From f96dad3c80eb27dfd9a76fc5bb555946a7375f2a Mon Sep 17 00:00:00 2001
From: Edmo Vamerlatti Costa <11836452+edmocosta@users.noreply.github.com>
Date: Fri, 2 Jun 2023 18:01:09 +0200
Subject: [PATCH] fix: restore use of DefaultHostnameVerifier (#193)

* Document why we are using :default instead of :strict

Co-authored-by: Ry Biesemeyer
---
 CHANGELOG.md | 3 +++
 lib/logstash/inputs/elasticsearch.rb | 4 +++-
 logstash-input-elasticsearch.gemspec | 2 +-
 spec/inputs/elasticsearch_ssl_spec.rb | 6 +++---
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 23ea617..897f63c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 4.17.2
+ - Fixes a regression introduced in 4.17.0 which could prevent a connection from being established to Elasticsearch in some SSL configurations [#193](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/193)
+
 ## 4.17.1
 - Fix: scroll slice high memory consumption [#189](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/189)
diff --git a/lib/logstash/inputs/elasticsearch.rb b/lib/logstash/inputs/elasticsearch.rb
index 9d4ff77..8c933ea 100644
--- a/lib/logstash/inputs/elasticsearch.rb
+++ b/lib/logstash/inputs/elasticsearch.rb
@@ -521,7 +521,9 @@ def setup_client_ssl
 "to make sure your data is secure set `ssl_verification_mode => full`"
 ssl_options[:verify] = :disable
 else
- ssl_options[:verify] = :strict
+ # Manticore's :default maps to Apache HTTP Client's DefaultHostnameVerifier,
+ # which is the modern STRICT verifier that replaces the deprecated StrictHostnameVerifier
+ ssl_options[:verify] = :default
 end
 end
diff --git a/logstash-input-elasticsearch.gemspec b/logstash-input-elasticsearch.gemspec
index b5de030..86d29f7 100644
--- a/logstash-input-elasticsearch.gemspec
+++ b/logstash-input-elasticsearch.gemspec
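Review bot: The comment added above `ssl_options[:verify] = :default` in lib/logstash/inputs/elasticsearch.rb asserts a Manticore-to-Apache-HttpClient mapping that nothing in this patch pins: the gemspec hunk only bumps the plugin version and no Manticore constraint is visible here. Since this symbol selects the hostname verifier on the branch that does not disable verification, a change of that mapping in a later Manticore release would alter TLS hostname checking without any diff in this file. I would add one line to the comment, e.g. `# NOTE: depends on the Manticore version in use; re-check this mapping when upgrading Manticore`. `setup_client_ssl` begins outside the hunk, so which `ssl_verification_mode` values reach this `else` is inferred, not verified.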
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 s.name = 'logstash-input-elasticsearch'
- s.version = '4.17.1'
+ s.version = '4.17.2'
 s.licenses = ['Apache License (2.0)']
 s.summary = "Reads query results from an Elasticsearch cluster"
 s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
diff --git a/spec/inputs/elasticsearch_ssl_spec.rb b/spec/inputs/elasticsearch_ssl_spec.rb
index 2189fd8..4ef3ac2 100644
--- a/spec/inputs/elasticsearch_ssl_spec.rb
+++ b/spec/inputs/elasticsearch_ssl_spec.rb
@@ -123,7 +123,7 @@
 it "should pass the flag to the ES client" do
 expect(::Elasticsearch::Client).to receive(:new) do |args|
- expect(args[:ssl]).to match hash_including(:ssl => true, :verify => :strict)
+ expect(args[:ssl]).to match hash_including(:ssl => true, :verify => :default)
 end.and_return(es_client_double)
 subject.register
@@ -200,7 +200,7 @@
 :truststore => ssl_truststore_path,
 :truststore_type => "jks",
 :truststore_password => "foo",
- :verify => :strict,
+ :verify => :default,
 :cipher_suites => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
 :protocols => ["TLSv1.3"],
 )
@@ -236,7 +236,7 @@
 :ca_file => ssl_certificate_authorities_path,
 :client_cert => ssl_certificate_path,
 :client_key => ssl_key_path,
- :verify => :strict,
+ :verify => :default,
 :cipher_suites => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
 :protocols => ["TLSv1.3"],
 )
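Review bot: The three updated expectations in spec/inputs/elasticsearch_ssl_spec.rb (the `hash_including(:ssl => true, :verify => :default)` check at -123 and the option hashes at -200 and -236) only pin the symbol handed to `::Elasticsearch::Client.new`; none of them shows that a certificate whose names do not match the host is still rejected under `:default`. Because the fix swaps the hostname verifier, a behavioural regression in verification would leave these specs green. I would add an integration-style example that connects to a test endpoint presenting a certificate for a different hostname and asserts that the connection attempt fails, alongside one for the configuration the 4.17.0 regression broke. The second and third hunks start inside a call whose opening lies outside the visible lines, so the surrounding `context` setup could not be checked.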