logstash
logstash copied to clipboard
elastic
[Meta] Support TLS 1.3
TLS v1.3 is available since Java 8u262-b10 (AdoptOpenJDK) or 8u261-b12 in the Oracle build.
https://java.com/en/jre-jdk-cryptoroadmap.html
Logstash 7.15/16 ships with Java 11 and 8.0 will even drop support for Java 8 -> TLS v1.3 could be assumed available.
This issue intends to track all the work towards being confident that Logstash supports TLS v1.3.
Core
-
[ ] Secured LS API endpoint should support TLSv1.3
- atm this is blocked by Puma providing 1.3 support under JRuby
-
[x] using the vendor-ed JDK LS should default to enabling TLSv1.2 and TLSv1.3 in the Java SSL engine
Dependencies
- [x] confirm Manticore (Apache HttpClient 4.x) works as expected against TLSv1.3
- [x] JRuby-OpenSSL lacks support for TLSv1.3 (initial support available in 0.12.1) scope unknown -> need to review Ruby OpenSSL + C-OpenSSL changes
- [x] extra JOSSL support to be able to select Java cipher names for an SSL context
to allow easy
cipher_suites => ...support for low level plugins such as the tcp input (requested feature) - [x] Puma does not support TLSv1.3 using it's MiniSSL JRuby implementation scope should be relatively simple
Plugins
-
[x] ES output - https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1055 - should work out-of-the box against ES when secured or even restricted to 1.3 only
- [x] integration tests against ES using
xpack.security.http.ssl.supported_protocols: TLSv1.3 - [x] (optional) support for
ssl_supported_protocolsoption (default=> ['TLSv1.2', 'TLSv1.3']) would be nice if the naming prefix would align with planned TLS configuration unification
- [x] integration tests against ES using
-
[x] ES input - https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/162 - should work out-of-the box against ES when secured or even restricted to 1.3 only
- [x] integration tests against ES using
xpack.security.http.ssl.supported_protocols: TLSv1.3should be working -> ~~testing relies on using the Elasticsearch transport Ruby http adapter (need TLSv1.3 in JOpenSSL)~~ - [ ] ~~(optional) enabled protocol version configuration~~ does not make much sense given only
ca_fileTLS configuration is supported atm
- [x] integration tests against ES using
-
[x] ES filter - should work out-of-the box against ES when secured or even restricted to 1.3 only https://github.com/logstash-plugins/logstash-filter-elasticsearch/pull/154
- [x] integration tests against ES using
xpack.security.http.ssl.supported_protocols: TLSv1.3 - [ ] ~~(optional) enabled protocol version configuration~~ does not make much sense given only
ca_fileTLS setting
- [x] integration tests against ES using
-
[x] HTTP mixin https://github.com/logstash-plugins/logstash-mixin-http_client/pull/40
-
[x] HTTP output https://github.com/logstash-plugins/logstash-output-http/pull/131
- [x] (optional) enabled protocol version configuration
-
[x] HTTP Poller input - Manticore based (HTTP mixin) https://github.com/logstash-plugins/logstash-input-http_poller/pull/133
- [x] (optional) enabled protocol version configuration
-
[x] HTTP filter - Manticore based (HTTP mixin) https://github.com/logstash-plugins/logstash-filter-http/pull/38
- [x] (optional) enabled protocol version configuration
-
[x] TCP input - Netty based for server mode, JOpenSSL in client mode (blocked by JRuby-OpenSSL 1.3 support) https://github.com/logstash-plugins/logstash-input-tcp/pull/198
- [x] need a new configuration option e.g.
ssl_supported_protocols - [x] ~~plugin is lacking TLS tests~~
- [x] support for configuring TLS
ssl_cipher_suites
- [x] need a new configuration option e.g.
-
[x] HTTP input https://github.com/logstash-plugins/logstash-input-http/pull/146
- [x] expose TLSv1.3 in min/max version configuration (consider deprecating the min/max options)
- [x] new configuration option (
ssl_supported_protocols) in favor oftls_min_version/tls_max_versionhttps://github.com/logstash-plugins/logstash-input-http/pull/151 - [x] plugin is lacking TLS tests (testing depends on Manticore)
-
[x] TCP output - using JOpenSSL (blocked by JRuby-OpenSSL TLS 1.3 support) https://github.com/logstash-plugins/logstash-output-tcp/pull/47
- [x] need a new configuration option
- [x] TLSv1.3 testing
- [x] (extra) ~~support for configuring TLS cipher_suites (similar to Beats input)~~
-
[x] Beats input - Netty based - does only enable TLS 1.2 review plugin for TLS 1.3 https://github.com/logstash-plugins/logstash-input-beats/pull/447
- [x] need a new configuration option
ssl_supported_protocols(Beats namingssl.supported_protocols) https://github.com/logstash-plugins/logstash-input-beats/pull/450 - [x]
cipher_suitessetting should account for TLS 1.3 suite names - [x] ~~consider abandoning the
cipher_suitesdefault on recent LS (Java >= 11) to rely on Java defaults~~ - [x] TLS 1.3 (integration) testing
- [x] need a new configuration option
Hello, looking at the status of this issue it seems TLS 1.3 is still not supported by Logstash, but I found an old PR (June 2020) where TLS 1.3 is mentioned.
Could you please confirm if it's supported or not? I come here from the Beats input documentation page that says max TLS version supported is 1.2, but I'm not sure is correct.
Thanks!
@endorama the story is in general that TLS 1.3 support depends plugin by plugin and also the JDK used (in case of old LS versions or running on older Java 8 versions).
for Beats, unfortunately, the tls_max_version parameter is hard-coded to 1.2 thus it does not adapt to enabling 1.3 despite the underlying Java SSL engine having the support (likely relates to the cipher_suites parameter which also needs revisiting). part of this meta issue we plan to look into getting Beats ready for TLS 1.3 - work is done plugin by plugin, hopefully Beats will be completed within the next few weeks.
@tsaarni thanks for the effort, whatever progress you're able to do I can built upon, what might server as an example to some extent is what we did in TCP input ... as to how much existing Beats option we'll deprecate in favor of a naming similar to the TCP input added options is undecided at this point.
