Remove SSL3 support from libbeat and its documentation. #30071

Merged
merged 2 commits into from
Jan 28, 2022
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -33,6 +33,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Change Docker base image from CentOS 7 to Ubuntu 20.04 {pull}29681[29681]
- Enrich kubernetes metadata with node annotations. {pull}29605[29605]
- Allign kubernetes configuration settings. {pull}29908[29908]
- Remove legacy support for SSLv3. {pull}30071[30071]

*Auditbeat*

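Review bot: the entry sits among ordinary feature changes, but dropping `SSLv3` from the allowed-versions list (see the `versions_default.go` lookup table in this PR) turns a value that used to parse into a configuration error for anyone who still lists it, which is a breaking change rather than a plain removal; consider filing it under the breaking-changes section and wording it so the consequence is visible, e.g. `- Remove legacy support for SSLv3; configurations that list it as an allowed protocol version are now rejected. {pull}30071[30071]`.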
22 changes: 9 additions & 13 deletions libbeat/common/transport/tlscommon/versions_default.go
Expand Up @@ -26,14 +26,13 @@ import (

// Define all the possible TLS version.
const (
TLSVersionSSL30 TLSVersion = tls.VersionSSL30
TLSVersion10 TLSVersion = tls.VersionTLS10
TLSVersion11 TLSVersion = tls.VersionTLS11
TLSVersion12 TLSVersion = tls.VersionTLS12
TLSVersion13 TLSVersion = tls.VersionTLS13
TLSVersion10 TLSVersion = tls.VersionTLS10
TLSVersion11 TLSVersion = tls.VersionTLS11
TLSVersion12 TLSVersion = tls.VersionTLS12
TLSVersion13 TLSVersion = tls.VersionTLS13

// TLSVersionMin is the min TLS version supported.
TLSVersionMin = TLSVersionSSL30
TLSVersionMin = TLSVersion10

// TLSVersionMax is the max TLS version supported.
TLSVersionMax = TLSVersion13
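Review bot: `TLSVersionSSL30` is an exported constant, so deleting it is an API break for any package that imports `tlscommon`; grep the rest of the tree (packetbeat and x-pack included) for remaining references before merging. The removal itself is sound: `tls.VersionSSL30` has been marked deprecated since Go 1.13 and `crypto/tls` stopped negotiating SSLv3 in Go 1.14, so the constant only ever produced a configuration the runtime could not honour. `TLSVersionMin = TLSVersion10` now makes TLS 1.0 the floor, which is acceptable given the documented default excludes it, but it is worth a comment explaining that the minimum only takes effect when a user explicitly lists `TLSv1`.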
Expand All @@ -55,8 +54,6 @@ var TLSDefaultVersions = []TLSVersion{
}

var tlsProtocolVersions = map[string]TLSVersion{
"SSLv3": TLSVersionSSL30,
"SSLv3.0": TLSVersionSSL30,
"TLSv1": TLSVersion10,
"TLSv1.0": TLSVersion10,
"TLSv1.1": TLSVersion11,
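Review bot: with the `"SSLv3"` and `"SSLv3.0"` keys gone, a configuration that lists either value now takes the lookup's miss path; confirm that the resulting error names the offending value and the accepted set so operators upgrading can repair their configuration, and cover that path in `versions_test.go`, since this PR removes the positive `SSLv3` case there without adding a negative one.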
Expand All @@ -77,9 +74,8 @@ func (pv TLSVersionDetails) String() string {
}

var tlsInverseLookup = map[TLSVersion]TLSVersionDetails{
TLSVersionSSL30: TLSVersionDetails{Version: "3.0", Protocol: "ssl", Combined: "SSLv3"},
TLSVersion10: TLSVersionDetails{Version: "1.0", Protocol: "tls", Combined: "TLSv1.0"},
TLSVersion11: TLSVersionDetails{Version: "1.1", Protocol: "tls", Combined: "TLSv1.1"},
TLSVersion12: TLSVersionDetails{Version: "1.2", Protocol: "tls", Combined: "TLSv1.2"},
TLSVersion13: TLSVersionDetails{Version: "1.3", Protocol: "tls", Combined: "TLSv1.3"},
TLSVersion10: TLSVersionDetails{Version: "1.0", Protocol: "tls", Combined: "TLSv1.0"},
TLSVersion11: TLSVersionDetails{Version: "1.1", Protocol: "tls", Combined: "TLSv1.1"},
TLSVersion12: TLSVersionDetails{Version: "1.2", Protocol: "tls", Combined: "TLSv1.2"},
TLSVersion13: TLSVersionDetails{Version: "1.3", Protocol: "tls", Combined: "TLSv1.3"},
}
18 changes: 7 additions & 11 deletions libbeat/common/transport/tlscommon/versions_legacy.go
Expand Up @@ -23,13 +23,12 @@ package tlscommon
import "crypto/tls"

const (
TLSVersionSSL30 TLSVersion = tls.VersionSSL30
TLSVersion10 TLSVersion = tls.VersionTLS10
TLSVersion11 TLSVersion = tls.VersionTLS11
TLSVersion12 TLSVersion = tls.VersionTLS12
TLSVersion10 TLSVersion = tls.VersionTLS10
TLSVersion11 TLSVersion = tls.VersionTLS11
TLSVersion12 TLSVersion = tls.VersionTLS12

// TLSVersionMin is the min TLS version supported.
TLSVersionMin = TLSVersionSSL30
TLSVersionMin = TLSVersion10

// TLSVersionMax is the max TLS version supported.
TLSVersionMax = TLSVersion12
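Review bot: this file mirrors `versions_default.go`, and after the change the two tables differ only in the absence of TLS 1.3 (`TLSVersionMax = TLSVersion12` here versus `TLSVersion13` there); the SSLv3 removal had to be applied to both copies by hand, so a short comment at the top of each file stating that the two must be edited together would reduce the chance that a future change lands in only one of them.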
Expand All @@ -51,17 +50,14 @@ var TLSDefaultVersions = []TLSVersion{
}

var tlsProtocolVersions = map[string]TLSVersion{
"SSLv3": TLSVersionSSL30,
"SSLv3.0": TLSVersionSSL30,
"TLSv1": TLSVersion10,
"TLSv1.0": TLSVersion10,
"TLSv1.1": TLSVersion11,
"TLSv1.2": TLSVersion12,
}

var tlsProtocolVersionsInverse = map[TLSVersion]string{
TLSVersionSSL30: "SSLv3",
TLSVersion10: "TLSv1.0",
TLSVersion11: "TLSv1.1",
TLSVersion12: "TLSv1.2",
TLSVersion10: "TLSv1.0",
TLSVersion11: "TLSv1.1",
TLSVersion12: "TLSv1.2",
}
5 changes: 0 additions & 5 deletions libbeat/common/transport/tlscommon/versions_test.go
Expand Up @@ -36,11 +36,6 @@ func TestTLSVersion(t *testing.T) {
0x0,
nil,
},
{
"SSLv3",
tls.VersionSSL30,
&TLSVersionDetails{Version: "3.0", Protocol: "ssl", Combined: "SSLv3"},
},
{
"TLSv1.0",
tls.VersionTLS10,
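Review bot: deleting the `"SSLv3"` table entry removes coverage instead of asserting the new behaviour. The case ending in `0x0, nil,` just above this hunk shows the shape the table uses for an input that yields no version; add `"SSLv3"` and `"SSLv3.0"` in that form so the test fails if either string is ever reintroduced into the lookup.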
2 changes: 1 addition & 1 deletion libbeat/docs/shared-ssl-config.asciidoc
Expand Up @@ -120,7 +120,7 @@ SSL settings are disabled if either `enabled` is set to `false` or the
List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions
not configured, the connection will be dropped during or after the handshake. The
setting is a list of allowed protocol versions:
`SSLv3`, `TLSv1` for TLS version 1.0, `TLSv1.0`, `TLSv1.1`, `TLSv1.2`, and
`TLSv1` for TLS version 1.0, `TLSv1.0`, `TLSv1.1`, `TLSv1.2`, and
`TLSv1.3`.

The default value is `[TLSv1.1, TLSv1.2, TLSv1.3]`.
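Review bot: silently dropping `SSLv3` from the list leaves upgrading users without a pointer when their Beat refuses its old configuration; a one-line note that `SSLv3` is no longer accepted and is rejected when the settings are loaded would help, since this reference is where they will look first. Separately, the pre-existing phrase `If SSL/TLS server decides for protocol versions not configured` is awkward; `If the SSL/TLS server negotiates a protocol version that is not configured` reads better and could go in a follow-up.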
3 changes: 1 addition & 2 deletions packetbeat/docs/packetbeat-options.asciidoc
Expand Up @@ -1235,8 +1235,7 @@ Packetbeat intercepts the initial handshake in a TLS connection and extracts
useful information that helps operators diagnose problems and
strengthen the security of their network and systems. It does not
decrypt any information from the encapsulated protocol, nor does it reveal any
sensitive information such as cryptographic keys. TLS versions 1.0 to 1.3 and
SSL 3.0 are supported.
sensitive information such as cryptographic keys. TLS versions 1.0 to 1.3 are supported.

It works by intercepting the client and server "hello" messages, which contain
the negotiated parameters for the connection such as cryptographic ciphers and
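Review bot: this sentence now says Packetbeat no longer supports SSL 3.0 in handshake inspection, but nothing in this PR touches the packetbeat TLS protocol parser; the code changes are confined to `libbeat/common/transport/tlscommon`, which governs outbound TLS configuration, not passive parsing of captured hellos. Either the parser already ignores SSL 3.0 hellos and the old sentence was wrong, or it still parses them and the new sentence understates what is recorded; confirm which before merging, and keep this paragraph tied to what the parser actually does rather than to the tlscommon version table.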