logstash-output-tcp 6.2.2 → 7.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 12e6eaa4720dc56a6588aae77dd029643860e9ee7bfd92e5afe8893c32773f39
-  data.tar.gz: dd6cc7805773a7a5151aeb43c72a2d5f6122aee654c14cf206a41bdb870ca0be
+  metadata.gz: d6f831af52dc575cf49b8bd64ac494753bbc852bb8cdc37df12ff7c1b0b40a7f
+  data.tar.gz: c0fd08ae08b9b9518f37164539db57a137ffea4c1a92b82915b2678f329b4247
 SHA512:
-  metadata.gz: e1a94857cb7891d1c95b30f14e19967e1a46a56c1b3380d479d064b5094318ec598914b268e13bd8c101e5234241ba0534410808152bfe1fd02d03bb63efdf0a
-  data.tar.gz: e16e659b6b97859000185d15321a2dd6c805da96628464b0989db7a6cf1879c7270309ce2eb5ba49266ea4582182f8d04183f2c7ea62094ff38b5a5053c5a168
+  metadata.gz: 3d2bf294da64059cdfd5d25ab58172e8b0d02011b9657fc72bbda2e4839d71ef64465405af9320fbaff72c2c4e76308fd696577f84c4eabad7e52bd8011ce6ca
+  data.tar.gz: 6ec47a3647e01a3324ddfdf9c0804d14aafa610e5e648d65fa90e37c89831cf1a8f5e3c3f709c564d9ae3bd55a794af62d9bbca8f2d098e0963e347e7a5ed85e

data/CHANGELOG.md

@@ -1,6 +1,11 @@
-## 6.2.2
-  - Invoke post_connection_check on connect [#61](https://github.com/logstash-plugins/logstash-output-tcp/pull/61)
-
+## 7.0.0
+  - SSL settings that were marked deprecated in version `6.2.0` are now marked obsolete, and will prevent the plugin from starting.
+  - These settings are:
+      - `ssl_cert`, which should be replaced by `ssl_certificate`
+      - `ssl_cacert`, which should be replaced by `ssl_certificate_authorities`
+      - `ssl_enable`, which should be replaced by `ssl_enabled`
+      - `ssl_verify`, which should be replaced by `ssl_client_authentication` when `mode` is `server` or `ssl_verification_mode`when mode is `client`
+      - [58](https://github.com/logstash-plugins/logstash-output-tcp/pull/58)
 ## 6.2.1
   - Document correct default plugin codec [#54](https://github.com/logstash-plugins/logstash-output-tcp/pull/54)
 

data/docs/index.asciidoc

@@ -33,6 +33,10 @@ depending on `mode`.
 
 This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.
 
+NOTE: As of version `7.0.0` of this plugin, a number of previously deprecated settings related to SSL have been removed. Please see the
+<<plugins-{type}s-{plugin}-obsolete-options>> for more details.
+
+
 [cols="<,<,<",options="header",]
 |=======================================================================
 |Setting |Input type|Required
@@ -40,19 +44,15 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-mode>> |<<string,string>>, one of `["server", "client"]`|No
 | <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
 | <<plugins-{type}s-{plugin}-reconnect_interval>> |<<number,number>>|No
-| <<plugins-{type}s-{plugin}-ssl_cacert>> |a valid filesystem path|__Deprecated__
-| <<plugins-{type}s-{plugin}-ssl_cert>> |a valid filesystem path|__Deprecated__
 | <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
 | <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_client_authentication>> |<<string,string>>, one of `["none", "optional", "required"]`|No
-| <<plugins-{type}s-{plugin}-ssl_enable>> |<<boolean,boolean>>|__Deprecated__
 | <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-ssl_verification_mode>> |<<string,string>>, one of `["full", "none"]`|No
-| <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|No
 |=======================================================================
 
 Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
@@ -97,24 +97,6 @@ When mode is `client`, the port to connect to.
 
 When connect failed,retry interval in sec.
 
-[id="plugins-{type}s-{plugin}-ssl_cacert"]
-===== `ssl_cacert` 
-deprecated[6.2.0, Replaced by <<plugins-{type}s-{plugin}-ssl_certificate_authorities>>]
-
-  * Value type is <<path,path>>
-  * There is no default value for this setting.
-
-The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
-
-[id="plugins-{type}s-{plugin}-ssl_cert"]
-===== `ssl_cert` 
-deprecated[6.2.0, Replaced by <<plugins-{type}s-{plugin}-ssl_certificate>>]
-
-  * Value type is <<path,path>>
-  * There is no default value for this setting.
-
-SSL certificate path
-
 [id="plugins-{type}s-{plugin}-ssl_certificate"]
 ===== `ssl_certificate`
 
@@ -160,15 +142,6 @@ Please note that the server does not validate the client certificate CN (Common
 NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-mode>> is `server` and <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> is set.
 
 
-[id="plugins-{type}s-{plugin}-ssl_enable"]
-===== `ssl_enable` 
-deprecated[6.2.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
-
-  * Value type is <<boolean,boolean>>
-  * Default value is `false`
-
-Enable SSL (must be set for other `ssl_` options to take effect).
-
 [id="plugins-{type}s-{plugin}-ssl_enabled"]
 ===== `ssl_enabled`
 
@@ -223,15 +196,21 @@ has a hostname or IP address that matches the names within the certificate.
 
 NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-mode>> is `client`.
 
-[id="plugins-{type}s-{plugin}-ssl_verify"]
-===== `ssl_verify` 
-deprecated[6.2.0, Replaced by <<plugins-{type}s-{plugin}-ssl_client_authentication>> and <<plugins-{type}s-{plugin}-ssl_verification_mode>>]
+[id="plugins-{type}s-{plugin}-obsolete-options"]
+==== TCP Output Obsolete Configuration Options
+
+WARNING: As of version `6.0.0` of this plugin, some configuration options have been replaced.
+The plugin will fail to start if it contains any of these obsolete options. 
 
-  * Value type is <<boolean,boolean>>
-  * Default value is `false`
 
-Verify the identity of the other end of the SSL connection against the CA.
-For input, sets the field `sslsubject` to that of the client certificate.
+[cols="<,<",options="header",]
+|=======================================================================
+|Setting|Replaced by
+| ssl_cacert |<<plugins-{type}s-{plugin}-ssl_certificate_authorities>>
+| ssl_cert |<<plugins-{type}s-{plugin}-ssl_certificate>>
+| ssl_enable |<<plugins-{type}s-{plugin}-ssl_enabled>>
+| ssl_verify |<<plugins-{type}s-{plugin}-ssl_client_authentication>> in `server` mode and <<plugins-{type}s-{plugin}-ssl_verification_mode>> in `client` mode
+|=======================================================================
 
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]

data/lib/logstash/outputs/tcp.rb

@@ -3,7 +3,6 @@ require "logstash/outputs/base"
 require "logstash/namespace"
 require "thread"
 require "logstash/util/socket_peer"
-require "logstash/plugin_mixins/normalize_config_support"
 
 # Write events over a TCP socket.
 #
@@ -13,8 +12,6 @@ require "logstash/plugin_mixins/normalize_config_support"
 # depending on `mode`.
 class LogStash::Outputs::Tcp < LogStash::Outputs::Base
 
-  include LogStash::PluginMixins::NormalizeConfigSupport
-
   config_name "tcp"
   concurrency :single
 
@@ -35,9 +32,6 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base
   # `client` connects to a server.
   config :mode, :validate => ["server", "client"], :default => "client"
 
