugins-{type}s-{plugin}-truststore_password>> |<<password,password>>|<<plugins-{type}s-{plugin}-ssl_truststore_password>>
+|=======================================================================
+
+
+[id="plugins-{type}s-{plugin}-cacert"]
+===== `cacert`
+deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_certificate_authorities>>]
+
+* Value type is a list of <<path,path>>
+* There is no default value for this setting.
+
+The .cer or .pem file to validate the server's certificate.
+
+[id="plugins-{type}s-{plugin}-keystore"]
+===== `keystore`
+deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_keystore_path>>]
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+The keystore used to present a certificate to the server.
+It can be either .jks or .p12
+
+NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate>> at the same time.
+
+[id="plugins-{type}s-{plugin}-keystore_password"]
+===== `keystore_password`
+deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_keystore_password>>]
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+
+Set the keystore password
+
+[id="plugins-{type}s-{plugin}-ssl"]
+===== `ssl`
+deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
+
+* Value type is <<boolean,boolean>>
+* There is no default value for this setting.
+
+Enable SSL/TLS secured communication to Elasticsearch cluster.
+Leaving this unspecified will use whatever scheme is specified in the URLs listed in <<plugins-{type}s-{plugin}-hosts>> or extracted from the <<plugins-{type}s-{plugin}-cloud_id>>.
+If no explicit protocol is specified plain HTTP will be used.
+
+[id="plugins-{type}s-{plugin}-ssl_certificate_verification"]
+===== `ssl_certificate_verification`
+deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_verification_mode>>]
+
+* Value type is <<boolean,boolean>>
+* Default value is `true`
+
+Option to validate the server's certificate. Disabling this severely compromises security.
+For more information on disabling certificate verification please read
+https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
+
+[id="plugins-{type}s-{plugin}-truststore"]
+===== `truststore`
+deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_truststore_path>>]
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+The truststore to validate the server's certificate.
+It can be either `.jks` or `.p12`.
+Use either `:truststore` or `:cacert`.
+
+[id="plugins-{type}s-{plugin}-truststore_password"]
+===== `truststore_password`
+deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_truststore_password>>]
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+
+Set the truststore password
 
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]

data/lib/logstash/outputs/elasticsearch/http_client_builder.rb

@@ -107,38 +107,53 @@ module LogStash; module Outputs; class ElasticSearch;
     end
 
     def self.setup_ssl(logger, params)
-      params["ssl"] = true if params["hosts"].any? {|h| h.scheme == "https" }
-      return {} if params["ssl"].nil?
+      params["ssl_enabled"] = true if params["hosts"].any? {|h| h.scheme == "https" }
+      return {} if params["ssl_enabled"].nil?
 
-      return {:ssl => {:enabled => false}} if params["ssl"] == false
+      return {:ssl => {:enabled => false}} if params["ssl_enabled"] == false
 
-      cacert, truststore, truststore_password, keystore, keystore_password =
-        params.values_at('cacert', 'truststore', 'truststore_password', 'keystore', 'keystore_password')
+      ssl_certificate_authorities, ssl_truststore_path, ssl_certificate, ssl_keystore_path = params.values_at('ssl_certificate_authorities', 'ssl_truststore_path', 'ssl_certificate', 'ssl_keystore_path')
 
-      if cacert && truststore
-        raise(LogStash::ConfigurationError, "Use either \"cacert\" or \"truststore\" when configuring the CA certificate") if truststore
+      if ssl_certificate_authorities && ssl_truststore_path
+        raise LogStash::ConfigurationError, 'Use either "ssl_certificate_authorities/cacert" or "ssl_truststore_path/truststore" when configuring the CA certificate'
+      end
+
+      if ssl_certificate && ssl_keystore_path
+        raise LogStash::ConfigurationError, 'Use either "ssl_certificate" or "ssl_keystore_path/keystore" when configuring client certificates'
       end
 
       ssl_options = {:enabled => true}
 
-      if cacert
-        ssl_options[:ca_file] = cacert
-      elsif truststore
-        ssl_options[:truststore_password] = truststore_password.value if truststore_password
+      if ssl_certificate_authorities&.any?
+        raise LogStash::ConfigurationError, 'Multiple values on "ssl_certificate_authorities" are not supported by this plugin' if ssl_certificate_authorities.size > 1
+        ssl_options[:ca_file] = ssl_certificate_authorities.first
       end
 
-      ssl_options[:truststore] = truststore if truststore
-      if keystore
-        ssl_options[:keystore] = keystore
-        ssl_options[:keystore_password] = keystore_password.value if keystore_password
+      setup_ssl_store(ssl_options, 'truststore', params)
+      setup_ssl_store(ssl_options, 'keystore', params)
+
+      ssl_key = params["ssl_key"]
+      if ssl_certificate
+        raise LogStash::ConfigurationError, 'Using an "ssl_certificate" requires an "ssl_key"' unless ssl_key
+        ssl_options[:client_cert] = ssl_certificate
+        ssl_options[:client_key] = ssl_key
+      elsif !ssl_key.nil?
+        raise LogStash::ConfigurationError, 'An "ssl_certificate" is required when using an "ssl_key"'
       end
 
