From 331f6392c00ca0a1d2f16c5130410c14c07166ca Mon Sep 17 00:00:00 2001
From: Ahren Stevens-Taylor
Date: Mon, 16 Oct 2017 12:24:14 +0100
Subject: [PATCH 1/2] Allow for non-mutual authenticated SSL connections

---
 lib/logstash/outputs/tcp.rb | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/lib/logstash/outputs/tcp.rb b/lib/logstash/outputs/tcp.rb
index edf7d26..93397f8 100644
--- a/lib/logstash/outputs/tcp.rb
+++ b/lib/logstash/outputs/tcp.rb
@@ -42,6 +42,9 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base
   # The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
   config :ssl_cacert, :validate => :path
 
+  # Do not perform TLS Mutal Authentication, only require a certificate for the client (only with :mode=>"client")
+  config :ssl_mutual, :validate => :boolean, :default => true
+
   # SSL certificate path
   config :ssl_cert, :validate => :path
 
@@ -85,8 +88,11 @@ def setup_ssl
     require "openssl"
 
     @ssl_context = OpenSSL::SSL::SSLContext.new
-    @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
-    @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
+
+    if @ssl_mutual
+      @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
+      @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
+    end
     if @ssl_verify
       @cert_store = OpenSSL::X509::Store.new
       # Load the system default certificate path to the store
@@ -97,7 +103,11 @@ def setup_ssl
         @cert_store.add_file(@ssl_cacert)
       end
       @ssl_context.cert_store = @cert_store
-      @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      if @ssl_mutual
+        @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      else
+        @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      end
     end
   end # def setup_ssl
 

From 5782f82a1f4bd0e5eb0961cf621a805699a5dc82 Mon Sep 17 00:00:00 2001
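Review bot: The doc comment on the new `ssl_mutual` option says the opposite of what the option does: "only require a certificate for the client" reads as if the client must present one, while setting it to false is what stops the client from presenting a certificate (the cert/key load is skipped in the later hunk), leaving only verification of the server's certificate when `ssl_verify` is on; it also misspells "Mutual". Since this comment is what ends up in the generated plugin documentation, I would replace it with `# Set to false to skip TLS mutual authentication: no client certificate is presented (ssl_cert/ssl_key are not loaded) and, when ssl_verify is true, only the server's certificate is checked. Only meaningful with mode => "client"; a server always needs ssl_cert/ssl_key.` The "(only with :mode=>"client")" restriction is stated here but nothing in the patch enforces it, which is worth either fixing or calling out explicitly in the comment.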
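Review bot: Guarding the cert/key load on `@ssl_mutual` alone means that in server mode with `ssl_mutual => false` the context is built with no certificate and no key, which OpenSSL will only reject at the first client handshake rather than at plugin registration, so the misconfiguration the option's own comment forbids is silently accepted here. Assuming the plugin's `mode` option is held in `@mode` (the comment on the new option refers to `:mode=>"client"`; the `mode` config itself is outside this hunk), I would reject the combination up front, before the `if @ssl_mutual` block: `if !@ssl_mutual && @mode == "server"` / `raise LogStash::ConfigurationError, "ssl_mutual => false is only valid with mode => client"` / `end`. It is also worth confirming that `ssl_cert`/`ssl_key` are not still validated as required elsewhere in `register`, otherwise the option is unusable without dummy files. `setup_ssl` starts before this hunk and continues past it.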
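Review bot: The new `else` branch sets `VERIFY_PEER` only, which checks that the server's chain is trusted but not that the certificate belongs to the host being connected to, and in the non-mutual client mode this commit introduces, the server certificate is the only thing authenticating the peer. Because the store also loads the system default CA paths (per the comment above `set_default_paths` and the `ssl_cacert` doc), any certificate issued by any public CA would be accepted for any host in that branch, which turns a mutually-authenticated channel into one that is trivially MITM-able by anyone holding a valid public cert. The context-level fix is `@ssl_context.verify_hostname = true` alongside the `VERIFY_PEER` assignment, provided the bundled openssl supports it and the connect site sets `hostname=` on the SSLSocket; otherwise call `post_connection_check(host)` after the handshake, which happens outside this hunk and I cannot see it here. With `ssl_verify => false` as well, `ssl_mutual => false` yields a connection that authenticates neither side, so the docs for the option should say that plainly.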
From: Ahren Stevens-Taylor
Date: Mon, 16 Oct 2017 12:24:14 +0100
Subject: [PATCH 2/2] Fix whitespacing

---
 lib/logstash/outputs/tcp.rb | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/lib/logstash/outputs/tcp.rb b/lib/logstash/outputs/tcp.rb
index edf7d26..34711b8 100644
--- a/lib/logstash/outputs/tcp.rb
+++ b/lib/logstash/outputs/tcp.rb
@@ -42,6 +42,9 @@ class LogStash::Outputs::Tcp < LogStash::Outputs::Base
   # The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
   config :ssl_cacert, :validate => :path
 
+  # Do not perform TLS Mutal Authentication, only require a certificate for the client (only with :mode=>"client")
+  config :ssl_mutual, :validate => :boolean, :default => true
+
   # SSL certificate path
   config :ssl_cert, :validate => :path
 
@@ -85,8 +88,11 @@ def setup_ssl
     require "openssl"
 
     @ssl_context = OpenSSL::SSL::SSLContext.new
-    @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
-    @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
+
+    if @ssl_mutual
+      @ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
+      @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
+    end
     if @ssl_verify
       @cert_store = OpenSSL::X509::Store.new
       # Load the system default certificate path to the store
@@ -97,7 +103,11 @@ def setup_ssl
         @cert_store.add_file(@ssl_cacert)
       end
       @ssl_context.cert_store = @cert_store
-      @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      if @ssl_mutual
+        @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      else
+        @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      end
     end
   end # def setup_ssl
 