-  # Enable SSL (must be set for other `ssl_` options to take effect).
-  config :ssl_enable, :validate => :boolean, :default => false, :deprecated => "Use 'ssl_enabled' instead."
-
   # Enable SSL (must be set for other `ssl_` options to take effect).
   config :ssl_enabled, :validate => :boolean, :default => false
 
@@ -48,10 +42,6 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base
   # This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
   config :ssl_client_authentication, :validate => %w[none optional required], :default => 'none'
 
-  # Verify the identity of the other end of the SSL connection against the CA.
-  # For input, sets the field `sslsubject` to that of the client certificate.
-  config :ssl_verify, :validate => :boolean, :default => false, :deprecated => "Use 'ssl_client_authentication' when `mode` is 'server' or 'ssl_verification_mode' when mode is `client`"
-
   # Options to verify the server's certificate.
   # "full": validates that the provided certificate has an issue date that’s within the not_before and not_after dates;
   # chains to a trusted Certificate Authority (CA); has a hostname or IP address that matches the names within the certificate.
@@ -59,16 +49,11 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base
   # "none": performs no certificate validation. Disabling this severely compromises security (https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf)
   config :ssl_verification_mode, :validate => %w[full none], :default => 'full'
 
-  # The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
-  config :ssl_cacert, :validate => :path, :deprecated => "Use 'ssl_certificate_authorities' instead."
 
   # Validate client certificate or certificate chain against these authorities. You can define multiple files.
   # All the certificates will be read and added to the trust store.
   config :ssl_certificate_authorities, :validate => :path, :list => true
 
-  # SSL certificate path
-  config :ssl_cert, :validate => :path, :deprecated => "Use 'ssl_certificate' instead."
-
   # SSL certificate path
   config :ssl_certificate, :validate => :path
 
@@ -84,6 +69,11 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base
   # The list of ciphers suite to use
   config :ssl_cipher_suites, :validate => :string, :list => true
 
+  config :ssl_enable, :obsolete  => "Use 'ssl_enabled' instead."
+  config :ssl_verify, :obsolete => "Use 'ssl_client_authentication' when `mode` is 'server' or 'ssl_verification_mode' when mode is `client`"
+  config :ssl_cacert, :obsolete => "Use 'ssl_certificate_authorities' instead."
+  config :ssl_cert, :obsolete => "Use 'ssl_certificate' instead."
+
   class Client
 
     ##
@@ -189,11 +179,6 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base
   end
   private :load_cert_store
 
-  def initialize(*args)
-    super(*args)
-    setup_ssl_params!
-  end
-
   # @overload Base#register
   def register
     require "socket"
@@ -279,7 +264,7 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base
     client_socket = nil
     @codec.on_event do |event, payload|
       begin
-        client_socket = retryable_connect unless client_socket
+        client_socket = connect unless client_socket
         while payload && payload.bytesize > 0
           begin
             written_bytes_size = client_socket.write_nonblock(payload)
@@ -331,34 +316,32 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base
     @logger.error(msg, details)
   end
 
+  private
+
   def connect
-    client_socket = TCPSocket.new(@host, @port)
-    if @ssl_enabled
-      client_socket = OpenSSL::SSL::SSLSocket.new(client_socket, @ssl_context)
-      begin
-        client_socket.connect
-        client_socket.post_connection_check(@host) if @ssl_verification_mode == 'full'
-      rescue OpenSSL::SSL::SSLError => ssle
-        log_error 'connect ssl failure:', ssle, backtrace: false
-        client_socket.close rescue nil
-        raise
+    begin
+      client_socket = TCPSocket.new(@host, @port)
+      if @ssl_enabled
+        client_socket = OpenSSL::SSL::SSLSocket.new(client_socket, @ssl_context)
+        begin
+          client_socket.connect
+        rescue OpenSSL::SSL::SSLError => ssle
+          log_error 'connect ssl failure:', ssle, backtrace: false
+          # NOTE(mrichar1): Hack to prevent hammering peer
+          sleep(5)
+          raise
+        end
       end
+      client_socket.extend(::LogStash::Util::SocketPeer)
+      @logger.debug("opened connection", :client => client_socket.peer)
+      return client_socket
+    rescue => e
+      log_error 'failed to connect:', e
+      sleep @reconnect_interval
+      retry
     end
-    client_socket.extend(::LogStash::Util::SocketPeer)
-    @logger.debug("opened connection", :client => client_socket.peer)
-    client_socket
-  end
-
-  private
-  def retryable_connect
-    connect
-  rescue => e
-    log_error 'failed to connect:', e
-    sleep @reconnect_interval
-    retry
-  end
+  end # def connect
 
-  private
   def validate_ssl_config!
     unless @ssl_enabled
       ignored_ssl_settings = original_params.select { |k| k != 'ssl_enabled' && k != 'ssl_enable' && k.start_with?('ssl_') }
@@ -407,47 +390,6 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base
     original_params.include?('ssl_enable') ? 'ssl_enable' : 'ssl_enabled'
   end
 
-  def setup_ssl_params!
-    @ssl_enabled = normalize_config(:ssl_enabled) do |normalizer|
-      normalizer.with_deprecated_alias(:ssl_enable)
-    end
-
-    @ssl_certificate = normalize_config(:ssl_certificate) do |normalizer|
-      normalizer.with_deprecated_alias(:ssl_cert)
-    end
-
-    if server?
-      @ssl_client_authentication = normalize_config(:ssl_client_authentication) do |normalizer|
-        normalizer.with_deprecated_mapping(:ssl_verify) do |ssl_verify|
-          ssl_verify == true ? 'required' : 'none'
-        end
-      end
-    else
-      @ssl_verification_mode = normalize_config(:ssl_verification_mode) do |normalize|
-        normalize.with_deprecated_mapping(:ssl_verify) do |ssl_verify|
-          ssl_verify == true ? 'full' : 'none'
-        end
-      end
-
-      # Keep backwards compatibility with the default :ssl_verify value (false)
-      if !original_params.include?('ssl_verify') && !original_params.include?('ssl_verification_mode')
-        @ssl_verification_mode = 'none'
-      end
-    end
-
-    @ssl_certificate_authorities = normalize_config(:ssl_certificate_authorities) do |normalize|
-      normalize.with_deprecated_mapping(:ssl_cacert) do |ssl_cacert|
-        if File.directory?(ssl_cacert)
-          Dir.children(ssl_cacert)
-          .map{ |f| File.join(ssl_cacert, f) }
-          .reject{ |f| File.directory?(f) || File.basename(f).start_with?('.') }
-        else
-          [ssl_cacert]
-        end
-      end
-    end
-  end
-
   def server?
     @mode == "server"
   end # def server?