-      if !params["ssl_certificate_verification"]
-        logger.warn "You have enabled encryption but DISABLED certificate verification, " +
-                    "to make sure your data is secure remove `ssl_certificate_verification => false`"
-        ssl_options[:verify] = :disable # false accepts self-signed but still validates hostname
+      ssl_verification_mode = params["ssl_verification_mode"]
+      unless ssl_verification_mode.nil?
+        case ssl_verification_mode
+          when 'none'
+            logger.warn "You have enabled encryption but DISABLED certificate verification, " +
+                          "to make sure your data is secure set `ssl_verification_mode => full`"
+            ssl_options[:verify] = :disable
+          else
+            ssl_options[:verify] = :strict
+        end
       end
 
+      ssl_options[:cipher_suites] = params["ssl_cipher_suites"] if params.include?("ssl_cipher_suites")
       ssl_options[:trust_strategy] = params["ssl_trust_strategy"] if params.include?("ssl_trust_strategy")
 
       protocols = params['ssl_supported_protocols']
@@ -147,6 +162,16 @@ module LogStash; module Outputs; class ElasticSearch;
       { ssl: ssl_options }
     end
 
+    # @param kind is a string [truststore|keystore]
+    def self.setup_ssl_store(ssl_options, kind, params)
+      store_path = params["ssl_#{kind}_path"]
+      if store_path
+        ssl_options[kind.to_sym] = store_path
+        ssl_options["#{kind}_type".to_sym] = params["ssl_#{kind}_type"] if params.include?("ssl_#{kind}_type")
+        ssl_options["#{kind}_password".to_sym] = params["ssl_#{kind}_password"].value if params.include?("ssl_#{kind}_password")
+      end
+    end
+
     def self.setup_basic_auth(logger, params)
       user, password = params["user"], params["password"]
       

data/lib/logstash/outputs/elasticsearch.rb

@@ -96,10 +96,14 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
   require "logstash/outputs/elasticsearch/data_stream_support"
   require 'logstash/plugin_mixins/ecs_compatibility_support'
   require 'logstash/plugin_mixins/deprecation_logger_support'
+  require 'logstash/plugin_mixins/normalize_config_support'
 
   # Protocol agnostic methods
   include(LogStash::PluginMixins::ElasticSearch::Common)
 
+  # Config normalization helpers
+  include(LogStash::PluginMixins::NormalizeConfigSupport)
+
   # Methods for ILM support
   include(LogStash::Outputs::ElasticSearch::Ilm)
 
@@ -282,6 +286,8 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
   end
 
   def register
+    setup_ssl_params!
+
     if !failure_type_logging_whitelist.empty?
       log_message = "'failure_type_logging_whitelist' is deprecated and in a future version of Elasticsearch " +
         "output plugin will be removed, please use 'silence_errors_in_log' instead."
@@ -622,6 +628,52 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
     end
   end
 
+  def setup_ssl_params!
+    @ssl_enabled = normalize_config(:ssl_enabled) do |normalize|
+      normalize.with_deprecated_alias(:ssl)
+    end
+
+    @ssl_certificate_authorities = normalize_config(:ssl_certificate_authorities) do |normalize|
+      normalize.with_deprecated_mapping(:cacert) do |cacert|
+        [cacert]
+      end
+    end
+
+    @ssl_keystore_path =  normalize_config(:ssl_keystore_path) do |normalize|
+      normalize.with_deprecated_alias(:keystore)
+    end
+
+    @ssl_keystore_password = normalize_config(:ssl_keystore_password) do |normalize|
+      normalize.with_deprecated_alias(:keystore_password)
+    end
+
+    @ssl_truststore_path = normalize_config(:ssl_truststore_path) do |normalize|
+      normalize.with_deprecated_alias(:truststore)
+    end
+
+    @ssl_truststore_password =  normalize_config(:ssl_truststore_password) do |normalize|
+      normalize.with_deprecated_alias(:truststore_password)
+    end
+
+    @ssl_verification_mode = normalize_config(:ssl_verification_mode) do |normalize|
+      normalize.with_deprecated_mapping(:ssl_certificate_verification) do |ssl_certificate_verification|
+        if ssl_certificate_verification == true
+          "full"
+        else
+          "none"
+        end
+      end
+    end
+
+    params['ssl_enabled'] = @ssl_enabled unless @ssl_enabled.nil?
+    params['ssl_certificate_authorities'] = @ssl_certificate_authorities unless @ssl_certificate_authorities.nil?
+    params['ssl_keystore_path'] = @ssl_keystore_path unless @ssl_keystore_path.nil?
+    params['ssl_keystore_password'] = @ssl_keystore_password unless @ssl_keystore_password.nil?
+    params['ssl_truststore_path'] = @ssl_truststore_path unless @ssl_truststore_path.nil?
+    params['ssl_truststore_password'] = @ssl_truststore_password unless @ssl_truststore_password.nil?
+    params['ssl_verification_mode'] = @ssl_verification_mode unless @ssl_verification_mode.nil?
+  end
+
   # To be overidden by the -java version
   VALID_HTTP_ACTIONS = ["index", "delete", "create", "update"]
   def valid_actions

