[Agent] Allow CA cert pinning on the Elasticsearch output or any code that uses the tlscommon.TLSConfig builder. #16019
Merged
Commits on Feb 7, 2020
Add a sha256 pin for the CA Certificate
When multiple CAs are present on the system we cannot ensure that a specific one was used to validate the chains exposed by the server. This PR adds a `ca_sha256` option to the `tlscommon.TLSConfig` that is used by all the code that has to create a TCP client with TLS support. When the option is set, it will hook a new callback into the chain validation that will inspect the chains verified and validated by Go to ensure that at least one certificate in the chains matches the provided sha256.

Usage example for the Elasticsearch output:

```
output.elasticsearch:
  hosts: [127.0.0.1:9200]
  ssl.ca_sha256: <base64_encoded_sha256>
```

You can generate the pin using the **openssl** binary with the following command:

```
openssl x509 -in ca.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```

OpenSSL's [documentation](https://www.openssl.org/docs/manmaster/man1/dgst.html)

You will need to start Elasticsearch with the following options:

```yaml
xpack.security.enabled: true
indices.id_field_data.enabled: true
xpack.license.self_generated.type: trial
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/pki/localhost/localhost.key
xpack.security.http.ssl.certificate: /etc/pki/localhost/localhost.crt
xpack.security.http.ssl.certificate_authorities: /etc/pki/ca/ca.crt
```

This pull request also includes a new service in the docker-compose.yml that will start a new Elasticsearch server with TLS and security configured.
Commits on Feb 10, 2020