data/logstash-output-tcp.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-output-tcp'
-  s.version         = '6.2.2'
+  s.version         = '7.0.0'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Writes events over a TCP socket"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -24,7 +24,6 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'logstash-core', '>= 8.1.0'
   s.add_runtime_dependency 'logstash-codec-json'
   s.add_runtime_dependency 'stud'
-  s.add_runtime_dependency 'logstash-mixin-normalize_config_support', '~>1.0'
 
   s.add_runtime_dependency 'jruby-openssl', '>= 0.12.2' # 0.12 supports TLSv1.3
 

data/spec/fixtures/encrypted/instance.crt

@@ -1,29 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIFCTCCAvGgAwIBAgIUdHG7Xk1l4WxvSlUvAk1mpmlhCTQwDQYJKoZIhvcNAQEL
-BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDQyNDE1MDUzMFoXDTI2MDQy
-NDE1MDUzMFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF
-AAOCAg8AMIICCgKCAgEApPKmPu7+6UxegJTzmS672REWIo+YtCK0I+Wxb4/SYwBo
-9zbeGPYzs5PDA8kc8slWHsXuItjsRe5aPwtXjgmySpdQJN+RafO+F5r2nDnNftPs
-oSqINJChKxfGAW+kNWDPU7gJWIujReBBrAojouPxSKsVmldtQONwS6aOJ397iPYH
-d17eoqlKtQbCSwoNFTj+QkAeZRtbuwyfuwqdv1srn5HAaLMcJfXJ++1J400GLacw
-Zk54HlPsPfFp092fMh0S2rkUc8ksSF3Ak5vJEgKIu3yYv3Exttvv5C1Hw5i0T1fk
-26TEpsDkM3v+rJROLWZegolmyOOwPz+5OxhwCf806qatWbqQACBbS/Dpgd9wjeDO
-cyunucN5zSjRYkRY0otsMOIFAfLumZJBOOJz2J1PkyfE1u38tHTBQ/EGFB/T60IN
-6IE4xLCV3dlxM29ezEg7Lc+tzgMFWtWmMUlJP0HT8KUkBIyjaNl7PAgwrZvL9clQ
-5ppLbU2A3e4HDE4PCqjfUq7ZEbgB0kiyvTb8LkOXRqu/jvQt3Askm6WnHGggCLY9
-MYRzOkYOtCJn8zS/RY4KWrciOJYc8ieKoJ96oHc/gWkeIsL5eZ0RDUmwXbNqff8K
-Ol2lx/UceoY89qoLBsTcD3Gdq4hKP5opEpsOPrTQA52Os01pEEJx4oB8tkLC00EC
-AwEAAaNTMFEwHQYDVR0OBBYEFJLCl1hNHzoaJG4yaZTY0tRkBqt3MB8GA1UdIwQY
-MBaAFJLCl1hNHzoaJG4yaZTY0tRkBqt3MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggIBADlqdYnWF/dfNwvrP7A0lqiCO8Gc5ia/tP5xepswtKHwTLlf
-WzvGI9gDDOdaOLU2BNAJjn5o6DA9MF9IWNHYCnEp0ZKTXX69IlJB3/VK2JU0L2pY
-R9deha5fqAELge9o1dZ4lwvHPCsRO3peNSbQCVXSPSRNw/iQITrL/VM2qT88bJd9
-v/DK0UNnhmJKNXQSjHwUtkBeKXrIURRlmkXr6YR+wIhQEm8Tx0dJTmUVb1e7bjmm
-/NwDG+qFFiGScLzmVVk2gAaiPJpOFjyFqsazMUXPD/3uHPwIvVXpLxr0pby2bMHj
-8FAxYYqIKcx8m0tSFecOx7k1gp1nODygJQwXuqsVbJjM1x1xA8WL0a4dcr7WCqhj
-bswICLFPHTRhEqK1D8a6TEe156H2b0p4YFhjXDy94ppGEg+1/bKklehihpS2nerO
-JUiuWrLNirK3Xqs7rNJ1tMx+D3fCJOdnELYjYB7HbIyySF5wTtNKSPGzhI7HMdj9
-s1B8OuNJTDPKkz3P3OOFUL5Eqs6Ztvzt58+VBMv7X3+8qrSfgmhzKVm4vv3t/pOX
-M3ACdYyC4y6p2HtoPke1C4ySze7f2LAW+g3Pj7awlSUsnaf2gElke8UszMvl84qI
-QZ7qExJbYJ7UU9gzNG2rHE/e1OM4OL+W70t44QgNiynQCVfhC+XTAmjF0NZn
+MIIDIjCCAgqgAwIBAgIUTCjyocBgCYSWU/GYI58F0IBXLHswDQYJKoZIhvcNAQEL
+BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
+cmF0ZWQgQ0EwHhcNMjIwMzIxMDc1NTU2WhcNMjUwMzIwMDc1NTU2WjATMREwDwYD
+VQQDEwhpbnN0YW5jZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJKT
+f0FF/R9WBC7lwN0IJdOn+jPJJ+4M3LY/sfFuTaAUgPSaiRLLzCjox1p1Xy9z+xyk
+C2Dkhb4FdOZBNqS/w0Z7lkrha8VZg2UKW4+i1lq4ANPl9sP9YCbh1R+SRdpHnZX7
+APG798+0+NC4GmEeOIFfWsEE4MiFXAPunhAlAbxMl6e5htX4cgYWMbH67Ur1/uQB
+26Y6PBahKP7dbxaL/ugPE6MDmmA+cNRWMa21Ay2h94IesRXwNRFn1gQ1SqKU0hBJ
+KX7u0IoYyS6nbDlF6E+npLLWzDMCHsykrnadWV5kDSNv1t7Wvk0noNStrryOXgtc
+7iCCOX1oqsP/yDNl9OECAwEAAaNNMEswHQYDVR0OBBYEFBtzuCJPEhHW3ZD1bReq
+S6K3P09OMB8GA1UdIwQYMBaAFJcC1Mw29qzRV0dPCCc6GyB8LXx3MAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQELBQADggEBAHvXsfMgY+PTBCnW3A6QCGZ3jTSRqqXRFYB8
+b/unfhD4iUFlgO4a/UCL2MTsFYXkzvlzwQyH6ll9/rTslBvJLiqi3+IZMfGNoaNI
+LhTLy0NF9scPju7Q6MxcPAceI4gmxKyBWJxm4XYJ1VwmPKJNzKqFEwfPWMakxUaT
+wiuhVodqZweWi7S2keYiduBLEbqWBJPKAnb8e3PIILBqL0nfhmVw0NSAD19d9oLR
+89AaY8zQ4YL4Txs4FSrK0VQl3L6NAtAaq9JvXqzXD/E0EO1YL8ykM3Zash/GG9iN
+B9Momegqn8/q7pfoWdkE2oL9KUKispUT9Fq3mY6KHZL1T4SbxL8=
 -----END CERTIFICATE-----

data/spec/fixtures/encrypted/instance.key

@@ -1,54 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,4E027532A0DE587AFF949BA191AB0BC1
+DEK-Info: AES-128-CBC,635374A0A566A0189BE4366E77881457
 
