renaming config and adding more documentation

elastic · Dec 6, 2021 · 3f62b2f · 3f62b2f
1 parent c247f6f
commit 3f62b2f
Show file tree

Hide file tree

Showing 18 changed files with 121 additions and 112 deletions.
diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml
@@ -516,7 +516,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -653,7 +653,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # The number of times to retry publishing an event after a publishing failure.
   # After the specified number of retries, the events are typically dropped.
@@ -859,7 +859,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -1028,7 +1028,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
 
 # -------------------------------- File Output ---------------------------------
@@ -1320,7 +1320,7 @@ setup.kibana:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
 
 # ================================== Logging ===================================
@@ -1523,7 +1523,7 @@ logging.files:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true

diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml
@@ -1449,7 +1449,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -1586,7 +1586,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # The number of times to retry publishing an event after a publishing failure.
   # After the specified number of retries, the events are typically dropped.
@@ -1792,7 +1792,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -1961,7 +1961,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
 
 # -------------------------------- File Output ---------------------------------
@@ -2253,7 +2253,7 @@ setup.kibana:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
 
 # ================================== Logging ===================================
@@ -2456,7 +2456,7 @@ logging.files:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true

diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml
@@ -662,7 +662,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -799,7 +799,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # The number of times to retry publishing an event after a publishing failure.
   # After the specified number of retries, the events are typically dropped.
@@ -1005,7 +1005,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -1174,7 +1174,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
 
 # -------------------------------- File Output ---------------------------------
@@ -1466,7 +1466,7 @@ setup.kibana:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
 
 # ================================== Logging ===================================
@@ -1669,7 +1669,7 @@ logging.files:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true

diff --git a/libbeat/_meta/config/ssl.reference.yml.tmpl b/libbeat/_meta/config/ssl.reference.yml.tmpl
@@ -54,4 +54,4 @@
 # A root CA HEX encoded fingerprint used to trust and pin this certificate.
 # This enables compatibility with Elasticserach self signed certificates as well as trusting
 # and pinning any other self-signed certificate.
-#ssl.es_ca_fingerprint: ""
+#ssl.ca_trusted_fingerprint: ""
diff --git a/libbeat/common/transport/tlscommon/config.go b/libbeat/common/transport/tlscommon/config.go
@@ -30,16 +30,16 @@ var warnOnce sync.Once
 
 // Config defines the user configurable options in the yaml file.
 type Config struct {
-	Enabled          *bool                   `config:"enabled" yaml:"enabled,omitempty"`
-	VerificationMode TLSVerificationMode     `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
-	Versions         []TLSVersion            `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
-	CipherSuites     []CipherSuite           `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
-	CAs              []string                `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
-	Certificate      CertificateConfig       `config:",inline" yaml:",inline"`
-	CurveTypes       []tlsCurveType          `config:"curve_types" yaml:"curve_types,omitempty"`
-	Renegotiation    TlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
-	CASha256         []string                `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
-	ESCAFingerprint  string                  `config:"es_ca_fingerprint" yaml:"es_ca_fingerprint,omitempty"`
+	Enabled              *bool                   `config:"enabled" yaml:"enabled,omitempty"`
+	VerificationMode     TLSVerificationMode     `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
+	Versions             []TLSVersion            `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
+	CipherSuites         []CipherSuite           `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
+	CAs                  []string                `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
+	Certificate          CertificateConfig       `config:",inline" yaml:",inline"`
+	CurveTypes           []tlsCurveType          `config:"curve_types" yaml:"curve_types,omitempty"`
+	Renegotiation        TlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
+	CASha256             []string                `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
+	CATrustedFingerprint string                  `config:"ca_trusted_fingerprint" yaml:"ca_trusted_fingerprint,omitempty"`
 }
 
 // LoadTLSConfig will load a certificate from config with all TLS based keys
@@ -83,15 +83,15 @@ func LoadTLSConfig(config *Config) (*TLSConfig, error) {
 
 	// return config if no error occurred
 	return &TLSConfig{
-		Versions:         config.Versions,
-		Verification:     config.VerificationMode,
-		Certificates:     certs,
-		RootCAs:          cas,
-		CipherSuites:     config.CipherSuites,
-		CurvePreferences: curves,
-		Renegotiation:    tls.RenegotiationSupport(config.Renegotiation),
-		CASha256:         config.CASha256,
-		ESCAFingerprint:  config.ESCAFingerprint,
+		Versions:             config.Versions,
+		Verification:         config.VerificationMode,
+		Certificates:         certs,
+		RootCAs:              cas,
+		CipherSuites:         config.CipherSuites,
+		CurvePreferences:     curves,
+		Renegotiation:        tls.RenegotiationSupport(config.Renegotiation),
+		CASha256:             config.CASha256,
+		CATrustedFingerprint: config.CATrustedFingerprint,
 	}, nil
 }
 

diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go
@@ -77,10 +77,9 @@ type TLSConfig struct {
 	// the server certificate.
 	CASha256 []string
 