data/lib/logstash/plugin_mixins/elasticsearch/api_configs.rb

@@ -45,35 +45,79 @@ module LogStash; module PluginMixins; module ElasticSearch
         # Enable SSL/TLS secured communication to Elasticsearch cluster. Leaving this unspecified will use whatever scheme
         # is specified in the URLs listed in 'hosts'. If no explicit protocol is specified plain HTTP will be used.
         # If SSL is explicitly disabled here the plugin will refuse to start if an HTTPS URL is given in 'hosts'
-        :ssl => { :validate => :boolean },
+        :ssl => { :validate => :boolean, :deprecated => "Set 'ssl_enabled' instead." },
+
+        # Enable SSL/TLS secured communication to Elasticsearch cluster. Leaving this unspecified will use whatever scheme
+        # is specified in the URLs listed in 'hosts'. If no explicit protocol is specified plain HTTP will be used.
+        # If SSL is explicitly disabled here the plugin will refuse to start if an HTTPS URL is given in 'hosts'
+        :ssl_enabled => { :validate => :boolean },
 
         # Option to validate the server's certificate. Disabling this severely compromises security.
         # For more information on disabling certificate verification please read
         # https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
-        :ssl_certificate_verification => { :validate => :boolean, :default => true },
+        :ssl_certificate_verification => { :validate => :boolean, :default => true, :deprecated => "Set 'ssl_verification_mode' instead." },
+
+        # Options to verify the server's certificate.
+        # "full": validates that the provided certificate has an issue date that’s within the not_before and not_after dates;
+        # chains to a trusted Certificate Authority (CA); has a hostname or IP address that matches the names within the certificate.
+        # "none": performs no certificate validation. Disabling this severely compromises security (https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf)
+        :ssl_verification_mode => { :validate => %w[full none], :default => 'full' },
 
         # The .cer or .pem file to validate the server's certificate
-        :cacert => { :validate => :path },
+        :cacert => { :validate => :path, :deprecated => "Set 'ssl_certificate_authorities' instead." },
+
+        # The .cer or .pem files to validate the server's certificate
+        :ssl_certificate_authorities => { :validate => :path, :list => true },
 
         # One or more hex-encoded SHA256 fingerprints to trust as Certificate Authorities
         :ca_trusted_fingerprint => LogStash::PluginMixins::CATrustedFingerprintSupport,
 
         # The JKS truststore to validate the server's certificate.
         # Use either `:truststore` or `:cacert`
-        :truststore => { :validate => :path },
+        :truststore => { :validate => :path, :deprecated => "Set 'ssl_truststore_path' instead." },
+
+        # The JKS truststore to validate the server's certificate.
+        # Use either `:ssl_truststore_path` or `:ssl_certificate_authorities`
+        :ssl_truststore_path => { :validate => :path },
+
+        # The format of the truststore file. It must be either jks or pkcs12
+        :ssl_truststore_type => { :validate => %w[pkcs12 jks] },
+
+        # Set the truststore password
+        :truststore_password => { :validate => :password, :deprecated => "Use 'ssl_truststore_password' instead." },
 
         # Set the truststore password
-        :truststore_password => { :validate => :password },
+        :ssl_truststore_password => { :validate => :password },
 
         # The keystore used to present a certificate to the server.
         # It can be either .jks or .p12
-        :keystore => { :validate => :path },
+        :keystore => { :validate => :path, :deprecated => "Set 'ssl_keystore_path' instead." },
+
+        # The keystore used to present a certificate to the server.
+        # It can be either .jks or .p12
+        :ssl_keystore_path => { :validate => :path },
+
+        # The format of the keystore file. It must be either jks or pkcs12
+        :ssl_keystore_type => { :validate => %w[pkcs12 jks] },
 
         # Set the keystore password
-        :keystore_password => { :validate => :password },
+        :keystore_password => { :validate => :password, :deprecated => "Set 'ssl_keystore_password' instead." },
+
+        # Set the keystore password
+        :ssl_keystore_password => { :validate => :password },
 
         :ssl_supported_protocols => { :validate => ['TLSv1.1', 'TLSv1.2', 'TLSv1.3'], :default => [], :list => true },
 
