regenerate certs #13021

Merged 1 commit on Jul 26, 2019
ph commented Jul 22, 2019

Fix issue about weak certs.

Error Message

```
[SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:2815)
```

Stacktrace

```
Traceback (most recent call last):
  File "/usr/lib/python2.7/unittest/case.py", line 329, in run
    testMethod()
  File "/go/src/github.com/elastic/beats/filebeat/tests/system/test_tcp_tls.py", line 203, in test_tcp_over_tls_mutual_auth_succeed
    context.load_cert_chain(certfile=CLIENT2, keyfile=CLIENTKEY2)
SSLError: [SSL: CA_MD_TOO_WEAK] ca md too weak (_ssl.c:2815)
```

It appears the certificates were generated with an older version of openssl, and openssl 1.1 has changed the default and is more strict now. I presume it was updated on the CI box.

Fixes: #13009
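
An added example, not part of the pull request or the Beats code base: a small Go audit that walks a PEM bundle and reports certificates whose signature uses a weak digest, the class of problem behind `CA_MD_TOO_WEAK`. The weak set (MD2, MD5, SHA-1) is a policy assumed here, since the thread does not say which digest the old fixtures used; `auditPEM`, `weakSig`, `sampleCert` and `sampleBundle` are hypothetical names, and the certificates are constructed in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// weakSig is this example's policy (an assumption): MD2, MD5 and SHA-1 digests.
var weakSig = map[x509.SignatureAlgorithm]bool{x509.MD2WithRSA: true, x509.MD5WithRSA: true,
	x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true}

// auditPEM returns "CN: algorithm" for every certificate signed with a weak digest.
func auditPEM(data []byte) ([]string, error) {
	var findings []string
	for blk, rest := pem.Decode(data); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue // skip private keys and other PEM blocks
		}
		cert, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err
		}
		if weakSig[cert.SignatureAlgorithm] {
			findings = append(findings, fmt.Sprintf("%s: %s", cert.Subject.CommonName, cert.SignatureAlgorithm))
		}
	}
	return findings, nil
}

// sampleCert builds a throwaway self-signed certificate (constructed input).
func sampleCert(cn string, alg x509.SignatureAlgorithm) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), SignatureAlgorithm: alg}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// sampleBundle holds one SHA-1 signed and one SHA-256 signed fixture.
func sampleBundle() []byte {
	return append(sampleCert("old-fixture", x509.ECDSAWithSHA1), sampleCert("new-fixture", x509.ECDSAWithSHA256)...)
}

func main() { fmt.Println(auditPEM(sampleBundle())) }
```

Running a check like this over test fixtures in CI surfaces a weak digest before a stricter TLS library rejects the chain at test time.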

ph commented Jul 23, 2019

While fixing the TLS issue I found a race:

15:59:00 ?   	github.com/elastic/beats/filebeat/scripts/generator/fileset	[no test files]
15:59:01 command [go test -race -cover -coverprofile /tmp/gotestcover-237561254 github.com/elastic/beats/filebeat/inputsource/tcp]: exit status 1
15:59:01 ==================
15:59:01 WARNING: DATA RACE
15:59:01 Read at 0x00c0004d2a20 by goroutine 12:
15:59:01   github.com/elastic/beats/filebeat/inputsource/tcp.(*splitHandler).Close()
15:59:01       /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/filebeat/label/linux-immutable/src/github.com/elastic/beats/filebeat/inputsource/tcp/client.go:127 +0x7a
15:59:01   github.com/elastic/beats/filebeat/inputsource/tcp.(*Server).Stop()
15:59:01       /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/filebeat/label/linux-immutable/src/github.com/elastic/beats/filebeat/inputsource/tcp/server.go:142 +0x202
15:59:01   github.com/elastic/beats/filebeat/inputsource/tcp.TestReceiveEventsAndMetadata.func1()
15:59:01       /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/filebeat/label/linux-immutable/src/github.com/elastic/beats/filebeat/inputsource/tcp/server_test.go:201 +0xa04
15:59:01   testing.tRunner()
15:59:01       /var/lib/jenkins/.gvm/versions/go1.12.7.linux.amd64/src/testing/testing.go:865 +0x163
15:59:01 
15:59:01 Previous write at 0x00c0004d2a20 by goroutine 10:
15:59:01   github.com/elastic/beats/filebeat/inputsource/tcp.(*splitHandler).Handle()
15:59:01       /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/filebeat/label/linux-immutable/src/github.com/elastic/beats/filebeat/inputsource/tcp/client.go:80 +0x6d
15:59:01   github.com/elastic/beats/filebeat/inputsource/tcp.(*Server).run.func1()
15:59:01       /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/filebeat/label/linux-immutable/src/github.com/elastic/beats/filebeat/inputsource/tcp/server.go:120 +0x339
15:59:01 
15:59:01 Goroutine 12 (running) created at:
15:59:01   testing.(*T).Run()
15:59:01       /var/lib/jenkins/.gvm/versions/go1.12.7.linux.amd64/src/testing/testing.go:916 +0x65a
15:59:01   github.com/elastic/beats/filebeat/inputsource/tcp.TestReceiveEventsAndMetadata()
15:59:01       /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/filebeat/label/linux-immutable/src/github.com/elastic/beats/filebeat/inputsource/tcp/server_test.go:157 +0x1979
15:59:01   testing.tRunner()
15:59:01       /var/lib/jenkins/.gvm/versions/go1.12.7.linux.amd64/src/testing/testing.go:865 +0x163
15:59:01 
15:59:01 Goroutine 10 (running) created at:
15:59:01   github.com/elastic/beats/filebeat/inputsource/tcp.(*Server).run()
15:59:01       /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/filebeat/label/linux-immutable/src/github.com/elastic/beats/filebeat/inputsource/tcp/server.go:111 +0x220
15:59:01   github.com/elastic/beats/filebeat/inputsource/tcp.(*Server).Start.func1()
15:59:01       /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/filebeat/label/linux-immutable/src/github.com/elastic/beats/filebeat/inputsource/tcp/server.go:85 +0x80
15:59:01 ==================
15:59:01 --- FAIL: TestReceiveEventsAndMetadata (1.63s)
15:59:01     --- FAIL: TestReceiveEventsAndMetadata/MaxReadBufferReachedUserConfigured (0.02s)
15:59:01         testing.go:809: race detected during execution of test
15:59:01     testing.go:809: race detected during execution of test
15:59:01 FAIL

ph commented Jul 23, 2019

I am addressing the race in another PR; this PR fixes the flaky test.

ph commented Jul 23, 2019

Jenkins test this please

ph added a commit to ph/beats that referenced this pull request Jul 23, 2019
Pass the `net.Conn` object when creating the client instead of passing it to the
`Handle()` method that keeps a reference to it. By doing this we do not
have to worry about read or write race over the internal field. The
client still needs a reference to the connection when the out of bound
call to `Close()` is executed to make sure we are getting out of a
`Read()` call early.

Tested with:

```
while true; do go test -v -race; done
```

Found in elastic#13021
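
The ownership pattern that commit message describes, as an added example that is not the Filebeat code: the connection is fixed at construction, so `Handle()` never writes the field that `Close()` reads from another goroutine, and `Close()` still unblocks a pending `Read()`. The `splitHandler`, `Handle` and `Close` names are borrowed from the race report; `newSplitHandler`, `got` and `demo` are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"time"
)

// splitHandler is a simplified stand-in, not the Filebeat type. conn is set once
// in the constructor and never reassigned, so Handle and Close cannot race on it.
type splitHandler struct {
	conn net.Conn
	got  chan string
}

func newSplitHandler(conn net.Conn) *splitHandler {
	return &splitHandler{conn: conn, got: make(chan string, 16)}
}

// Handle reads newline-delimited messages until the connection ends.
func (h *splitHandler) Handle() error {
	sc := bufio.NewScanner(h.conn)
	for sc.Scan() {
		h.got <- sc.Text()
	}
	return sc.Err()
}

// Close is called from another goroutine; closing conn makes a blocked Read return.
func (h *splitHandler) Close() error { return h.conn.Close() }

// demo returns the first message and whether Close() made Handle() return.
func demo() (string, bool) {
	client, server := net.Pipe() // in-memory connection pair (constructed input)
	h := newSplitHandler(server)
	done := make(chan error, 1)
	go func() { done <- h.Handle() }()
	go client.Write([]byte("hello\n"))
	msg := <-h.got
	h.Close()
	select {
	case <-done:
		return msg, true
	case <-time.After(2 * time.Second):
		return msg, false
	}
}

func main() { fmt.Println(demo()) }
```

Running it under `go run -race` exercises the same concurrent `Handle()`/`Close()` pairing that the detector flagged in the report above.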
ph commented Jul 23, 2019

rebasing.. issues with seccomp capabilities?

ph commented Jul 24, 2019

jenkins test this please, restarted because of github issue :(

ph marked this pull request as ready for review July 25, 2019 12:10
ph requested a review from a team as a code owner July 25, 2019 12:10
ph changed the title from "[WIP] regenerate certs" to "regenerate certs" Jul 25, 2019
ph added the Filebeat, review and needs_backport (PR is waiting to be backported to other branches) labels Jul 25, 2019

ph commented Jul 25, 2019

As @mikemadden42 pointed out, this affects the 7.3 branch too and would need to be backported.

ph commented Jul 25, 2019

@kaiyan-sheng, since you have opened the original issues and skipped the test, can you review this?

ph merged commit cffc5a5 into elastic:master Jul 26, 2019
ph added a commit to ph/beats that referenced this pull request Jul 26, 2019
(cherry picked from commit cffc5a5)
mikemadden42 pushed a commit that referenced this pull request Jul 26, 2019
(cherry picked from commit cffc5a5)
ph added a commit that referenced this pull request Jul 26, 2019
(cherry picked from commit cffc5a5)
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
Successfully merging this pull request may close these issues.

[Flaky test] filebeat test_tcp_tls.py ca md too weak