-qRkEJzBeUiaCXUlFHBmuoDC8kMAcrc7LTICcvfrZksXd8NzyXef+mzh9Np6MkeFz
-XEmk0kfXYHSJTiNA5RJipzAxp/erbhMXJoiid4YYcwvpNEN3RE3TMp7v+01G5v4K
-6m5mRDKHSy5QTbvh+72q3f0UumPva/VKOtrZnllATxQ4Irk08NJEMZBb/SrY9ajZ
-sbWzVLGNhNhNY6//wIq5fOBUlxd4muaIwA9Ck761/hnkXvlE0/kiP7CabKkruAF3
-kF5C3chqYZFVWbLaeO+ZhD7S2tSBHqJLgtAt8xDC5u2ujOxDILB6x4IJ9t+dZasS
-XMmahYZYhNwrdD0TijBn3ccQPYehlCqRokqBRylVs43G8SlT3360g2XtIFXSCD95
-DaR6LPZmR3w5NHEc1oEZ65Z3q1jk2Bd4WKl2mmrky1BuZjdoB/XeeGPJPuVJXvkD
-78ogn0oP/01xAAyTx88jb4x32RMBKb7lBR0DYNtbxJd3lpv5oH5ZeyU3zHEeTrIY
-9Kr+c2OqsGGv2jMGyOTxGH1Fj5qUElAese1TDNjzrTSPI4JQMcbt2Ipt6dOHgWDM
-WAWIYnFWaipNmDv0uXlFDMXO3b6mplnPZyJ+3tAegeT3PA95PJhscB8OiftqYHJV
-+EhmVTixmzsUcktSPjKbk4FwomkJyJYW7m5I6UClsXI2YqrEXToK5xHzajAdKclb
-MxLUHEMHVRiN/bcdRUplAL5ZIy3OBkziZdogJsNK6t8dTURUc8185QfpubsP2O88
-Ph2GFR8swKzltPuRaawBYfOey+ZA5mTM6D899tPi0EGJcOGthHo1pRRRQ0KiJhCm
-Sb8+QL+Q0v2fFiV6HG0Rj+1NZnVYdWfaipPkeN4WA7MNsHrvpDRq4fN2wLGj3vl4
-SHecd4i3wV8UhYfJhWVPcjwOvDIAsgl2CR3vSZgm+/dbNyYDeeofOWzppmVIbDtO
-3Ko5HwTOZDwF8IRqZL8x18T5Oz1IWKNadIwcttZHRspgiIsXcQmOnaIcS0ckHgNy
-ec0eEvXIMriOJXIJb9AIvtX0ge8XU39hnfCq5nl2ea/RPxiuviwnb1KIjtKWliXz
-HU2/nZdQSiVUAFpFOq8/MJaTOnxtu6vk70NRj7tEQfft97NyFSZAa6yyqNz8ZORU
-UbHSUJeoKJNPmBsxeXr/ZSTGi6T4J052ocDMdwves4Qdx2Eu1+2qID5+CDQosdDU
-iTzAaz5B6C8OOUZWIcxMoU0G2YQFgXZch5k+yUHZKbiqKBWFAHX/LDUR/RyY/JK0
-qPAFQUiJtF9pmNwBMSFe7bMyRNDiqW9VLu7epNyR/HzuW1rSIgUloWVM+mC5YAs8
-ujbuNB/yw7NaC8LsKSzODZ3ObhrEwFnvsXpjjcBnGBcAvu0icafmJM/q1FwBseF0
-tOASNYPcf6wOuULaWR6YWq7DA9PY90n12fwOJYMDugCjPGzKmEwKulGq5x77dFRP
-thZRBbY4IgVXF1AYJTCRPqTrorRgtyN7aVdjBTYBa480GXtYJgK0EqqpYkRDOg6D
-co+rtiVueymNf5xaoLi+ZRMim/c9MhuTRcjZnZ5+mejiCY75AYlMlvRu808BosqF
-3i05KM0+TBEZc5MIVUNoh6DHqdDaG+oLgEBXFMInwFhOxDVHgFYSwaJVi/NXKji2
-WFksoApn/PHo0/Q3vlCSpnHiScugLkvsRJGhjgL6MB0g2LvMxd8SJaIS+ls4cYZB
-LPYeN+FNhOSVeK5b5b5URtk8xDMPIk8SBp+zQY2lI3IfMpeLlVLt7ESZXKNDLs0J
-E6c930zkboHuDQG+qs7MPNi9eEwHJHny5tbdbZvxzHCHKZ8IBxtNAVVRhltK0lEG
-bguv/tXePqVVZApUnoL7ElzTcBSS2hu817YAtXOrOrVGLg0lbCqVsOCcMe/rhy5j
-Ci22wc5Blt+FAwHfM/lit00XKZft5GnMancwkQ2g2XpasDOsVMlbt5EsHvIIo/SS
-57O7ANkRnsOdzY6quYpD7l+WM7RNyiQ2mknURVBpQQ2RO0vZjKHI6SEulVHMUpWr
-ViRG7swROwcu/EylVliZ2qGWbBKmSpTyr5Cb8e9UqHER+/SOdSW4Yy19px1O+IjR
-7jzbf6pwe2SyO9A4cgXOR9tzD4wH7KW3xaM7lzauS3/pPXiaF6r1YxA30RWYTbpt
-ST+Eqx1X+NmGlR1Wib+Y9h+KOpeGQ2OypNTOU94Yb5IKVuEUwX0j+68X2PzyrNf/
-/nfpy6+D4a6S3E1JZd+mUhMYqrihxVBOJq8d+sK7D0Fhzb+XOMAe4LKl6fwFrrQR
-NXdK1AtQAew/tSZjIUyl4MhIqHNq27IplJAiUOGXxMxt5MSoji3r6yfk4XXly05G
-ejHq6w1G4nJ3/B6bt2VA2Cd/XDsE2poin7bv8IhXQkQhZt64LC5x2ntIiI5xAGig
-/5q1hTHYe+QXVqploLrKILJZ74qI8G1KMXFnM9TdG5zdwxSgyP6BedViwMe4fyG+
-ysyBO0wQXjOVxraGye5AT5HFZgZSeeizKyhd148ECj1YA/eZMLgoBe2kFl8ZHYSt
-xBXj2Wod1UCYI5hXUJMI7Jp2ZqZenrip0lbMuwcsYXx76Y/VXtW8LD5+gUx8bpmg
-Hlr5gGeLe/eu5tdILB5K+kgYlWfQJ0+N/8f/G1JZRh3TOTEi4bO8alEeC4rSo+TE
-ZnFGmdpwG91+RTL2xLLxWXV+R9h3M0p2m3iCkAdEA7Fjj7JmUWs7bm0ZJNClfevi
-2t5V/Vjxu1Pm7eMihO9+HKYSfpeFFWK4Yhin7lIm3bNLm5js8O2Ro8JI0V5DZ6d3
-L01pbXqp+wbE4rwNzftY4KR1TWZThl4kaJEvbw6s7Hpco/1avqYtozwN60o/0kh5
-zqXNU6vPGFUKffksCABkkYiZAXWIqsu7Kfqox21O+k1HPHmwwfxr1VgqDXaynTag
-6jKP2yvUZMJjfFOOh7TpJdY6CTYRBwCoOSA8DbBYSgbfmpR8s2ldtG6zzbZt4dxI
-IV6L9ahGCLIZ+WwLpQ0Oupa1YAFYXQonm6Yj3SidFJzb57wYHoqvPnH54UKOVjsR
-U7T/t77NFl3Vo9f6IcbZ5+Rxx/EG0Qq2lt+xE69Y+Jp9mgVimyNg9Z4Mdq3h/KKy
+LbCmLGC8BAWKYUt+fYIIxUC5rh3D7CFN8LXjjGIYMVRs2seMqhCNJjtdLQ6poin5
+H6W/c5+VXzzsgczFgZnQecoqWgqg4FoTZSacVVx/waekkdua9zjPReastV+7AcBG
+MJJi8lYEIv+qacqxEzDJSis7XO0YXp2OBqUtfcaT5PunJ1bj5SQnqf7k1hb193bZ
+C03MhZ6HdblY6IKvslqV5VWU38gPN0F6JN5/7vLgZyExYjTA1wkzdJXCzKAEwlfU
+vF5/AKDGFpQAYMTnPwszpeUj+wyuAwaxt8uNkVFrfVIf+eaPqX1OStEAIiRNZerl
+dTsKxLdYBBJz6G9wZLz+bWNpFsvS9gG1LlvMsycnwrfmwWTidmS8nDdLVfja2/XH
+LXvwSnI+NHtnQ/R+duMZpJrqQljBZAZsyzW8Eyjaqi1ybwi50J/pwsX/J0jVQly/
+Gr8A/SDfr1qJ82SQUfi0ZGoKVXaSJ31pPKBy9LpDGFZS7rFJsL/Aysd2lhyF/Tj1
+kG60MAxFjfoRsNhBWj7pm/13hVlidwNrmhbzrnsFPuWDVWFYq71oljJ+YLlbljLB
+L6rnQXr2iy+y3W03lryAsxtCrcJ6Sa+9EUNp55loGhK3EXCXnhNr3B1SfxGCXbAv
+GI2h1RRbn/Pnht17pkiXsajE8vESWLqzZj6gtmYmMHQ+GY5l8SHTTMhV2DpYZFfE
+nnUxyPOlXnm2uegQRf/ee8kKeUQZl9Bs2ZyniE0uzRGZqhQLlJCwYhOmEYFsv5kk
+vD1Go4N2NqbMOipCFHbnm3IvG1rOBYtqHzHLwycsJw+2f1Dyu5T9GlEcJL7GeCWO
+muY4Gjx7p84N1wwJ/IN4BRjkMD0qAXbKg9cnh/nDSaFgMez6jiaR+lJGV/srfpwB
+6bDOpRN/RarjRcQGVEfkP/UqJVWU8ZwnNqar5202WGSXI9HUYTQapVCh2NvBdYOS
+VV+Ah2qE48s3qI95h80Ix0G7Or7ALJbSn6d190frUnXOUOye4+4MB3w+G0kGTQq8
+w+pjqrSAGLA3yobrPki374X3ZMdYbdggDHn3pl/NvQVHZ4FRmYXyUVZfckV/7w0C
+t1wBqh83ZM3XusivAy0/g6/124Xe2jkl6B0aNlAtxj3VTMBJNjLRIpoX5hR6TZq8
+cHRvWaIOif8oOn6Q6PIGtpsAjejZ0jUPuvPHUwuYSYFUk/WH09k8tXD/ZZnoKZWV
+xqrx3cBCKjoBu9HnPsPoQ6sedaM/L/i3osW7GBSMt2GApOqDoKQ70Ya6TSmbnDYv
+roYy/R5vDqzTGK0gUyLNNCNhpuzEXjjaCwXegJ/GYl3mwcB8o5y1insyqfc0JPy1
+oF0tYxw62Ovx9Udg9Ib94q0BQDhi5L55QZYKQAAz4+CW71aG30ETw32EtnUMnB4f
+2cswibLj7JhER/4pjOoKHF47wLJtlWlaceFvGWzno8uSY74qaRQHslwNHwx61I2q
+rhsbD1wsvyEkxlIdSIlyUf8yj5LXWNMoixFppqh4VY4OAINxkNBEaJRzU6aMKn1n
+Btvg2OePOvebCvJRvWousIgB2brZ5ioU336Tjb0uDeHIPF51+o78wtaS+jK084Bu
 -----END RSA PRIVATE KEY-----

