logstash icon indicating copy to clipboard operation
logstash copied to clipboard

[META] CA Trusted Fingerprint

Open yaauie opened this issue 2 years ago • 0 comments

In order to accelerate the getting-started experience with self-secured Elasticsearch clusters, eliminate the requirement to side-load specifically-formatted CA files to disk by allow users to provide the fingerprint of their Certificate Authority to establish trust.

To do this, we introduce a common ca_trusted_fingerprint for the plugins and core-features that communicate with Elasticsearch that can be populated with a hex-encoded SHA256 fingerprint of a Certificate Authority that will treat a matching certificate presented during SSL negotiation as a trust anchor.

Acceptance Criteria

The Logstash core features that communicate with Elasticsearch (Monitoring, Central Management) and the various plugins that do so (Input, Filter, Output) have a common ca_trusted_fingerprint option that when populated with one or more SHA256 fingerprints as copy/pasted from either Elasticsearch or the command-line openssl utility will treat a valid unexpired certificate matching the fingerprint as a trust anchor for establishing SSL/TLS.

Design & Implementation

  • Logstash core provides a utility that, given a fingerprint, produces an Apache HTTP TrustStrategy that can be used by the Apache HTTP client libraries (including Manticore) to bypass the Trust Manager when a certificate with a matching fingerprint is presented on the chain.
    • Failure to find a matching fingerprint falls through to the TrustManager as-configured by the plugin.
    • A matching unexpired certificate on the chain is treated as a trust anchor for the connection, and the chain between the server's certificate and the fingerprint-matching anchor is validated as usual.
    • The provided fingerprint is case-insensitive, hex-encoded, colon-optional, SHA-256 fingerprint of a trustworthy Certificate Authority in DER encoding (f1432265...b7646526 or F1:43:22:65...B7:64:65:26) so that the fingerprint can be copy/pasted from common sources.
  • The Logstash Input, Output, and Filter plugins present a new ca_trusted_fingerprint option that can be used as in addition to to their respective mishmash of truststore, cacert and ca_file options. When used in this manner, on a Logstash that provides the above-mentioned utility, these plugins can establish a connection to Elasticsearch IFF the valid certificate chain presented contains a valid CA whose fingerprint matches the provided value OR is otherwise trusted by the as-configured trust manager.
    • When ca_trusted_fingerprint is specified on a Logstash that does not provide this utility, the plugin initializer rejects the configuration helpfully.
    • When the above-mentioned utility cannot produce a TrustStrategy during plugin startup (such as when the fingerprint does not match a supported format), it is a configuration error. To do this, the plugins do not rely on the feature in core directly but instead rely on a shared loose-dependency support adapter.
  • When Logstash's core features Monitoring or Central Management are similarly configured with ${namespace}.elasticsearch.ssl.ca_trusted_fingerprint, a connection to Elasticsearch can be established IFF the certificate chain presented contains a CA whose fingerprint matches the provided value OR is otherwise trusted by the as-configured trust manager.

Cloud

Because Elastic Cloud uses certificates chained from a publicly-trusted root certificate authority, SSL/TLS configuration is already simple and does not require custom trust configuration. There are no required changes.

Implementation Progress

Phase 1 (8.3)

  • [x] Core Utility https://github.com/elastic/logstash/pull/14120
  • [x] Plugins
    • [x] Support Adapter https://github.com/logstash-plugins/logstash-mixin-ca_trusted_fingerprint_support/pull/1
    • [x] Elasticsearch Output Plugin https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1074
    • [x] Elasticsearch Input Plugin https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/178
    • [x] Elasticsearch Filter Plugin https://github.com/logstash-plugins/logstash-filter-elasticsearch/pull/158

Phase 2 (8.4)

  • [x] Core Features https://github.com/elastic/logstash/pull/14155
    • [x] Central Management
    • [x] Monitoring

yaauie avatar May 25 '22 15:05 yaauie