+        # OpenSSL-style X.509 certificate certificate to authenticate the client
+        :ssl_certificate => { :validate => :path },
+
+        # OpenSSL-style RSA private key to authenticate the client
+        :ssl_key => { :validate => :path },
+
+        # The list of cipher suites to use, listed by priorities.
+        # Supported cipher suites vary depending on which version of Java is used.
+        :ssl_cipher_suites => { :validate => :string, :list => true },
+
         # This setting asks Elasticsearch for the list of all cluster nodes and adds them to the hosts list.
         # Note: This will return ALL nodes with HTTP enabled (including master nodes!). If you use
         # this with master nodes, you probably want to disable HTTP on them by setting

data/lib/logstash/plugin_mixins/elasticsearch/common.rb

@@ -28,8 +28,7 @@ module LogStash; module PluginMixins; module ElasticSearch
 
       setup_hosts
 
-
-      params['ssl'] = effectively_ssl? unless params.include?('ssl')
+      params['ssl_enabled'] = effectively_ssl? unless params.include?('ssl_enabled')
 
       # inject the TrustStrategy from CATrustedFingerprintSupport
       if trust_strategy_for_ca_trusted_fingerprint
@@ -74,7 +73,7 @@ module LogStash; module PluginMixins; module ElasticSearch
     end
 
     def effectively_ssl?
-      return @ssl unless @ssl.nil?
+      return @ssl_enabled unless @ssl_enabled.nil?
 
       hosts = Array(@hosts)
       return false if hosts.nil? || hosts.empty?

data/logstash-output-elasticsearch.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-output-elasticsearch'
-  s.version         = '11.13.1'
+  s.version         = '11.14.0'
   s.licenses        = ['apache-2.0']
   s.summary         = "Stores logs in Elasticsearch"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -26,6 +26,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'logstash-mixin-ecs_compatibility_support', '~>1.0'
   s.add_runtime_dependency 'logstash-mixin-deprecation_logger_support', '~>1.0'
   s.add_runtime_dependency 'logstash-mixin-ca_trusted_fingerprint_support', '~>1.0'
+  s.add_runtime_dependency 'logstash-mixin-normalize_config_support', '~>1.0'
 
   s.add_development_dependency 'logstash-codec-plain'
   s.add_development_dependency 'logstash-devutils'

data/spec/integration/outputs/index_spec.rb

@@ -289,8 +289,8 @@ describe "indexing" do
         "hosts" => [ get_host_port ],
         "user" => user,
         "password" => password,
-        "ssl" => true,
-        "cacert" => cacert,
+        "ssl_enabled" => true,
+        "ssl_certificate_authorities" => cacert,
         "index" => index
       }
     end 
@@ -302,7 +302,7 @@ describe "indexing" do
 
       context "when no keystore nor ca cert set and verification is disabled" do
         let(:config) do
-          super().tap { |config| config.delete('cacert') }.merge('ssl_certificate_verification' => false)
+          super().tap { |config| config.delete('ssl_certificate_authorities') }.merge('ssl_verification_mode' => 'none')
         end
 
         include_examples("an indexer", true)
@@ -311,9 +311,9 @@ describe "indexing" do
       context "when keystore is set and verification is disabled" do
         let(:config) do
           super().merge(
-              'ssl_certificate_verification' => false,
-              'keystore' => 'spec/fixtures/test_certs/test.p12',
-              'keystore_password' => '1234567890'
+              'ssl_verification_mode' => 'none',
+              'ssl_keystore_path' => 'spec/fixtures/test_certs/test.p12',
+              'ssl_keystore_password' => '1234567890'
           )
         end
 
@@ -322,10 +322,10 @@ describe "indexing" do
 
       context "when keystore has self-signed cert and verification is disabled" do
         let(:config) do
-          super().tap { |config| config.delete('cacert') }.merge(
-              'ssl_certificate_verification' => false,
-              'keystore' => 'spec/fixtures/test_certs/test_self_signed.p12',
-              'keystore_password' => '1234567890'
+          super().tap { |config| config.delete('ssl_certificate_authorities') }.merge(
+              'ssl_verification_mode' => 'none',
+              'ssl_keystore_path' => 'spec/fixtures/test_certs/test_self_signed.p12',
+              'ssl_keystore_password' => '1234567890'
           )
         end
 
@@ -349,8 +349,8 @@ describe "indexing" do
         let(:config) do
           {
               "hosts" => ["https://#{CGI.escape(user)}:#{CGI.escape(password)}@elasticsearch:9200"],
-              "ssl" => true,
-              "cacert" => "spec/fixtures/test_certs/test.crt",
+              "ssl_enabled" => true,
+              "ssl_certificate_authorities" => "spec/fixtures/test_certs/test.crt",
               "index" => index
           }
         end
@@ -358,10 +358,10 @@ describe "indexing" do
         include_examples("an indexer", true)
       end
 