data/spec/fixtures/plaintext/instance.crt

@@ -1,29 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIFCTCCAvGgAwIBAgIUEfdmTh/66Nb7eEdKJ/b0HxO46S8wDQYJKoZIhvcNAQEL
-BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDQyNDE1MDUzMFoXDTI2MDQy
-NDE1MDUzMFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF
-AAOCAg8AMIICCgKCAgEApPKmPu7+6UxegJTzmS672REWIo+YtCK0I+Wxb4/SYwBo
-9zbeGPYzs5PDA8kc8slWHsXuItjsRe5aPwtXjgmySpdQJN+RafO+F5r2nDnNftPs
-oSqINJChKxfGAW+kNWDPU7gJWIujReBBrAojouPxSKsVmldtQONwS6aOJ397iPYH
-d17eoqlKtQbCSwoNFTj+QkAeZRtbuwyfuwqdv1srn5HAaLMcJfXJ++1J400GLacw
-Zk54HlPsPfFp092fMh0S2rkUc8ksSF3Ak5vJEgKIu3yYv3Exttvv5C1Hw5i0T1fk
-26TEpsDkM3v+rJROLWZegolmyOOwPz+5OxhwCf806qatWbqQACBbS/Dpgd9wjeDO
-cyunucN5zSjRYkRY0otsMOIFAfLumZJBOOJz2J1PkyfE1u38tHTBQ/EGFB/T60IN
-6IE4xLCV3dlxM29ezEg7Lc+tzgMFWtWmMUlJP0HT8KUkBIyjaNl7PAgwrZvL9clQ
-5ppLbU2A3e4HDE4PCqjfUq7ZEbgB0kiyvTb8LkOXRqu/jvQt3Askm6WnHGggCLY9
-MYRzOkYOtCJn8zS/RY4KWrciOJYc8ieKoJ96oHc/gWkeIsL5eZ0RDUmwXbNqff8K
-Ol2lx/UceoY89qoLBsTcD3Gdq4hKP5opEpsOPrTQA52Os01pEEJx4oB8tkLC00EC
-AwEAAaNTMFEwHQYDVR0OBBYEFJLCl1hNHzoaJG4yaZTY0tRkBqt3MB8GA1UdIwQY
-MBaAFJLCl1hNHzoaJG4yaZTY0tRkBqt3MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggIBAGyxaUWK/Xhc8ZZ1TlJ8yz7RCN/wtRdB/Cw+6XIH9pJ86YEm
-oSmdYj+2hJ650qjAh1rqjoACxcCAIWlBfrG14pVnDdKOVQwX+NZjRZv3V4fRdqSs
-DgzOLbdZcocL97S42b6qPhlpkiTlQ4Z6nzeB4HjzVln+0bAb9ykFxnyicCHyCPg5
-rSO5eiLGq/eXQOblBpb/xqOSsiRq6VHBFfOjjFDE2eOiYT5kuZvOWNgHUz/4e2TN
-7WXNB3eJgNfmttXsQnNMK7G5J7rYlnOSg7bTCZFFbcGKf2CILKxDn4KCv/ZWeeBc
-bAuAaGAJTO+DLZlah2Yn0bpkmvpsLZ6NmZr9T+BV0xa17Q8VEgd9tensxnmp0gf/
-xC+kapL6pMu+2VJHQ0V9K32h3hongddofKczL1ztvKhISIVYM+vPwxS9VdXEwUxz
-HTqu9hP5TBQCHR5cAKBwz3+haWA6iq8rCEXoDgwHgwYARQI6C6f8AVbU9OWLt5Nt
-RwpJYMYpJhIOyuuRpaCIKAyBaST87MOj6dB31mlZQtXUFJ2ZYNmpZlCwoS1BWj8m
-gHsv5vqPVHUq0lvxamNPJyGLfv+lckxXQcepMdjl2qLkAQJFYNMwOy9fFVZXOt3k
-N5J4xyJ3nD50j/y9KeM3s7pDHENyIQtstJ3kMyCaD97SSlcXxTlinYOp2SIl
+MIIDIjCCAgqgAwIBAgIURM555Ac4/c8UOP5fB12+1bo+b7owDQYJKoZIhvcNAQEL
+BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l
+cmF0ZWQgQ0EwHhcNMjIwMzIxMDc1NTA4WhcNMjUwMzIwMDc1NTA4WjATMREwDwYD
+VQQDEwhpbnN0YW5jZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI0s
+sYPGWeca0YMIVATxnEA/+WFL/eWWcbaX5JeaJA+g6WxMs2B6FEMfaSxauGrHZJWt
+YNP1s0pptzJEPAZyx3Tkv8oNtSai3rpOocY3ebE/SWXlQd7xHWvy+w5ls1LRHINU
+pEnMZhjdHqXFjIipmsAXihzU/BrHkWGfddco88YuaMgtWbLIqQr/oHyd2F6KgQby
+HPSD35hCYvLQiHEY7vIntA6A9mYSdbZg0ZvI+QGEvZmhYXZjKOy7Vfg8p1zmfbIn
+XdddCOkBp5gXDu8aRxigaQAi3Y+ESnVPxDr62+VEzCdmd/PCW8blHfvE9bTgqjYm
+gH01PAoqQewkuxclufECAwEAAaNNMEswHQYDVR0OBBYEFNIW9layQi7V2kbYjwIu
+NWT0QXOdMB8GA1UdIwQYMBaAFEyJvLXizLXiGu8sBnIcIS001ArxMAkGA1UdEwQC
+MAAwDQYJKoZIhvcNAQELBQADggEBAAOnGIKiJxEc684Y6w1WpRftiD8VnkzE+A8n
+uVXJibZzEKqxMWZ83A4lTugG+vKpOj1+8hcYUdXhIo2Qt92ArIOr2S7awdkMeoRq
+eIKPElC9/8mm3572kdlqBuiT12bA2oD4zrI2hS0HV21DMLAxoorzLqn0TjMnnpm3
+J1KLJzzMSRtiUtwiLXG4tx2ThXfTwcJmsRMQqZW/mFajEVs0jafUAeBH7hZoZX8o
+7e0O3TCQ5JWW3/xeGK/JnAZ1IyA6jQU/J5LbGgPVu0FBGmVn3PhtwYASrdXWzK4s
+ncofcBHflmi8dkiKHVWNnOTdZdzkApYo59/eq4iDESR8YNgOCKA=
 -----END CERTIFICATE-----