-	// ESCAFingerprint is the CA certificate pin, in HEX form, from Elasticsearch self
-	// generated CA cartificate. We use that to trust self-signed certificates generated
-	// by Elasticsearch
-	ESCAFingerprint string `config:"es_ca_fingerprint" yaml:"es_ca_fingerprint,omitempty"`
+	// CATrustedFingerprint is the CA certificate pin, in HEX form, from a self
+	// generated CA cartificate.
+	CATrustedFingerprint string `config:"ca_trusted_fingerprint" yaml:"ca_trusted_fingerprint,omitempty"`
 
 	// time returns the current time as the number of seconds since the epoch.
 	// If time is nil, TLS uses time.Now.
@@ -159,8 +158,8 @@ func (c *TLSConfig) BuildServerConfig(host string) *tls.Config {
 	return config
 }
 
-func trustESRootCA(cfg *TLSConfig, peerCerts []*x509.Certificate) error {
-	fingerprint, err := hex.DecodeString(cfg.ESCAFingerprint)
+func trustRootCA(cfg *TLSConfig, peerCerts []*x509.Certificate) error {
+	fingerprint, err := hex.DecodeString(cfg.CATrustedFingerprint)
 	if err != nil {
 		return fmt.Errorf("decode fingerprint: %w", err)
 	}
@@ -190,8 +189,8 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error {
 	switch cfg.Verification {
 	case VerifyFull:
 		return func(cs tls.ConnectionState) error {
-			if cfg.ESCAFingerprint != "" {
-				if err := trustESRootCA(cfg, cs.PeerCertificates); err != nil {
+			if cfg.CATrustedFingerprint != "" {
+				if err := trustRootCA(cfg, cs.PeerCertificates); err != nil {
 					return err
 				}
 			}
@@ -212,8 +211,8 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error {
 		}
 	case VerifyCertificate:
 		return func(cs tls.ConnectionState) error {
-			if cfg.ESCAFingerprint != "" {
-				if err := trustESRootCA(cfg, cs.PeerCertificates); err != nil {
+			if cfg.CATrustedFingerprint != "" {
+				if err := trustRootCA(cfg, cs.PeerCertificates); err != nil {
 					return err
 				}
 			}
@@ -231,8 +230,8 @@ func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error {
 	case VerifyStrict:
 		if len(cfg.CASha256) > 0 {
 			return func(cs tls.ConnectionState) error {
-				if cfg.ESCAFingerprint != "" {
-					if err := trustESRootCA(cfg, cs.PeerCertificates); err != nil {
+				if cfg.CATrustedFingerprint != "" {
+					if err := trustRootCA(cfg, cs.PeerCertificates); err != nil {
 						return err
 					}
 				}

diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc
@@ -219,6 +219,16 @@ NOTE: This check is not a replacement for the normal SSL validation, but it adds
 If this option is used with  `verification_mode` set to `none`, the check will always fail because
 it will not receive any verified chains.
 
+[float]
+[[_ca_trusted_fingerprint]]
+==== `ca_trusted_fingerprint`
+This configures a certificate pin that you can use to trust and pin a
+root CA without providing the certificate under
+`certificate_authorities`
+
+The pin is the HEX encoded SHA-256 of the certificate.
+
+
 [discrete]
 [[ssl-client-config]]
 === Client configuration options

diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml
@@ -1359,7 +1359,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -1496,7 +1496,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # The number of times to retry publishing an event after a publishing failure.
   # After the specified number of retries, the events are typically dropped.
@@ -1702,7 +1702,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -1871,7 +1871,7 @@ output.elasticsearch:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
 
 # -------------------------------- File Output ---------------------------------
@@ -2163,7 +2163,7 @@ setup.kibana:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
 
 # ================================== Logging ===================================
@@ -2366,7 +2366,7 @@ logging.files:
   # A root CA HEX encoded fingerprint used to trust and pin this certificate.
   # This enables compatibility with Elasticserach self signed certificates as well as trusting
   # and pinning any other self-signed certificate.
-  #ssl.es_ca_fingerprint: ""
+  #ssl.ca_trusted_fingerprint: ""
 
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true