elastic · andrewvc · Apr 27, 2020 · Apr 13, 2020 · Apr 13, 2020 · Apr 13, 2020
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -256,7 +256,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Heartbeat*
 
 - Allow a list of status codes for HTTP checks. {pull}15587[15587]
-
+- Add additional ECS compatible fields for TLS information. {pull}17687[17687]
 
 *Journalbeat*
 

@@ -18,6 +18,7 @@
 package hbtest
 
 import (
+	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"io"
@@ -29,6 +30,10 @@ import (
 	"strconv"
 	"strings"
 	"testing"
+	"time"
+
+	"github.com/elastic/beats/v7/heartbeat/monitors/active/dialchain/tlsmeta"
+	"github.com/elastic/beats/v7/libbeat/common"
 
 	"github.com/elastic/beats/v7/heartbeat/hbtestllext"
 
@@ -107,13 +112,19 @@ func ServerPort(server *httptest.Server) (uint16, error) {
 
 // TLSChecks validates the given x509 cert at the given position.
 func TLSChecks(chainIndex, certIndex int, certificate *x509.Certificate) validator.Validator {
-	return lookslike.MustCompile(map[string]interface{}{
-		"tls": map[string]interface{}{
-			"rtt.handshake.us":             isdef.IsDuration,
-			"certificate_not_valid_before": certificate.NotBefore,
-			"certificate_not_valid_after":  certificate.NotAfter,
-		},
-	})
+	expected := common.MapStr{}
+	// This function is well tested independently, so we just test that things match up here.
+	tlsmeta.AddTLSMetadata(expected, tls.ConnectionState{
+		Version:           tls.VersionTLS13,
+		HandshakeComplete: true,
+		CipherSuite:       tls.TLS_AES_128_GCM_SHA256,
+		ServerName:        certificate.Subject.CommonName,
+		PeerCertificates:  []*x509.Certificate{certificate},
+	}, time.Duration(1))
+
+	expected.Put("tls.rtt.handshake.us", isdef.IsDuration)
+
+	return lookslike.MustCompile(expected)
 }
 
 // BaseChecks creates a skima.Validator that represents the "monitor" field present

@@ -34,10 +34,12 @@
       fields:
         - name: certificate_not_valid_before
           type: date
-          description: Earliest time at which the connection's certificates are valid.
+          deprecated: 7.8.0
+          description: Deprecated in favor of `tls.server.not_before`. Earliest time at which the connection's certificates are valid.
         - name: certificate_not_valid_after
+          deprecated: 7.8.0
           type: date
-          description: Latest time at which the connection's certificates are valid.
+          description: Deprecated in favor of `tls.server.not_after`. Latest time at which the connection's certificates are valid.
         - name: rtt
           type: group
           description: >

@@ -19,27 +19,19 @@ package dialchain
 
 import (
 	cryptoTLS "crypto/tls"
-	"crypto/x509"
 	"fmt"
 	"net"
 	"time"
 
-	"github.com/elastic/beats/v7/heartbeat/look"
+	"github.com/elastic/beats/v7/heartbeat/monitors/active/dialchain/tlsmeta"
 	"github.com/elastic/beats/v7/libbeat/beat"
-	"github.com/elastic/beats/v7/libbeat/common"
 	"github.com/elastic/beats/v7/libbeat/common/transport"
 	"github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
 )
 
 // TLSLayer configures the TLS layer in a DialerChain.
-//
-// The layer will update the active event with:
-//
-//  {
-//    "tls": {
-//        "rtt": { "handshake": { "us": ... }}
-//    }
-//  }
+// The layer will update the active event with the TLS RTT and
+// crypto/cert details.
 func TLSLayer(cfg *tlscommon.TLSConfig, to time.Duration) Layer {
 	return func(event *beat.Event, next transport.Dialer) (transport.Dialer, error) {
 		var timer timer
@@ -58,56 +50,12 @@ func TLSLayer(cfg *tlscommon.TLSConfig, to time.Duration) Layer {
 			if !ok {
 				panic(fmt.Sprintf("TLS afterDial received a non-tls connection %t. This should never happen", conn))
 			}
-
-			// TODO: extract TLS connection parameters from connection object.
+			connState := tlsConn.ConnectionState()
 			timer.stop()
-			event.PutValue("tls.rtt.handshake", look.RTT(timer.duration()))
 
-			addCertMetdata(event.Fields, tlsConn.ConnectionState().PeerCertificates)
+			tlsmeta.AddTLSMetadata(event.Fields, connState, timer.duration())
 
 			return conn, nil
 		}), nil
 	}
 }
-
-func addCertMetdata(fields common.MapStr, certs []*x509.Certificate) {
-	// The behavior here might seem strange. We *always* set a notBefore, but only optionally set a notAfter.
-	// Why might we do this?
-	// The root cause is that the x509.Certificate type uses time.Time for these fields instead of *time.Time
-	// so we have no way to know if the user actually set these fields. The x509 RFC says that only one of the
-	// two fields must be set. Most tools (including openssl and go's certgen) always set both. BECAUSE WHY NOT
-	//
-	// In the wild, however, there are certs missing one of these two fields.
-	// So, what's the correct behavior here? We cannot know if a field was omitted due to the lack of nullability.
-	// So, in this case, we try to do what people will want 99.99999999999999999% of the time.
-	// People might set notBefore to go's zero date intentionally when creating certs. So, we always set that
-	// field, even if we find a zero value.
-	// However, it would be weird to set notAfter to the zero value. That could invalidate a cert that was intended
-	// to be valid forever. So, in that case, we treat the zero value as non-existent.
-	// This is why notBefore is a time.Time and notAfter is a *time.Time
-	var chainNotValidBefore time.Time
-	var chainNotValidAfter *time.Time
-
-	// We need the zero date later
-	var zeroTime time.Time
-
-	// Here we compute the minimal bounds during which this certificate chain is valid
-	// To do this correctly, we take the maximum NotBefore and the minimum NotAfter.
-	// This *should* always wind up being the terminal cert in the chain, but we should
-	// compute this correctly.
-	for _, cert := range certs {
-		if chainNotValidBefore.Before(cert.NotBefore) {
-			chainNotValidBefore = cert.NotBefore
-		}
-
-		if cert.NotAfter != zeroTime && (chainNotValidAfter == nil || chainNotValidAfter.After(cert.NotAfter)) {
-			chainNotValidAfter = &cert.NotAfter
-		}
-	}
-
-	fields.Put("tls.certificate_not_valid_before", chainNotValidBefore)
-
-	if chainNotValidAfter != nil {
-		fields.Put("tls.certificate_not_valid_after", *chainNotValidAfter)
-	}
-}