data/spec/fixtures/plaintext/instance.key

@@ -1,52 +1,27 @@
------BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCk8qY+7v7pTF6A
-lPOZLrvZERYij5i0IrQj5bFvj9JjAGj3Nt4Y9jOzk8MDyRzyyVYexe4i2OxF7lo/
-C1eOCbJKl1Ak35Fp874XmvacOc1+0+yhKog0kKErF8YBb6Q1YM9TuAlYi6NF4EGs
-CiOi4/FIqxWaV21A43BLpo4nf3uI9gd3Xt6iqUq1BsJLCg0VOP5CQB5lG1u7DJ+7
-Cp2/WyufkcBosxwl9cn77UnjTQYtpzBmTngeU+w98WnT3Z8yHRLauRRzySxIXcCT
-m8kSAoi7fJi/cTG22+/kLUfDmLRPV+TbpMSmwOQze/6slE4tZl6CiWbI47A/P7k7
-GHAJ/zTqpq1ZupAAIFtL8OmB33CN4M5zK6e5w3nNKNFiRFjSi2ww4gUB8u6ZkkE4
-4nPYnU+TJ8TW7fy0dMFD8QYUH9PrQg3ogTjEsJXd2XEzb17MSDstz63OAwVa1aYx
-SUk/QdPwpSQEjKNo2Xs8CDCtm8v1yVDmmkttTYDd7gcMTg8KqN9SrtkRuAHSSLK9
-NvwuQ5dGq7+O9C3cCySbpaccaCAItj0xhHM6Rg60ImfzNL9FjgpatyI4lhzyJ4qg
-n3qgdz+BaR4iwvl5nRENSbBds2p9/wo6XaXH9Rx6hjz2qgsGxNwPcZ2riEo/mikS
-mw4+tNADnY6zTWkQQnHigHy2QsLTQQIDAQABAoICAEGGKshBRH4E2l2VzhcB25ll
-Ejf0dyLHzmucKRo6NcciOJBL+XpNA0jI3+U3FQrVNCLRWcH6DhHRl4QHy2YfL/Y1
-mZ6sOSWvr8nMwz5YL+u73/o93RGUipGFxiB36vFRXcrSBtRn1BpD9ZKUDIf+qLDH
-VbOUG1B1iPxkU4AZQkesBFdFFofjXEwBPVl1yrCtjUNgGTLs5UmuwB0bIIMNgozG
-53ov/HSP6QbswjdLN7MXAUEC1vClQelxZyrElSLhLcY5U4iTV8X/iCqa7gr7ermP
-y1Xxb2BGiktIOYPXu3jxX3ZpQ71CTuSs0wRXfZ7HVa/hSTVwTWkytTBmistN2ATj
-n0246fT+JRkncXQIcActqIyzk7b3o0bqxRLx3vBRUsif1BB34l0+mkUvyQXlGJux
-XpCmbmA0BUDkUkLYFsHwBCEfmYXKM2ue5XB/nbqqK/UX7DrlrJSCh5eL8hpvWXEI
-WQGSscEbDKAAWsoCMZn2ZEhUUIv/W7TOX6ApB3oJZOiYNlhQjlygZPebETyXEvWD
-EN+4+Y7U2oKBF2iNfEcm0SOs/4mx6Sr7ifhXZ2Yue8WUcQ+sof/XERGPdWGb/Ye9
-rg8BHvc80bNnXmGZphSOOXKdWKPSZI25ApIZyrqayc661hLztOKfH5rEhMwHW1ke
-BSGka1EfvGovJ7JXqJvJAoIBAQDQAnLHbstyup+t7/UahnaAoI0YQ4IEbLwe7GUj
-nJyTT1h5pL+WSxsljxrQq6LwVSgmE0Ib260s5581E9SM/b0hE7qeUS+V0J7Y3ePk
-xiCaCgP6gALyVhxtQGQsL+05DuaDQ8Vo3Z0J4kUoCbYPnLAmYNI5FZ0GTrHOi9JD
-Jh7u7jvIaNLaz9Fl8ebQU/0G4cT53HY+XMmlsm5n3ZJoFk14PAQiaQCSVZg8Ityk
-M37gkLZYncaRuRvfp8Z/DRM3Zjoim3y4QIR/SAv/q+Asaqb5HAMbSrWThcXyNkLu
-KGEs/xWnBAK2VIZr7XAVQYwxDgLZjowLmXgHb2vqsUJEPKQ/AoIBAQDLAN8Kp3Np
-5R6ZDKvDyvZ/CfHVyqfaKzrKVQg67qddOjpNTtnz08OkOCW4HrnknCr9+WJElBdn
-Q1eqPCngvWtxDxfh0Qzvkh1eiC90bgzks6OH4Ex98AYSX/+zX/B+TGalYtVlOstt
-6oz7JYwjgNPsoEkAbBwnGl/JTFEQ1UNuRmxDBP+bgJRbqt6zMOr3Ig94mDLKI6xm
-uxZLW6pSv12jXQPxsUQ/roUCrcFB0ry6PT7PEB3JxGAsJbZZE//QP9KZ8CAy+vR9
-N8jk/gzCQgkhca3DI9EeB79wP/DLjSwE5AVodL9SJfZX9pYmsj2JSk615a946ELT
-7AE4GrHaHKh/AoIBAQCxhiVnR4uistusmupYZQGl7V/9oT/JfvNegOogZnzKzCD6
-UDyijB7zAxsjlBhPfJ3zQORe2jEF7ffWWMJCQhuzqx7OFwPBnHa1J0pj6SPR01Jp
-6+6X3B4Or7HOdGjFFY5t4N0ODnUEBnR3IzKaSGOdnWxNA8ErrOXbHUGpxVMJH5Eu
-DShHTq2rj7QpgESmJvDxPdI8jvwZyhqn0lYtNzuOrcnphCvUt/BhAm/EQ565EUhO
-gPkDTTQYwRuLOyF3WmurNYBPz+BEsLxsy8daoPs4B0wvcqdc7AJwIRcmIpgsytcz
-3xxhd+nxGodZ3MNE6mxMOHgVPjlOPy2e8wFXM1oJAoIBAHu2bTat85zuP2ZgHXE1
-iGDFK7bxSLehLrPNfDWF6ULcUFl6m0KHpCu49+ur9feG4IBkcWl/on+Qv6UEAzVt
-2kNNQm2gm7SIJBPPBLR8uKjLfPY6UANTui+Kh2bGKeaeItPZVljZqs2yafZH3I5q
-XTxQNgzm1YVTAlrHgoOyo+RZUHLLYgZfJopyqEMlpZu0Cx+gCRu8/7yfeSe1lifV
-bXg4IEYzlHcGoRKP1z2I8vDAkD1aAf1LCpz84pKIqJY9vteHSegnncWNsIU0+YuM
-+MmD4LQSaMdXS2hZ3yH9R303hMAyncGvVuAmazzr1KqNOUiK0BPr34YMxnVtd0OH
-wXsCggEBAMHukcdldqhBwdSUMDlzqoUGBtHdA5KCbAbJTL0P1EvqVivinWsu0idR
-q4Nr+0y2SEsgWB0Io7BZcBRtXGFq08IkWV2PAcuEMNkXcOjZsPWEGxJxv7A0jhP1
-9Y6eSxlOJfbT7nKQAnY3sADOzzCDR+xKcUrckFNxaIIKRFgkTyRP137LGeCvti4M
-BFWjRfoaaDIJ6Fe8KfTz0Gds+oDQE5H9FzGaMSpY4OS9ERWmA+FVUBgGu8KYcZA8
-L71sA6CRBK04MsK3rKi+/5tQZHxrkLb3Ast5So7f8TbgJCe7fGo0jDcmwxlarN+K