-      context "without providing `cacert`" do
+      context "without providing `ssl_certificate_authorities`" do
         let(:config) do
           super().tap do |c|
-            c.delete("cacert")
+            c.delete("ssl_certificate_authorities")
           end
         end
 
@@ -369,10 +369,10 @@ describe "indexing" do
       end
 
       if Gem::Version.new(LOGSTASH_VERSION) >= Gem::Version.new("8.3.0")
-        context "with `ca_trusted_fingerprint` instead of `cacert`" do
+        context "with `ca_trusted_fingerprint` instead of `ssl_certificate_authorities`" do
           let(:config) do
             super().tap do |c|
-              c.delete("cacert")
+              c.delete("ssl_certificate_authorities")
               c.update("ca_trusted_fingerprint" => ca_trusted_fingerprint)
             end
           end

data/spec/unit/outputs/elasticsearch/data_stream_support_spec.rb

@@ -114,7 +114,7 @@ describe LogStash::Outputs::ElasticSearch::DataStreamSupport do
       {
           'hosts' => [ 'http://127.0.0.1:12345' ],
           'http_compression' => 'true', 'bulk_path' => '_bulk', 'timeout' => '30',
-          'user' => 'elastic', 'password' => 'ForSearch!', 'ssl' => 'false'
+          'user' => 'elastic', 'password' => 'ForSearch!', 'ssl_enabled' => 'false'
       }
     end
 

data/spec/unit/outputs/elasticsearch_spec.rb

@@ -699,9 +699,8 @@ describe LogStash::Outputs::ElasticSearch do
       end
     end
 
-
-    context "With the 'ssl' option" do
-      let(:options) { {"ssl" => true}}
+    context "With the 'ssl_enabled' option" do
+      let(:options) { {"ssl_enabled" => true}}
 
       include_examples("an encrypted client connection")
     end
@@ -712,6 +711,81 @@ describe LogStash::Outputs::ElasticSearch do
     end
   end
 
+  describe "SSL deprecated settings" do
+    let(:base_options) { {"ssl" => "true"} }
+
+    context "with client certificate" do
+      let(:do_register) { true }
+      let(:cacert) { Stud::Temporary.file.path }
+      let(:options) { base_options.merge(
+        "cacert" => cacert,
+        "ssl_certificate_verification" => false
+      ) }
+
+      after :each do
+        File.delete(cacert)
+      end
+
+      it "should map new configs into params" do
+        expect(subject.params).to match hash_including(
+                                          "ssl_enabled" => true,
+                                          "ssl_verification_mode" => "none",
+                                          "ssl_certificate_authorities" => [cacert]
+                                        )
+      end
+
+      it "should set new configs variables" do
+        expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true)
+        expect(subject.instance_variable_get(:@ssl_verification_mode)).to eql("none")
+        expect(subject.instance_variable_get(:@ssl_certificate_authorities)).to eql([cacert])
+      end
+    end
+
+    context "with java stores" do
+      let(:do_register) { true }
+      let(:keystore) { Stud::Temporary.file.path }
+      let(:truststore) { Stud::Temporary.file.path }
+      let(:options) { base_options.merge(
+        "keystore" => keystore,
+        "keystore_password" => "keystore",
+        "truststore" => truststore,
+        "truststore_password" => "truststore",
+        "ssl_certificate_verification" => true
+      ) }
+
+      let(:spy_http_client_builder!) do
+        allow(described_class::HttpClientBuilder).to receive(:build).with(any_args).and_call_original
+        allow(described_class::HttpClientBuilder).to receive(:setup_ssl).with(any_args).and_return({})
+      end
+
+      after :each do
+        File.delete(keystore)
+        File.delete(truststore)
+      end
+
+      it "should map new configs into params" do
+        expect(subject.params).to match hash_including(
+                                          "ssl_enabled" => true,
+                                          "ssl_keystore_path" => keystore,
+                                          "ssl_truststore_path" => truststore,
+                                          "ssl_verification_mode" => "full"
+                                        )
+
+        expect(subject.params["ssl_keystore_password"].value).to eql("keystore")
+        expect(subject.params["ssl_truststore_password"].value).to eql("truststore")
+      end
+
+      it "should set new configs variables" do
+        expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true)
+        expect(subject.instance_variable_get(:@ssl_keystore_path)).to eql(keystore)
+        expect(subject.instance_variable_get(:@ssl_keystore_password).value).to eql("keystore")
+        expect(subject.instance_variable_get(:@ssl_truststore_path)).to eql(truststore)
+        expect(subject.instance_variable_get(:@ssl_truststore_password).value).to eql("truststore")
+        expect(subject.instance_variable_get(:@ssl_verification_mode)).to eql("full")
+      end
+    end
+  end
+
   describe "retry_on_conflict" do
     let(:num_retries) { 123 }
     let(:event) { LogStash::Event.new("myactionfield" => "update", "message" => "blah") }
@@ -1093,12 +1167,12 @@ describe LogStash::Outputs::ElasticSearch do
       it 'adds the appropriate Authorization header to the manticore client' do
         expect(manticore_options[:headers]).to eq({ "Authorization" => base64_api_key })
       end
-      it 'is provides ssl=>true to the http client builder' do; aggregate_failures do
-        expect(described_class::HttpClientBuilder).to have_received(:build).with(anything, anything, hash_including('ssl'=>true))
+      it 'is provides ssl_enabled=>true to the http client builder' do; aggregate_failures do
+        expect(described_class::HttpClientBuilder).to have_received(:build).with(anything, anything, hash_including('ssl_enabled'=>true))
       end; end
     end
 
