Add the client verify option mode back in

logstash-plugins · Jun 17, 2016 · 73f8986 · 73f8986
1 parent dfc1761
commit 73f8986
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 9 deletions.
diff --git a/lib/logstash/inputs/beats.rb b/lib/logstash/inputs/beats.rb
@@ -143,7 +143,10 @@ def create_server
         .setCipherSuites(normalized_ciphers)
 
       if client_authentification?
-        require "pry";binding.pry
+        if @ssl_verify_mode.upcase == "FORCE_PEER"
+            ssl_builder.setVerifyMode(org.logstash.netty.SslSimpleBuilder::SslClientVerifyMode::FORCE_PEER)
+        end
+
         ssl_builder.setCertificateAuthorities(@ssl_certificate_authorities.first)
       end
       server.enableSSL(ssl_builder)

diff --git a/spec/integration/filebeat_spec.rb b/spec/integration/filebeat_spec.rb
@@ -176,9 +176,6 @@
             include_examples "send events"
           end
 
-
-          # Doesnt work because of this issues in `jruby-openssl`
-          # https://github.com/jruby/jruby-openssl/issues/84
           context "intermediate create server and client certificate" do
             include_context "Intermediate CA"
 

diff --git a/src/main/java/org/logstash/beats/Server.java b/src/main/java/org/logstash/beats/Server.java
@@ -17,6 +17,7 @@
 import org.apache.logging.log4j.Logger;
 import org.logstash.netty.SslSimpleBuilder;
 import javax.net.ssl.SSLException;
+import java.security.NoSuchAlgorithmException;
 import java.util.concurrent.TimeUnit;
 
 
@@ -110,7 +111,7 @@ public BeatsInitializer(Server s) {
             idleExecutorGroup = new DefaultEventExecutorGroup(DEFAULT_IDLESTATEHANDLER_THREAD);
         }
 
-        public void initChannel(SocketChannel socket) throws SSLException {
+        public void initChannel(SocketChannel socket) throws SSLException, NoSuchAlgorithmException {
             ChannelPipeline pipeline = socket.pipeline();
 
             pipeline.addLast(LOGGER_HANDLER, loggingHandler);

diff --git a/src/main/java/org/logstash/netty/SslSimpleBuilder.java b/src/main/java/org/logstash/netty/SslSimpleBuilder.java
@@ -20,13 +20,21 @@
  * Created by ph on 2016-05-27.
  */
 public class SslSimpleBuilder {
+    public static enum SslClientVerifyMode {
+        VERIFY_PEER,
+        FORCE_PEER,
+    }
     public static Logger logger = LogManager.getLogger(SslSimpleBuilder.class.getName());
+
+
     private InputStream sslKeyFile;
     private InputStream sslCertificateFile;
+    private SslClientVerifyMode verifyMode = SslClientVerifyMode.FORCE_PEER;
 
     /*
     Mordern Ciphers List from
     https://wiki.mozilla.org/Security/Server_Side_TLS
+    This list require the OpenSSl engine for netty.
     */
     public final static String[] DEFAULT_CIPHERS = new String[] {
             "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38",
@@ -41,7 +49,6 @@ public class SslSimpleBuilder {
     private String[] ciphers;
     private String[] protocols = new String[] { "TLSv1.2" };
     private String certificateAuthorities;
-    private String verifyMode;
     private String passPhrase;
 
     public SslSimpleBuilder(String sslCertificateFilePath, String sslKeyFilePath, String pass) throws FileNotFoundException {
@@ -72,7 +79,7 @@ public SslSimpleBuilder setCertificateAuthorities(String cert) {
         return this;
     }
 
-    public SslSimpleBuilder setVerifyMode(String mode) {
+    public SslSimpleBuilder setVerifyMode(SslClientVerifyMode mode) {
         verifyMode = mode;
         return this;
     }
@@ -94,7 +101,6 @@ public SslHandler build(ByteBufAllocator bufferAllocator) throws SSLException, N
         if(requireClientAuth()) {
             logger.debug("Certificate Authorities: " + certificateAuthorities);
             builder.trustManager(new File(certificateAuthorities));
-            TrustManagerFactory trustManager = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
         }
 
         SslContext context = builder.build();
@@ -108,8 +114,16 @@ public SslHandler build(ByteBufAllocator bufferAllocator) throws SSLException, N
 
 
         if(requireClientAuth()) {
+            // server is doing the handshake
             engine.setUseClientMode(false);
-            engine.setNeedClientAuth(true);
+
+            if(verifyMode == SslClientVerifyMode.FORCE_PEER) {
+                // Explicitely require a client certificate
+                engine.setNeedClientAuth(true);
+            } else if(verifyMode == SslClientVerifyMode.VERIFY_PEER) {
+                // If the client supply a client certificate we will verify it.
+                engine.setWantClientAuth(true);
+            }
         }
 
         return sslHandler;