-o22D2dsjujfyKKiKar1g0pjn2ouLyGI=
------END PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAjSyxg8ZZ5xrRgwhUBPGcQD/5YUv95ZZxtpfkl5okD6DpbEyz
+YHoUQx9pLFq4asdkla1g0/WzSmm3MkQ8BnLHdOS/yg21JqLeuk6hxjd5sT9JZeVB
+3vEda/L7DmWzUtEcg1SkScxmGN0epcWMiKmawBeKHNT8GseRYZ911yjzxi5oyC1Z
+ssipCv+gfJ3YXoqBBvIc9IPfmEJi8tCIcRju8ie0DoD2ZhJ1tmDRm8j5AYS9maFh
+dmMo7LtV+DynXOZ9sidd110I6QGnmBcO7xpHGKBpACLdj4RKdU/EOvrb5UTMJ2Z3
+88JbxuUd+8T1tOCqNiaAfTU8CipB7CS7FyW58QIDAQABAoIBAD10dD4J7X72JLgm
+uvR//OXXM4cQXpFAAXZb/s2j8wi+on5bkUZxPjrOBKmjQF5zOC0UEW+TqJ2/EVmX
+bI3eD0eqgHbDqtUL12tA6Zlw8s+e3iO2Pgt/6K/iUTm+OebWUtQ012Osz9EJCNte
++MNRGaV/WccdTDWYJIhbsx+bmyrsxxW49rwvgxI26tpJYp0QEmwEiDqfc8kRFWgy
+xVSt8Rjwk418YdsYUIGrO6RsGkwsCOTJWUJpBOzLBKwj4do5l5fC2g1/MSlj7Odj
+0HH/riBmzBj/YcyMlkhfGU0Zj/OlDnz8FP5HhfpYsGxvrjOYJ49Cl4cu8r47wnFP
+nx4RMmUCgYEA4U9hOtp8oJ+Ztio/1I6bAb/hKLJ3LNeV46697/lTy6tSVmYJ1DGJ
+YU3P5wmOpjZC2xs22VyX/vgC1v5RT0Jg8CGgXukmMV1gQQch6gAQci9+ZJ4LRz9U
+++dXyKuUbqncx9ezFwddBr+jQuu6Wn2AHljEp7wZGaijxD2lsp4B8vcCgYEAoGd8
+w+hre2pGy5PKJPSoPp+9tNVJasXe3DM6ZYEZkd+96gStA+8UlSYe9hP+Taik7oUJ
+SYzELfyU8s+9XWozaa1T5PeyY8jIbEnUHWy8Uag4dHY7ooR+7b3iAD4RLfx3o2GP
+vJwP3i2FwklDbbyugVXZBfkSf2NJ4QidYIWzGFcCgYAD4MHjqW8LtLOIlyGSHwI7
+/Xl6ode7RdqmmJNcVgZDMyevpQH2TQP4UMaLS3bRFY4BB27iPt2+3bXuzWHI43OX
+rnx8JbcqkljdxamnxWiDDp42TSIUj9p+m3S/V3Suku3h4qyKcO4A97tvo28Jr69M
+1mpMGMi10FlBP25irKWL8QKBgQCZqKlnjrWwA24QROJnpoupeiMkIRH0m9rS/Kwb
+YqHZEQoALTyEwTnpaxxLxXlecYiWCZGNCLFCEG2rcQBJhZv8xxLQC8yzNDtzKQJu
+saRxYQG75ytXky94lebzLoIMmIcPVz13g9TblKZHKSHT9OUCdvewdhqXN8klLrh8
+J3gafwKBgQDcn/8lzfmbsKO/V9fzEbqUQJOJkwyf2adLFD+KlHM3+VAghnj70j05
+1XDkQ3LOgKrqPdC/HIGjjlkTn6vaieXltHguMg99nPpzj+LXrtN22ru2eTjjUNsD
++uB9N4kgUAR00xu60xkkOSK1TcudeL5uwejO2ul0tkDu1YGDvhXymA==
+-----END RSA PRIVATE KEY-----

data/spec/outputs/tcp_spec.rb

@@ -24,6 +24,25 @@ describe LogStash::Outputs::Tcp do
 
   let(:event) { LogStash::Event.new('message' => 'foo bar') }
 
+  ['server', 'client'].each do |mode|
+    describe "handling obsolete settings for #{mode} mode" do
+      [{:name => 'ssl_cert', :replacement => 'ssl_certificate', :sample_value => "certificate_path"},
+       {:name => 'ssl_cacert', :replacement => 'ssl_certificate_authorities', :sample_value => "certificate_path"},
+       {:name => 'ssl_enable', :replacement => 'ssl_enabled', :sample_value => true},
+       {:name => 'ssl_verify', :replacement => 'ssl_client_authentication', :sample_value => 'peer'}].each do | obsolete_setting |
+        context "with obsolete #{obsolete_setting[:name]}" do
+          let (:deprecated_config) do
+            config.merge({'mode' => mode, obsolete_setting[:name] => obsolete_setting[:sample_value]})
+          end
+
+          it "should raise a config error with the appropriate message" do
+            expect { LogStash::Outputs::Tcp.new(deprecated_config).register }.to raise_error LogStash::ConfigurationError, /The setting `#{obsolete_setting[:name]}` in plugin `tcp` is obsolete and is no longer available. Use '#{obsolete_setting[:replacement]}'/i
+          end
+        end
+      end
+    end
+  end
+
   context 'failing to connect' do
 
     before { subject.register }
@@ -125,7 +144,7 @@ describe LogStash::Outputs::Tcp do
   context "client mode" do
     before { subject.register }
 
