fix: restore use of poorly-named DefaultHostnameVerifier (elastic#1139)

The legacy and out-of-date `StrictHostnameVerifier` from Apache HTTP Client
is deprecated with guidance to use the `DefaultHostnameVerifier`, which is
in fact a strict but modern verifier that can handle modern identity claims

CHANGELOG.md

@@ -1,3 +1,6 @@
+## 11.15.7
+  - Fixes a regression introduced in 11.14.0 which could prevent a connection from being established to Elasticsearch in some SSL configurations [#1138](https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/1138)
+
 ## 11.15.6
   - Fix: avoid to reject a batch when the Elasticsearch connection is alive and the processing should continue [#1132](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1132).
 

lib/logstash/outputs/elasticsearch/http_client_builder.rb

@@ -144,12 +144,14 @@ def self.setup_ssl(logger, params)
       ssl_verification_mode = params["ssl_verification_mode"]
       unless ssl_verification_mode.nil?
         case ssl_verification_mode
-          when 'none'
-            logger.warn "You have enabled encryption but DISABLED certificate verification, " +
-                          "to make sure your data is secure set `ssl_verification_mode => full`"
-            ssl_options[:verify] = :disable
-          else
-            ssl_options[:verify] = :strict
+        when 'none'
+          logger.warn "You have enabled encryption but DISABLED certificate verification, " +
+                        "to make sure your data is secure set `ssl_verification_mode => full`"
+          ssl_options[:verify] = :disable
+        else
+          # Manticore's :default maps to Apache HTTP Client's DefaultHostnameVerifier,
+          # which is the modern STRICT verifier that replaces the deprecated StrictHostnameVerifier
+          ssl_options[:verify] = :default
         end
       end
 

logstash-output-elasticsearch.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-output-elasticsearch'
-  s.version         = '11.15.6'
+  s.version         = '11.15.7'
   s.licenses        = ['apache-2.0']
   s.summary         = "Stores logs in Elasticsearch"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

spec/unit/outputs/elasticsearch_ssl_spec.rb

@@ -55,7 +55,7 @@
 
       it "should pass the flag to the ES client" do
         expect(::Manticore::Client).to receive(:new) do |args|
-          expect(args[:ssl]).to match hash_including(:enabled => true, :verify => :strict)
+          expect(args[:ssl]).to match hash_including(:enabled => true, :verify => :default)
         end.and_return(manticore_double)
 
         subject.register
@@ -132,7 +132,7 @@
                                       :truststore => ssl_truststore_path,
                                       :truststore_type => "jks",
                                       :truststore_password => "foo",
-                                      :verify => :strict,
+                                      :verify => :default,
                                       :cipher_suites => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
                                       :protocols => ["TLSv1.3"],
                                     )
@@ -168,7 +168,7 @@
                                       :ca_file => ssl_certificate_authorities_path,
                                       :client_cert => ssl_certificate_path,
                                       :client_key => ssl_key_path,
-                                      :verify => :strict,
+                                      :verify => :default,
                                       :cipher_suites => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
                                       :protocols => ["TLSv1.3"],
                                     )