-    context "when set without ssl => true" do
+    context "when set without ssl_enabled => true" do
       let(:do_register) { false } # this is what we want to test, so we disable the before(:each) call
       let(:options) { { "api_key" => api_key } }
 
@@ -1114,14 +1188,14 @@ describe LogStash::Outputs::ElasticSearch do
       end
     end
 
-    context "when set without ssl specified but with an https host" do
+    context "when set without ssl_enabled specified but with an https host" do
       let(:do_register) { false } # this is what we want to test, so we disable the before(:each) call
       let(:options) { { "hosts" => ["https://some.host.com"], "api_key" => api_key } }
 
       it_behaves_like 'secure api-key authenticated client'
     end
 
-    context "when set without ssl specified but with an http host`" do
+    context "when set without ssl_enabled specified but with an http host`" do
       let(:do_register) { false } # this is what we want to test, so we disable the before(:each) call
       let(:options) { { "hosts" => ["http://some.host.com"], "api_key" => api_key } }
 
@@ -1130,9 +1204,9 @@ describe LogStash::Outputs::ElasticSearch do
       end
     end
 
-    context "when set with `ssl => false`" do
+    context "when set with `ssl_enabled => false`" do
       let(:do_register) { false } # this is what we want to test, so we disable the before(:each) call
-      let(:options) { { "ssl" => "false", "api_key" => api_key } }
+      let(:options) { { "ssl_enabled" => "false", "api_key" => api_key } }
 
       it "should raise a configuration error" do
         expect { subject.register }.to raise_error LogStash::ConfigurationError, /requires SSL\/TLS/
@@ -1142,13 +1216,13 @@ describe LogStash::Outputs::ElasticSearch do
     context "when set" do
       let(:options) { { "api_key" => ::LogStash::Util::Password.new(api_key) } }
 
-      context "with ssl => true" do
-        let(:options) { super().merge("ssl" => true) }
+      context "with ssl_enabled => true" do
+        let(:options) { super().merge("ssl_enabled" => true) }
         it_behaves_like 'secure api-key authenticated client'
       end
 
-      context "with ssl => false" do
-        let(:options) { super().merge("ssl" => "false") }
+      context "with ssl_enabled => false" do
+        let(:options) { super().merge("ssl_enabled" => "false") }
 
         let(:do_register) { false } # this is what we want to test, so we disable the before(:each) call
         it "should raise a configuration error" do
@@ -1156,7 +1230,7 @@ describe LogStash::Outputs::ElasticSearch do
         end
       end
 
-      context "without ssl specified" do
+      context "without ssl_enabled specified" do
         context "with an https host" do
           let(:options) { super().merge("hosts" => ["https://some.host.com"]) }
           it_behaves_like 'secure api-key authenticated client'
@@ -1180,7 +1254,7 @@ describe LogStash::Outputs::ElasticSearch do
 
     context 'user also set' do
       let(:do_register) { false } # this is what we want to test, so we disable the before(:each) call
-      let(:options) { { "ssl" => true, "api_key" => api_key, 'user' => 'another' } }
+      let(:options) { { "ssl_enabled" => true, "api_key" => api_key, 'user' => 'another' } }
 
       it "should fail" do
         expect { subject.register }.to raise_error LogStash::ConfigurationError, /Multiple authentication options are specified/
@@ -1189,7 +1263,7 @@ describe LogStash::Outputs::ElasticSearch do
 
     context 'cloud_auth also set' do
       let(:do_register) { false } # this is what we want to test, so we disable the before(:each) call
-      let(:options) { { "ssl" => true, "api_key" => api_key, 'cloud_auth' => 'foobar' } }
+      let(:options) { { "ssl_enabled" => true, "api_key" => api_key, 'cloud_auth' => 'foobar' } }
 
       it "should fail" do
         expect { subject.register }.to raise_error LogStash::ConfigurationError, /Multiple authentication options are specified/

data/spec/unit/outputs/elasticsearch_ssl_spec.rb

@@ -1,81 +1,197 @@
 require_relative "../../../spec/spec_helper"
 require 'stud/temporary'
 