-    let(:config) { super().merge('mode' => 'client', 'host' => 'localhost') }
+    let(:config) { super().merge 'mode' => 'client' }
 
     it 'writes payload data' do
       Thread.start { sleep 0.25; subject.receive event }
@@ -214,7 +233,7 @@ describe LogStash::Outputs::Tcp do
 
       context 'with supported protocol' do
 
-        let(:config) { super().merge("ssl_supported_protocols" => ['TLSv1.2']) }
+        let(:config) { super().merge("ssl_supported_protocols" => ['TLSv1.2'], "ssl_verification_mode" => "none") }
 
         let(:server_min_version) { 'TLS1_2' }
 
@@ -229,48 +248,11 @@ describe LogStash::Outputs::Tcp do
           expect( read ).to end_with 'foo bar'
         end
 
-        context 'with ssl_verification_mode => full' do
-          let(:config) do
-            {
-              "mode" => "client",
-              "host" => "localhost",
-              "port" => port,
-              "ssl_enabled" => true,
-              "ssl_certificate_authorities" => crt_file,
-              "ssl_verification_mode" => "full",
-              "codec" => "plain"
-            }
-          end
-
-          context "with right host name" do
-            let(:config) { super().merge("host" => "localhost") }
-            it 'reads plain data' do
-              thread = Thread.start { sleep 0.25; subject.receive event }
-              socket = secure_server.accept
-              read = socket.sysread(100)
-              expect( read.size ).to be > 0
-              expect( read ).to end_with 'foo bar'
-            end
-          end
-
-          context "with wrong host name" do
-            let(:config) { super().merge("host" => "127.0.0.1") }
-            it 'closes the connection' do
-              thread = Thread.start do
-                sleep 0.25
-                expect { subject.connect }.to raise_error(OpenSSL::SSL::SSLError, /hostname "127.0.0.1" does not match the server certificate/)
-              end
-              secure_server.accept rescue nil # the other side will close the connection potentially causing a "Socket closed" error
-              thread.join
-            end
-          end
-        end
-
       end
 
       context 'with unsupported protocol (on server)' do
 
-        let(:config) { super().merge("ssl_supported_protocols" => ['TLSv1.1'], "reconnect_interval" => 1) }
+        let(:config) { super().merge("ssl_supported_protocols" => ['TLSv1.1']) }
 
         let(:server_min_version) { 'TLS1_2' }
 
@@ -278,16 +260,16 @@ describe LogStash::Outputs::Tcp do
         after { secure_server.close }
 
         it 'fails (and loops retrying)' do
-          expect(subject.logger).to receive(:error).twice.with(/connect ssl failure/i, hash_including(message: /No appropriate protocol/i)).and_call_original
-          expect(subject.logger).to receive(:error).twice.with(/failed to connect/i, hash_including(exception: OpenSSL::SSL::SSLError)).and_call_original
+          expect(subject.logger).to receive(:error).with(/connect ssl failure/i, hash_including(message: /No appropriate protocol/i)).and_call_original
+          expect(subject.logger).to receive(:error).with(/failed to connect/i, hash_including(exception: OpenSSL::SSL::SSLError)).and_call_original
           expect(subject).to receive(:sleep).once.and_call_original
           expect(subject).to receive(:sleep).once.and_throw :TEST_DONE # to be able to abort the retry loop
 
           Thread.start { secure_server.accept rescue nil }
-          expect { sleep 0.25; subject.receive event }.to throw_symbol(:TEST_DONE)
+          expect { subject.receive event }.to throw_symbol(:TEST_DONE)
         end
 
-      end
+      end if LOGSTASH_VERSION > '7.0'
 
     end
 
@@ -314,7 +296,7 @@ describe LogStash::Outputs::Tcp do
     context "and protocol is TLSv1.3" do
       let(:key_file) { File.join(FIXTURES_PATH, 'plaintext/instance.key') }
       let(:crt_file) { File.join(FIXTURES_PATH, 'plaintext/instance.crt') }
-      let(:config) { super().merge("ssl_certificate" => crt_file, "ssl_key" => key_file) }
+      let(:config) { super().merge("ssl_certificate" => crt_file, "ssl_key" => key_file, "ssl_verification_mode" => "none") }
 
       let(:secure_server) do
         ssl_context = OpenSSL::SSL::SSLContext.new
@@ -411,16 +393,6 @@ describe LogStash::Outputs::Tcp do
         end
       end
 
-      context "with deprecated ssl_verify = true and no ssl_certificate_authorities" do
-        let(:config) { super().merge(
-          'ssl_verify' => true,
-          'ssl_certificate_authorities' => []
-        ) }
-
-        it "should register without errors" do
-          expect { subject.register }.to_not raise_error
-        end
-      end
 
       %w[required optional].each do |ssl_client_authentication|
         context "with ssl_client_authentication = `#{ssl_client_authentication}` and no ssl_certificate_authorities" do
@@ -446,53 +418,6 @@ describe LogStash::Outputs::Tcp do
       end
     end
 
-    context "with deprecated settings" do
-      let(:ssl_verify) { true }
-      let(:certificate_path) { File.join(FIXTURES_PATH, 'plaintext/instance.crt') }
-      let(:config) do
-        {
-          "host" => "127.0.0.1",
-          "port" => port,
-          "ssl_enable" => true,
-          "ssl_cert" => certificate_path,
-          "ssl_key" => File.join(FIXTURES_PATH, 'plaintext/instance.key'),
-          "ssl_verify" => ssl_verify
-        }
-      end
-
-      context "and mode is server" do
-        let(:config) { super().merge("mode" => 'server') }
-        [true, false].each do |verify|
-          context "and ssl_verify is #{verify}" do
-            let(:ssl_verify) { verify }
-
-            it "should set new configs variables" do
-              subject.register
-              expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true)
-              expect(subject.instance_variable_get(:@ssl_client_authentication)).to eql(verify ? 'required' : 'none')
-              expect(subject.instance_variable_get(:@ssl_certificate)).to eql(certificate_path)
-            end
-          end
-        end
-      end
-
-      context "and mode is client" do
-        let(:config) { super().merge("mode" => 'client') }
-        [true, false].each do |verify|
-          context "and ssl_verify is #{verify}" do
-            let(:ssl_verify) { verify }
-
-            it "should set new configs variables" do
-              subject.register
-              expect(subject.instance_variable_get(:@ssl_enabled)).to eql(true)
-              expect(subject.instance_variable_get(:@ssl_verification_mode)).to eql(verify ? 'full' : 'none')
-              expect(subject.instance_variable_get(:@ssl_certificate)).to eql(certificate_path)
-            end
-          end
-        end
-      end
-    end
-
     context "with ssl_client_authentication" do
       let(:config) do
         super().merge 'ssl_client_authentication' => 'required'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-output-tcp
 version: !ruby/object:Gem::Version
-  version: 6.2.2
+  version: 7.0.0
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-29 00:00:00.000000000 Z
+date: 2025-01-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -72,20 +72,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  name: logstash-mixin-normalize_config_support
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements: