logstash-output-elasticsearch 11.3.3-java → 11.5.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d61a9b747e103df43da5dbfb1d17b1b569be50c28c309b31b465473b745d25c
-  data.tar.gz: 730421e68d942ed0deb80afc3c8691dc3d42a7c0942b0184e45898d46829a816
+  metadata.gz: 7eab2dc342c636e2d5df4e2f9bbd776b446cf110a0803c11fc919fcbbd2f2d83
+  data.tar.gz: 565ed3031b685f8541853043d486bda0cff8aa7da2c6f2733e0e2b43345de099
 SHA512:
-  metadata.gz: 6541260b1af413acf1b4728aca0d3590e622dce3096257c67e6a27bd66468d773cc197d6b2055fca17439ec5861aed422e198c8c3ab8475ebd257a63f0e6ca56
-  data.tar.gz: '00410793caecb073abea82106174bc894f13aeb8d8d20e44d22c223ad80a1fd5adfc8b1d7b80fe6670aa0b9fe7f4ce577f6c60f6505064b6678dcfd1100edd0e'
+  metadata.gz: 1fbb452170d276531d9b202538d9cf0a23b834053309c818aaaff6f75dd41ecd3d787394234c295639d95d2fe763d1063424cff56b598d1ba16e2fe92374df44
+  data.tar.gz: 6b7f17fa679306e65ec94a048ef2205ec9f884cbd11fe1adf861dbb1eccaea752105c3bf149a4fe08f1cdb3c6189200d612dc4cece52ac937eb78d599b188926

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 11.5.0
+ - Feat: add ssl_supported_protocols option [#1055](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1055)
+
+## 11.4.2
+ - [DOC] Add `v8` to supported values for ecs_compatiblity defaults [#1059](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1059)
+
+## 11.4.1
+ - Feat: upgrade manticore (http-client) library [#1063](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1063)
+   - the underlying changes include latest HttpClient (4.5.13)
+   - resolves an old issue with `ssl_certificate_verification => false` still doing some verification logic
+
+## 11.4.0
+ - Updates ECS templates [#1062](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1062)
+   - Updates v1 templates to 1.12.1 for use with Elasticsearch 7.x and 8.x
+   - Updates BETA preview of ECS v8 templates for Elasticsearch 7.x and 8.x
+
 ## 11.3.3
  - Feat: add support for 'traces' data stream type [#1057](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1057)
 

data/Gemfile

@@ -12,4 +12,5 @@ end
 
 if RUBY_VERSION == "1.9.3"
   gem 'rake', '12.2.1'
-end
+end
+

data/docs/index.asciidoc

@@ -355,6 +355,7 @@ This plugin supports the following configuration options plus the
 | <<plugins-{type}s-{plugin}-sniffing_path>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_verification>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-template>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-template_name>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-template_overwrite>> |<<boolean,boolean>>|No
@@ -554,7 +555,7 @@ If you don't set a value for this option:
 * Value type is <<string,string>>
 * Supported values are:
 ** `disabled`: does not provide ECS-compatible templates
-** `v1`: provides defaults that are compatible with v1 of the Elastic Common Schema
+** `v1`,`v8`: Elastic Common Schema-compliant behavior
 * Default value depends on which version of Logstash is running:
 ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
 ** Otherwise, the default value is `disabled`.
@@ -1004,6 +1005,23 @@ Option to validate the server's certificate. Disabling this severely compromises
 For more information on disabling certificate verification please read
 https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
 
+[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
+===== `ssl_supported_protocols`
+
+  * Value type is <<string,string>>
+  * Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
+  * Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`.
+    `'TLSv1.1'` is not considered secure and is only provided for legacy applications.
+
+List of allowed SSL/TLS versions to use when establishing a connection to the Elasticsearch cluster.
+
+For Java 8 `'TLSv1.3'` is supported  only since **8u262** (AdoptOpenJDK), but requires that you set the
+`LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
+
+NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
+the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
+the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
+
 [id="plugins-{type}s-{plugin}-template"]
 ===== `template`
 
@@ -1018,8 +1036,8 @@ If not set, the included template will be used.
 
   * Value type is <<string,string>>
   * Default value depends on whether <<plugins-{type}s-{plugin}-ecs_compatibility>> is enabled:
-  ** ECS Compatibility disabled: `logstash`
-  ** ECS Compatibility enabled: `ecs-logstash`
+    ** ECS Compatibility disabled: `logstash`
+    ** ECS Compatibility enabled: `ecs-logstash`
 
 
 This configuration option defines how the template is named inside Elasticsearch.

data/lib/logstash/outputs/elasticsearch/http_client.rb

@@ -283,11 +283,11 @@ module LogStash; module Outputs; class ElasticSearch;
     end
 
     def client_settings
-      @options[:client_settings] || {}
+      @_client_settings ||= @options[:client_settings] || {}
     end
 
     def ssl_options
-      client_settings.fetch(:ssl, {})
+      @_ssl_options ||= client_settings.fetch(:ssl, {})
     end
 
     def http_compression

data/lib/logstash/outputs/elasticsearch/http_client_builder.rb

@@ -132,14 +132,16 @@ module LogStash; module Outputs; class ElasticSearch;
         ssl_options[:keystore] = keystore
         ssl_options[:keystore_password] = keystore_password.value if keystore_password
       end
+
       if !params["ssl_certificate_verification"]
-        logger.warn [
-                       "** WARNING ** Detected UNSAFE options in elasticsearch output configuration!",
-                       "** WARNING ** You have enabled encryption but DISABLED certificate verification.",
-                       "** WARNING ** To make sure your data is secure change :ssl_certificate_verification to true"
-                     ].join("\n")
-        ssl_options[:verify] = false
+        logger.warn "You have enabled encryption but DISABLED certificate verification, " +
+                    "to make sure your data is secure remove `ssl_certificate_verification => false`"
+        ssl_options[:verify] = :disable # false accepts self-signed but still validates hostname
       end
+
+      protocols = params['ssl_supported_protocols']
+      ssl_options[:protocols] = protocols if protocols && protocols.any?
+
       { ssl: ssl_options }
     end