Feat: add support for TLSv1.3 (#447)

Signed-off-by: Tero Saarni <[email protected]>

Author: tsaarni

CHANGELOG.md

@@ -1,3 +1,6 @@
+## 6.3.0
+ - Added support for TLSv1.3. [#447](https://github.com/logstash-plugins/logstash-input-beats/pull/447)
+
 ## 6.2.6
   - Update guidance regarding the private key format and encoding [#445](https://github.com/logstash-plugins/logstash-input-beats/pull/445)
 

VERSION

@@ -1 +1 @@
-6.2.6
+6.3.0

docs/index.asciidoc

@@ -199,9 +199,10 @@ Flag to determine whether to add `host` field to event using the value supplied
 ===== `cipher_suites`
 
   * Value type is <<array,array>>
-  * Default value is `java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca`
+  * Default value is `java.lang.String[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca`
 
 The list of ciphers suite to use, listed by priorities.
+The default values applies for OpenJDK 11.0.14 and higher, for older versions the list does not include suites not supported by the JDK, such as the ChaCha20 family of ciphers.
 
 [id="plugins-{type}s-{plugin}-client_inactivity_timeout"]
 ===== `client_inactivity_timeout`
@@ -360,10 +361,10 @@ This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer
 ===== `tls_max_version`
 
   * Value type is <<number,number>>
-  * Default value is `1.2`
+  * Default value is `1.3`
 
 The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
-1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
 
 [id="plugins-{type}s-{plugin}-tls_min_version"]
 ===== `tls_min_version`
@@ -372,12 +373,11 @@ The maximum TLS version allowed for the encrypted connections. The value must be
   * Default value is `1`
 
 The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
-1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
 
 
 
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]
 
 :default_codec!:
-

lib/logstash/inputs/beats/tls.rb

@@ -18,7 +18,8 @@ def <=>(other)
     TLS_PROTOCOL_OPTIONS = [
       TLSOption.new("TLSv1", 1),
       TLSOption.new("TLSv1.1", 1.1),
-      TLSOption.new("TLSv1.2", 1.2)
+      TLSOption.new("TLSv1.2", 1.2),
+      TLSOption.new("TLSv1.3", 1.3)
     ]
 
     def self.min

lib/tasks/test.rake

@@ -4,9 +4,9 @@ VENDOR_PATH = File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "ve
 
 #TODO: Figure out better means to keep this version in sync
 if OS_PLATFORM == "linux"
-  FILEBEAT_URL = "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.4-linux-x86_64.tar.gz"
+  FILEBEAT_URL = "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.0-linux-x86_64.tar.gz"
 elsif OS_PLATFORM == "darwin"
-  FILEBEAT_URL = "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.4-darwin-x86_64.tar.gz"
+  FILEBEAT_URL = "https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.0-darwin-x86_64.tar.gz"
 end
 
 LSF_URL = "https://download.elastic.co/logstash-forwarder/binaries/logstash-forwarder_#{OS_PLATFORM}_amd64"

spec/inputs/beats/tls_spec.rb

@@ -10,8 +10,8 @@
   end
 
   it "returns the maximum supported tls" do
-    expect(subject.max.version).to eq(1.2)
-    expect(subject.max.name).to eq("TLSv1.2")
+    expect(subject.max.version).to eq(1.3)
+    expect(subject.max.name).to eq("TLSv1.3")
   end
 
   describe ".get_supported" do

spec/integration/filebeat_spec.rb

@@ -37,7 +37,7 @@
   let(:filebeat_config) do
     {
       "filebeat" => {
-        "prospectors" => [{ "paths" => [log_file],  "type" => "log" }],
+        "inputs" => [{ "paths" => [log_file],  "type" => "log" }],
         "scan_frequency" => "1s"
       },
       "output" => {
@@ -174,6 +174,34 @@
           end
         end
 
+        context "with TLSv1.3 client" do
+          let(:filebeat_config) do
+            super().merge({
+              "output" => {
+                "logstash" => {
+                  "hosts" => ["#{host}:#{port}"],
+                  "ssl" => {
+                    "certificate_authorities" => certificate_authorities,
+                    "versions" => ["TLSv1.3"],
+                  }
+                }
+              },
+              "logging" => { "level" => "debug" }
+              })
+          end
+          include_examples "send events"
+
+          context "when TLSv1.3 enforced in plugin" do
+            let(:input_config) {
+              super().merge({
+                "tls_min_version" => "1.3"
+              })
+            }
+
+            include_examples "send events"
+          end
+        end
+
         # Refactor this to use Flores's PKI instead of openssl command line
         # see: https://github.com/jordansissel/ruby-flores/issues/7
         context "with a passphrase" do

spec/support/file_helpers.rb

@@ -19,7 +19,7 @@ def self.included(base)
   end
 
   def write_to_tmp_file(content)
-    file = Stud::Temporary.file
+    file = Stud::Temporary.file("test-logstash-input-beats", "w+", 0600)
     file.write(content.to_s)
     file.close
     file.path