-describe "SSL option" do
+describe "SSL options" do
   let(:manticore_double) { double("manticoreSSL #{self.inspect}") }
+
+  let(:settings) { { "ssl_enabled" => true, "hosts" => "localhost", "pool_max" => 1, "pool_max_per_route" => 1 } }
+
+  subject do
+    require "logstash/outputs/elasticsearch"
+    LogStash::Outputs::ElasticSearch.new(settings)
+  end
+
   before do
     allow(manticore_double).to receive(:close)
-    
+
     response_double = double("manticore response").as_null_object
     # Allow healtchecks
     allow(manticore_double).to receive(:head).with(any_args).and_return(response_double)
     allow(manticore_double).to receive(:get).with(any_args).and_return(response_double)
-    
     allow(::Manticore::Client).to receive(:new).and_return(manticore_double)
   end
-  
-  context "when using ssl without cert verification" do
-    subject do
-      require "logstash/outputs/elasticsearch"
-      settings = {
-        "hosts" => "localhost",
-        "ssl" => true,
-        "ssl_certificate_verification" => false,
-        "pool_max" => 1,
-        "pool_max_per_route" => 1
-      }
-      LogStash::Outputs::ElasticSearch.new(settings)
+
+  after do
+    subject.close
+  end
+
+  context "when ssl_verification_mode" do
+    context "is set to none" do
+      let(:settings) { super().merge(
+        "ssl_verification_mode" => 'none',
+      ) }
+
+      it "should print a warning" do
+        expect(subject.logger).to receive(:warn).with(/You have enabled encryption but DISABLED certificate verification/).at_least(:once)
+        allow(subject.logger).to receive(:warn).with(any_args)
+
+        subject.register
+        allow(LogStash::Outputs::ElasticSearch::HttpClient::Pool).to receive(:start)
+      end
+
+      it "should pass the flag to the ES client" do
+        expect(::Manticore::Client).to receive(:new) do |args|
+          expect(args[:ssl]).to match hash_including(:enabled => true, :verify => :disable)
+        end.and_return(manticore_double)
+
+        subject.register
+      end
     end
-    
-    after do
-      subject.close
+
+    context "is set to full" do
+      let(:settings) { super().merge(
+        "ssl_verification_mode" => 'full',
+      ) }
+
+      it "should pass the flag to the ES client" do
+        expect(::Manticore::Client).to receive(:new) do |args|
+          expect(args[:ssl]).to match hash_including(:enabled => true, :verify => :strict)
+        end.and_return(manticore_double)
+
+        subject.register
+      end
     end
-    
-    it "should pass the flag to the ES client" do
-      expect(::Manticore::Client).to receive(:new) do |args|
-        expect(args[:ssl]).to match hash_including(:enabled => true, :verify => :disable)
-      end.and_return(manticore_double)
-      
-      subject.register
+  end
+
+  context "with the conflicting configs" do
+    context "ssl_certificate_authorities and ssl_truststore_path set" do
+      let(:ssl_truststore_path) { Stud::Temporary.file.path }
+      let(:ssl_certificate_authorities_path) { Stud::Temporary.file.path }
+      let(:settings) { super().merge(
+        "ssl_truststore_path" => ssl_truststore_path,
+        "ssl_certificate_authorities" => ssl_certificate_authorities_path
+      ) }
+
+      after :each do
+        File.delete(ssl_truststore_path)
+        File.delete(ssl_certificate_authorities_path)
+      end
+
+      it "should raise a configuration error" do
+        expect { subject.register }.to raise_error(LogStash::ConfigurationError, /Use either "ssl_certificate_authorities\/cacert" or "ssl_truststore_path\/truststore"/)
+      end
     end
 
-    it "should print a warning" do
-      disabled_matcher = /You have enabled encryption but DISABLED certificate verification/
-      expect(subject.logger).to receive(:warn).with(disabled_matcher).at_least(:once)
-      allow(subject.logger).to receive(:warn).with(any_args)
-      
-      subject.register
-      allow(LogStash::Outputs::ElasticSearch::HttpClient::Pool).to receive(:start)
+    context "ssl_certificate and ssl_keystore_path set" do
+      let(:ssl_keystore_path) { Stud::Temporary.file.path }
+      let(:ssl_certificate_path) { Stud::Temporary.file.path }
+      let(:settings) { super().merge(
+        "ssl_certificate" => ssl_certificate_path,
+        "ssl_keystore_path" => ssl_keystore_path
+      ) }
+
+      after :each do
+        File.delete(ssl_keystore_path)
+        File.delete(ssl_certificate_path)
+      end
+
+      it "should raise a configuration error" do
+        expect { subject.register }.to raise_error(LogStash::ConfigurationError, /Use either "ssl_certificate" or "ssl_keystore_path\/keystore"/)
+      end
     end
   end
 
