From fe9af3945acfef76cedb8fe3aff4db15afac2c24 Mon Sep 17 00:00:00 2001
From: edmocosta <11836452+edmocosta@users.noreply.github.com>
Date: Wed, 31 May 2023 17:29:05 +0200
Subject: [PATCH 1/3] restore use of DefaultHostnameVerifier
---
 CHANGELOG.md | 3 +++
 lib/logstash/inputs/elasticsearch.rb | 2 +-
 logstash-input-elasticsearch.gemspec | 2 +-
 spec/inputs/elasticsearch_ssl_spec.rb | 6 +++---
 4 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 23ea617..5a1f82b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 4.17.2
+ - Fixes a regression introduced in 4.17.0 which could prevent a connection from being established to Elasticsearch in some SSL configurations [#192](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/192)
+
 ## 4.17.1
 - Fix: scroll slice high memory consumption [#189](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/189)
diff --git a/lib/logstash/inputs/elasticsearch.rb b/lib/logstash/inputs/elasticsearch.rb
index 9d4ff77..e167060 100644
--- a/lib/logstash/inputs/elasticsearch.rb
+++ b/lib/logstash/inputs/elasticsearch.rb
@@ -521,7 +521,7 @@ def setup_client_ssl
 "to make sure your data is secure set `ssl_verification_mode => full`"
 ssl_options[:verify] = :disable
 else
- ssl_options[:verify] = :strict
+ ssl_options[:verify] = :default
 end
 end
diff --git a/logstash-input-elasticsearch.gemspec b/logstash-input-elasticsearch.gemspec
index b5de030..86d29f7 100644
--- a/logstash-input-elasticsearch.gemspec
+++ b/logstash-input-elasticsearch.gemspec
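Review bot: In `lib/logstash/inputs/elasticsearch.rb` (hunk at line 521), hostname checking for whatever reaches this `else` now depends on how the HTTP client library interprets `:verify => :default`, and nothing visible in this patch ties the plugin to a client release that defines that symbol as a verifying mode. The gemspec hunk only bumps the plugin version and its dependency lines are outside the hunk, so this may already be covered, but it is worth confirming. If the lower bound is too loose, a constraint along the lines of `s.add_runtime_dependency 'manticore', '>= <FIRST_VERSION_SUPPORTING_DEFAULT_VERIFY>'` (placeholder version) would keep an older client from receiving a value it does not understand. `setup_client_ssl` starts and ends outside the hunk.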
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 s.name = 'logstash-input-elasticsearch'
- s.version = '4.17.1'
+ s.version = '4.17.2'
 s.licenses = ['Apache License (2.0)']
 s.summary = "Reads query results from an Elasticsearch cluster"
 s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
diff --git a/spec/inputs/elasticsearch_ssl_spec.rb b/spec/inputs/elasticsearch_ssl_spec.rb
index 2189fd8..4ef3ac2 100644
--- a/spec/inputs/elasticsearch_ssl_spec.rb
+++ b/spec/inputs/elasticsearch_ssl_spec.rb
@@ -123,7 +123,7 @@
 it "should pass the flag to the ES client" do
 expect(::Elasticsearch::Client).to receive(:new) do |args|
- expect(args[:ssl]).to match hash_including(:ssl => true, :verify => :strict)
+ expect(args[:ssl]).to match hash_including(:ssl => true, :verify => :default)
 end.and_return(es_client_double)
 subject.register
@@ -200,7 +200,7 @@
 :truststore => ssl_truststore_path,
 :truststore_type => "jks",
 :truststore_password => "foo",
- :verify => :strict,
+ :verify => :default,
 :cipher_suites => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
 :protocols => ["TLSv1.3"],
 )
@@ -236,7 +236,7 @@
 :ca_file => ssl_certificate_authorities_path,
 :client_cert => ssl_certificate_path,
 :client_key => ssl_key_path,
- :verify => :strict,
+ :verify => :default,
 :cipher_suites => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
 :protocols => ["TLSv1.3"],
 )
From c717a6bada9fb66c20e820d780d4bb84a4d07350 Mon Sep 17 00:00:00 2001
From: Edmo Vamerlatti Costa <11836452+edmocosta@users.noreply.github.com>
Date: Wed, 31 May 2023 17:59:59 +0200
Subject: [PATCH 2/3] Update PR link
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5a1f82b..897f63c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
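Review bot: The updated expectations in `spec/inputs/elasticsearch_ssl_spec.rb` (hunks at lines 123, 200 and 236) only pin the symbol `:default`, so they would pass whether or not that value actually enforces hostname verification. The hunk at 123 shows it being handed to a stubbed `::Elasticsearch::Client.new`; the other two appear to do the same, though their enclosing calls are outside the hunks. The regression this series fixes appears to have lived in that same gap between the symbol and the client's behaviour, and these specs would not have caught it. An integration spec would pin the behaviour: register the input against a TLS endpoint whose certificate does not match the host and expect a refusal, then against a matching certificate and expect success. Short of that, a comment above the first expectation such as `# :default must keep hostname verification enabled; see setup_client_ssl` would record the intent. The enclosing `describe`/`context` blocks start outside the hunks.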
@@ -1,5 +1,5 @@
 ## 4.17.2
- - Fixes a regression introduced in 4.17.0 which could prevent a connection from being established to Elasticsearch in some SSL configurations [#192](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/192)
+ - Fixes a regression introduced in 4.17.0 which could prevent a connection from being established to Elasticsearch in some SSL configurations [#193](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/193)
 ## 4.17.1
 - Fix: scroll slice high memory consumption [#189](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/189)
From 04b74c0d0e125dfb7e4904ee122f085f5f830992 Mon Sep 17 00:00:00 2001
From: Ry Biesemeyer
Date: Fri, 2 Jun 2023 08:22:46 -0700
Subject: [PATCH 3/3] Document why we are using :default instead of :strict
---
 lib/logstash/inputs/elasticsearch.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/logstash/inputs/elasticsearch.rb b/lib/logstash/inputs/elasticsearch.rb
index e167060..8c933ea 100644
--- a/lib/logstash/inputs/elasticsearch.rb
+++ b/lib/logstash/inputs/elasticsearch.rb
@@ -521,6 +521,8 @@ def setup_client_ssl
 "to make sure your data is secure set `ssl_verification_mode => full`"
 ssl_options[:verify] = :disable
 else
+ # Manticore's :default maps to Apache HTTP Client's DefaultHostnameVerifier,
+ # which is the modern STRICT verifier that replaces the deprecated StrictHostnameVerifier
 ssl_options[:verify] = :default
 end
 end
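Review bot: In the `lib/logstash/inputs/elasticsearch.rb` hunk, the added comment explains what `:default` maps to but not what goes wrong with `:strict`, which is the value a later reader is most likely to restore in the name of hardening. Going by the CHANGELOG entry in this series, `:strict` could prevent connections in some SSL configurations, so I would add one more line to the comment, e.g. `# do not change back to :strict: it caused the connection regression fixed in 4.17.2`. Stating outright that hostname verification stays enabled on this branch would also make clear that the switch does not weaken `ssl_verification_mode => full`. `setup_client_ssl` starts and ends outside the hunk.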