src/main/java/org/logstash/beats/Runner.java

@@ -33,7 +33,7 @@ static public void main(String[] args) throws Exception {
 
 
             SslContextBuilder sslBuilder = new SslContextBuilder(sslCertificate, sslKey, null)
-                    .setProtocols(new String[] { "TLSv1.2" })
+                    .setProtocols(new String[] { "TLSv1.2", "TLSv1.3" })
                     .setCertificateAuthorities(certificateAuthorities);
             SslHandlerProvider sslHandlerProvider = new SslHandlerProvider(sslBuilder.buildContext(), 10000);
             server.setSslHandlerProvider(sslHandlerProvider);

src/main/java/org/logstash/netty/SslContextBuilder.java

@@ -19,7 +19,9 @@
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 /**
  * Created by ph on 2016-05-27.
@@ -38,22 +40,36 @@ public enum SslClientVerifyMode {
     private File sslCertificateFile;
     private SslClientVerifyMode verifyMode = SslClientVerifyMode.FORCE_PEER;
 
-    private long handshakeTimeoutMilliseconds = 10000;
+    static final Set<String> SUPPORTED_CIPHERS = new HashSet<>(Arrays.asList(
+        ((SSLServerSocketFactory) SSLServerSocketFactory.getDefault()).getSupportedCipherSuites()
+    ));
 
     /*
     Mordern Ciphers List from
     https://wiki.mozilla.org/Security/Server_Side_TLS
     */
-    private final static String[] DEFAULT_CIPHERS = new String[] {
+    private final static String[] DEFAULT_CIPHERS;
+    static {
+        String[] defaultCipherCandidates = new String[] {
+            // Modern compatibility
+            "TLS_AES_128_GCM_SHA256", // TLS 1.3
+            "TLS_AES_256_GCM_SHA384", // TLS 1.3
+            "TLS_CHACHA20_POLY1305_SHA256", // TLS 1.3 (since Java 11.0.14)
+            // Intermediate compatibility
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", // (since Java 11.0.14)
+            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", // (since Java 11.0.14)
             "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            // Backward compatibility
             "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
             "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
-    };
+        };
+        DEFAULT_CIPHERS = Arrays.stream(defaultCipherCandidates).filter(SUPPORTED_CIPHERS::contains).toArray(String[]::new);
+    }
 
     /*
       Reduced set of ciphers available when JCE Unlimited Strength Jurisdiction Policy is not installed.
@@ -65,10 +81,8 @@ public enum SslClientVerifyMode {
             "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
     };
 
-    private String[] supportedCiphers = ((SSLServerSocketFactory)SSLServerSocketFactory
-            .getDefault()).getSupportedCipherSuites();
     private String[] ciphers = DEFAULT_CIPHERS;
-    private String[] protocols = new String[] { "TLSv1.2" };
+    private String[] protocols = new String[] { "TLSv1.2", "TLSv1.3" };
     private String[] certificateAuthorities;
     private String passPhrase;
 
@@ -92,10 +106,10 @@ public SslContextBuilder setProtocols(String[] protocols) {
     }
 
     public SslContextBuilder setCipherSuites(String[] ciphersSuite) throws IllegalArgumentException {
-        for(String cipher : ciphersSuite) {
-            if(Arrays.asList(supportedCiphers).contains(cipher)) {
-                logger.debug("Cipher is supported: {}", cipher);
-            }else{
+        for (String cipher : ciphersSuite) {
+            if (SUPPORTED_CIPHERS.contains(cipher)) {
+                logger.debug("{} cipher is supported", cipher);
+            } else {
                 if (!isUnlimitedJCEAvailable()) {
                     logger.warn("JCE Unlimited Strength Jurisdiction Policy not installed");
                 }
@@ -108,7 +122,7 @@ public SslContextBuilder setCipherSuites(String[] ciphersSuite) throws IllegalAr
     }
 
     public static String[] getDefaultCiphers(){
-        if (isUnlimitedJCEAvailable()){
+        if (isUnlimitedJCEAvailable()) {
             return DEFAULT_CIPHERS;
         } else {
             logger.warn("JCE Unlimited Strength Jurisdiction Policy not installed - max key length is 128 bits");
@@ -146,7 +160,7 @@ public SslContext buildContext() throws Exception {
         io.netty.handler.ssl.SslContextBuilder builder = io.netty.handler.ssl.SslContextBuilder.forServer(sslCertificateFile, sslKeyFile, passPhrase);
 
         if (logger.isDebugEnabled()) {
-            logger.debug("Available ciphers: " + Arrays.toString(supportedCiphers));
+            logger.debug("Available ciphers: " + SUPPORTED_CIPHERS);
             logger.debug("Ciphers:  " + Arrays.toString(ciphers));
         }