
Feat: extended secure API (truststore + TLS 1.3)

Open kares opened this issue 3 years ago • 0 comments

DRAFT: depends on Puma features not released yet: see https://github.com/elastic/logstash/issues/13406

Release notes

Logstash's API endpoint was extended with new SSL related settings, namely:

  • "api.ssl.truststore.path" to go along with "api.ssl.keystore.path" when trusted certificates are to be kept separately
  • "api.ssl.truststore.password" an (optional) password for the key store
  • "api.ssl.verification_mode" full (default) and none, similar to ES
  • "api.ssl.supported_protocols" with the ['TLSv1.3', 'TLSv1.2'] default

What does this PR do?

Extends the api.ssl name-space with extra options for users' convenience.

Also, the API atm only supports .p12 certificates. The tests using .jks did not do a good job of assuring that is the case, as all .jks files were actually PKCS#12 certificates. Thus the file suffix auto-detection could be considered a breaking change.

There's a few necessary extra bits:

  • https://github.com/elastic/logstash/pull/14259/commits/ff952e4e7093502226612cd16f1950a469c7f0ec
  • Puma's internals to redirect logging and avoid System.exit needed to be rewritten

Why is it important/What is the impact to the user?

Allows users to further/better fine tune their API endpoint security.

Checklist

  • [x] My code follows the style guidelines of this project
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] TODO I have made corresponding changes to the documentation
  • [ ] TODO I have made corresponding change to the default configuration files (and/or docker env variables)
  • [x] I have added tests that prove my fix is effective or that my feature works

Author's Checklist

  • [x] TLS 1.3 tests
  • [ ] p12 trust-store test variation
  • [ ] TODO investigate and reproduce whether Manticore client certificate auth works (this is the reason the integration specs with full verification switched to using curl)

:red_circle: all current (Ruby) unit spec as well as integration test failures are due to problems with git-sourcing the Puma gem. Bundler is not considering the -java version and at runtime the gem complains about its extension not being built; switching to gem 'puma', path: ... locally works!

When Puma is released:

  • [ ] remove git source gem 'puma', github: 'kares/puma' from Gemfile.template
  • [ ] remove git source gem 'puma', github: 'kares/puma' from qa/integration/Gemfile

How to test this PR locally

...

Related issues

  • building on top of https://github.com/elastic/logstash/pull/13308
  • https://github.com/elastic/logstash/issues/13196
  • prerequisite https://github.com/elastic/logstash/pull/14302 (for WiP)

kares, Jun 15 '22 10:06
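As an added example (not code from this PR or from Logstash itself), a Ruby check that validates the api.ssl.* settings listed above before they reach the server. The setting names and defaults are taken from the description; the checks themselves, the .p12-only rule and the function name validate_api_ssl are assumptions.

```ruby
require 'set'

API_SSL_DEFAULTS = {
  'api.ssl.verification_mode'   => 'full',
  'api.ssl.supported_protocols' => ['TLSv1.3', 'TLSv1.2']
}.freeze

VERIFICATION_MODES = Set['full', 'none'].freeze
# Assumption: only the protocols in the documented default may be offered.
SUPPORTED_PROTOCOLS = Set['TLSv1.3', 'TLSv1.2'].freeze

# Merges the defaults in, raises ArgumentError on hard errors and returns
# [effective_settings, warnings] otherwise.
def validate_api_ssl(settings)
  cfg = API_SSL_DEFAULTS.merge(settings)
  warnings = []

  keystore = cfg['api.ssl.keystore.path']
  raise ArgumentError, 'api.ssl.keystore.path is required' if keystore.nil?
  # The API endpoint only accepts PKCS#12 stores, so a .jks path is rejected
  # here rather than failing later at server start (assumed rule).
  unless keystore.end_with?('.p12')
    raise ArgumentError, "api.ssl.keystore.path must be a .p12 file: #{keystore}"
  end

  truststore = cfg['api.ssl.truststore.path']
  if truststore && !truststore.end_with?('.p12')
    raise ArgumentError, "api.ssl.truststore.path must be a .p12 file: #{truststore}"
  end
  if truststore.nil? && cfg['api.ssl.truststore.password']
    warnings << 'api.ssl.truststore.password set without api.ssl.truststore.path; ignored'
  end

  mode = cfg['api.ssl.verification_mode']
  unless VERIFICATION_MODES.include?(mode)
    raise ArgumentError, "api.ssl.verification_mode must be full or none: #{mode}"
  end
  warnings << 'api.ssl.verification_mode=none: presented certificates are not verified' if mode == 'none'

  protocols = Array(cfg['api.ssl.supported_protocols'])
  raise ArgumentError, 'api.ssl.supported_protocols must not be empty' if protocols.empty?
  bad = protocols.reject { |p| SUPPORTED_PROTOCOLS.include?(p) }
  raise ArgumentError, "api.ssl.supported_protocols has unsupported entries: #{bad.join(', ')}" unless bad.empty?

  [cfg, warnings]
end
```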