
Cherry-pick #16019 to 7.x: [Agent] Allow CA cert pinning on the Elasticsearch output or any code that uses the tlscommon.TLSConfig builder. #16675

Merged: 1 commit, Feb 28, 2020

Conversation

@ph (Contributor) commented Feb 27, 2020

Cherry-pick of PR #16019 to 7.x branch. Original message:

What does this PR do?

When multiple CAs are present on the system we cannot ensure that a
specific one was used to validate the chain exposed by the server.
This PR adds a ca_sha256 option to the tlscommon.TLSConfig that is used by all
the code that has to create a TCP client with TLS support.

When the option is set, it hooks a new callback into the validation
chain that inspects the chains verified and validated by Go to
ensure that a certificate in the chains matches the provided pin.

A usage example for the Elasticsearch output:

```yaml
output.elasticsearch:
  hosts: [127.0.0.1:9200]
  ssl.ca_sha256: <base64_encoded_sha256>
```

You can generate the pin using the openssl binary with the
following command:

```sh
openssl x509 -in ca.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```

OpenSSL's [documentation](https://www.openssl.org/docs/manmaster/man1/dgst.html)

You will need to start Elasticsearch with the following options:

```yaml
xpack.security.enabled: true
indices.id_field_data.enabled: true
xpack.license.self_generated.type: trial
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/pki/localhost/localhost.key
xpack.security.http.ssl.certificate: /etc/pki/localhost/localhost.crt
xpack.security.http.ssl.certificate_authorities: /etc/pki/ca/ca.crt
```

This pull request also includes a new service in the docker-compose.yml
that will start a new Elasticsearch server with TLS and security
configured.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works

Author's Checklist

  • Need to modify the configuration reference.
  • Need to add the documentation.

How to test this PR locally

There are multiple ways to test this. You can use the elasticsearch_ssl service defined in the docker-compose file, which starts a configured Elasticsearch with TLS and the right CA/certificate configured.

Or you can generate a CA and a server certificate using elasticsearch-certutil; make sure to export them in PEM format.

In both cases you can use the following openssl command to generate the pin from the CA:

```sh
openssl x509 -in ca.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```

And use the following output configuration:

```yaml
output.elasticsearch:
  hosts: [127.0.0.1:9200]
  username: <username>
  password: <password>
  ssl.ca_sha256: <base64_encoded_sha256>
  ssl.certificate_authorities: <path_to_ca>
```

Related issues

… that uses the tlscommon.TLSConfig builder. (elastic#16019)

* Add a sha256 pin for the CA Certificate

When multiple CAs are present on the system we cannot ensure that a
specific one was used to validate the chains exposed by the server.
This PR adds a `ca_sha256` option to the `tlscommon.TLSConfig` that is used by all
the code that has to create a TCP client with TLS support.

When the option is set, it hooks a new callback into the validation
chain that inspects the chains verified and validated by Go to
ensure that a certificate in the chains matches the provided
sha256.

Usage example for the Elasticsearch output:

```
output.elasticsearch:
  hosts: [127.0.0.1:9200]
  ssl.ca_sha256: <base64_encoded_sha256>
```

You can generate the pin using the **openssl** binary with the
following command:

```
openssl x509 -in ca.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```

OpenSSL's [documentation](https://www.openssl.org/docs/manmaster/man1/dgst.html)

You will need to start Elasticsearch with the following options:

```yaml
xpack.security.enabled: true
indices.id_field_data.enabled: true
xpack.license.self_generated.type: trial
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/pki/localhost/localhost.key
xpack.security.http.ssl.certificate: /etc/pki/localhost/localhost.crt
xpack.security.http.ssl.certificate_authorities: /etc/pki/ca/ca.crt
```

This pull request also includes a new service in the docker-compose.yml
that will start a new Elasticsearch server with TLS and security
configured.

(cherry picked from commit 0d9f03e)
@ph ph requested review from a team as code owners February 27, 2020 19:57
@ph ph requested review from urso and ruflin February 27, 2020 20:04
@ph ph self-assigned this Feb 27, 2020
@ph ph merged commit ffea1dd into elastic:7.x Feb 28, 2020