-  context "when using ssl with client certificates" do
-    let(:keystore_path) { Stud::Temporary.file.path }
-    before do
-      `openssl req -x509  -batch -nodes -newkey rsa:2048 -keyout lumberjack.key -out #{keystore_path}.pem`
-    end
+  context "when configured with Java store files" do
+    let(:ssl_truststore_path) { Stud::Temporary.file.path }
+    let(:ssl_keystore_path) { Stud::Temporary.file.path }
 
     after :each do
-      File.delete(keystore_path)
-      subject.close
+      File.delete(ssl_truststore_path)
+      File.delete(ssl_keystore_path)
+    end
+
+    let(:settings) { super().merge(
+      "ssl_truststore_path" => ssl_truststore_path,
+      "ssl_truststore_type" => "jks",
+      "ssl_truststore_password" => "foo",
+      "ssl_keystore_path" => ssl_keystore_path,
+      "ssl_keystore_type" => "jks",
+      "ssl_keystore_password" => "bar",
+      "ssl_verification_mode" => "full",
+      "ssl_cipher_suites" => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
+      "ssl_supported_protocols" => ["TLSv1.3"]
+    ) }
+
+    it "should pass the parameters to the ES client" do
+      expect(::Manticore::Client).to receive(:new) do |args|
+        expect(args[:ssl]).to match hash_including(
+                                      :enabled => true,
+                                      :keystore => ssl_keystore_path,
+                                      :keystore_type => "jks",
+                                      :keystore_password => "bar",
+                                      :truststore => ssl_truststore_path,
+                                      :truststore_type => "jks",
+                                      :truststore_password => "foo",
+                                      :verify => :strict,
+                                      :cipher_suites => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
+                                      :protocols => ["TLSv1.3"],
+                                    )
+      end.and_return(manticore_double)
+
+      subject.register
     end
+  end
+
+  context "when configured with certificate files" do
+    let(:ssl_certificate_authorities_path) { Stud::Temporary.file.path }
+    let(:ssl_certificate_path) { Stud::Temporary.file.path }
+    let(:ssl_key_path) { Stud::Temporary.file.path }
+    let(:settings) { super().merge(
+      "ssl_certificate_authorities" => [ssl_certificate_authorities_path],
+      "ssl_certificate" => ssl_certificate_path,
+      "ssl_key" => ssl_key_path,
+      "ssl_verification_mode" => "full",
+      "ssl_cipher_suites" => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
+      "ssl_supported_protocols" => ["TLSv1.3"]
+    ) }
 
-    subject do
-      require "logstash/outputs/elasticsearch"
-      settings = {
-        "hosts" => "node01",
-        "ssl" => true,
-        "cacert" => keystore_path,
-      }
-      next LogStash::Outputs::ElasticSearch.new(settings)
+    after :each do
+      File.delete(ssl_certificate_authorities_path)
+      File.delete(ssl_certificate_path)
+      File.delete(ssl_key_path)
     end
 
-    it "should pass the keystore parameters to the ES client" do
+    it "should pass the parameters to the ES client" do
       expect(::Manticore::Client).to receive(:new) do |args|
-        expect(args[:ssl]).to include(:keystore => keystore_path, :keystore_password => "test")
-      end.and_call_original
+        expect(args[:ssl]).to match hash_including(
+                                      :enabled => true,
+                                      :ca_file => ssl_certificate_authorities_path,
+                                      :client_cert => ssl_certificate_path,
+                                      :client_key => ssl_key_path,
+                                      :verify => :strict,
+                                      :cipher_suites => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
+                                      :protocols => ["TLSv1.3"],
+                                    )
+      end.and_return(manticore_double)
+
       subject.register
     end
 
+    context "and only the ssl_certificate is set" do
+      let(:settings) { super().reject { |k| "ssl_key".eql?(k) } }
+
+      it "should raise a configuration error" do
+        expect { subject.register }.to raise_error(LogStash::ConfigurationError, /Using an "ssl_certificate" requires an "ssl_key"/)
+      end
+    end
+
+    context "and only the ssl_key is set" do
+      let(:settings) { super().reject { |k| "ssl_certificate".eql?(k) } }
+
+      it "should raise a configuration error" do
+        expect { subject.register }.to raise_error(LogStash::ConfigurationError, /An "ssl_certificate" is required when using an "ssl_key"/)
+      end
+    end
   end
 end
+

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-output-elasticsearch
 version: !ruby/object:Gem::Version
-  version: 11.13.1
+  version: 11.14.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-07 00:00:00.000000000 Z
+date: 2023-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -112,6 +112,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  name: logstash-mixin-normalize_config_support
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements: