Feat: TLSv1.3 support (#146)

Co-authored-by: Rob Bavey <rob.bavey@elastic.co>

Author: kares

CHANGELOG.md

@@ -1,3 +1,6 @@
+## 3.5.0
+ - Feat: TLSv1.3 support [#146](https://github.com/logstash-plugins/logstash-input-http/pull/146)
+
 ## 3.4.5
  - Build: do not package log4j-api dependency [#149](https://github.com/logstash-plugins/logstash-input-http/pull/149).
    Logstash provides the log4j framework and the dependency is not needed except testing and compiling.

VERSION

@@ -1 +1 @@
-3.4.5
+3.5.0

docs/index.asciidoc

@@ -134,9 +134,11 @@ and no codec for the request's content-type is found
 ===== `cipher_suites` 
 
   * Value type is <<array,array>>
-  * Default value is `java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca`
+  * Default value is `[TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]`
 
 The list of ciphers suite to use, listed by priorities.
+The default values applies for OpenJDK 11.0.14 and higher, for older versions the list does not include suites
+not supported by the JDK, such as the ChaCha20 family of ciphers.
 
 [id="plugins-{type}s-{plugin}-ecs_compatibility"]
 ===== `ecs_compatibility`
@@ -357,7 +359,7 @@ Time in milliseconds for an incomplete ssl handshake to timeout
   * There is no default value for this setting.
 
 SSL key to use.
-NOTE: This key need to be in the PKCS8 format, you can convert it with https://www.openssl.org/docs/man1.1.0/apps/pkcs8.html[OpenSSL]
+NOTE: This key need to be in the PKCS8 format, you can convert it with https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs8.html[OpenSSL]
 for more information.
 
 [id="plugins-{type}s-{plugin}-ssl_key_passphrase"]
@@ -396,19 +398,19 @@ Number of threads to use for both accepting connections and handling requests
 ===== `tls_max_version` 
 
   * Value type is <<number,number>>
-  * Default value is `1.2`
+  * Default value is `1.3`
 
-The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
-1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+The maximum TLS version allowed for the encrypted connections.
+The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
 
 [id="plugins-{type}s-{plugin}-tls_min_version"]
 ===== `tls_min_version` 
 
   * Value type is <<number,number>>
-  * Default value is `1`
+  * Default value is `1.2`
 
-The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
-1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+The minimum TLS version allowed for the encrypted connections.
+The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
 
 [id="plugins-{type}s-{plugin}-user"]
 ===== `user` 

lib/logstash/inputs/http.rb

@@ -87,11 +87,11 @@ class LogStash::Inputs::Http < LogStash::Inputs::Base
   config :ssl_handshake_timeout, :validate => :number, :default => 10000
 
   # The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
-  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
   config :tls_min_version, :validate => :number, :default => TLS.min.version
 
   # The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
-  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+  # 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3
   config :tls_max_version, :validate => :number, :default => TLS.max.version
 
   # The list of ciphers suite to use, listed by priorities.

lib/logstash/inputs/http/tls.rb

@@ -18,7 +18,8 @@ def <=>(other)
     TLS_PROTOCOL_OPTIONS = [
       TLSOption.new("TLSv1", 1),
       TLSOption.new("TLSv1.1", 1.1),
-      TLSOption.new("TLSv1.2", 1.2)
+      TLSOption.new("TLSv1.2", 1.2),
+      TLSOption.new("TLSv1.3", 1.3)
     ]
 
     def self.min

logstash-input-http.gemspec

@@ -2,7 +2,7 @@ HTTP_INPUT_VERSION = File.read(File.expand_path(File.join(File.dirname(__FILE__)
 
 Gem::Specification.new do |s|
   s.name = 'logstash-input-http'
-  s.version         = HTTP_INPUT_VERSION
+  s.version = HTTP_INPUT_VERSION
   s.licenses = ['Apache License (2.0)']
   s.summary = "Receives events over HTTP or HTTPS"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

spec/fixtures/certs/generate.sh

@@ -0,0 +1,40 @@
+# warning: do not use the certificates produced by this tool in production.
+# This is for testing purposes only
+set -e
+
+rm -rf generated
+mkdir generated
+cd generated
+
+echo "GENERATED CERTIFICATES FOR TESTING ONLY." >> ./README.txt
+echo "DO NOT USE THESE CERTIFICATES IN PRODUCTION" >> ./README.txt
+
+# certificate authority
+openssl genrsa -out root.key 4096
+openssl req -new -x509 -days 1826 -extensions ca -key root.key -out root.crt -subj "/C=LS/ST=NA/L=Http Input/O=Logstash/CN=root" -config ../openssl.cnf
+
+# server certificate from root
+openssl genrsa -out server_from_root.key 4096
+openssl req -new -key server_from_root.key -out server_from_root.csr -subj "/C=LS/ST=NA/L=Http Input/O=Logstash/CN=server" -config ../openssl.cnf
+openssl x509 -req -extensions server_cert -extfile ../openssl.cnf -days 1096 -in server_from_root.csr -CA root.crt -CAkey root.key -set_serial 03 -out server_from_root.crt
+
+# client certificate from root
+openssl genrsa -out client_from_root.key 4096
+openssl req -new -key client_from_root.key -out client_from_root.csr -subj "/C=LS/ST=NA/L=Http Input/O=Logstash/CN=client" -config ../openssl.cnf
+openssl x509 -req -extensions client_cert -extfile ../openssl.cnf -days 1096 -in client_from_root.csr -CA root.crt -CAkey root.key -set_serial 04 -out client_from_root.crt
+
+# verify :allthethings
+openssl verify -CAfile root.crt server_from_root.crt
+
+# create pkcs8 versions of all keys
+openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in client_from_root.key -out client_from_root.key.pkcs8
+openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in server_from_root.key -out server_from_root.key.pkcs8
+
+# create pkcs12 keystores (pass:12345678)
+openssl pkcs12 -export -in client_from_root.crt -inkey client_from_root.key -out client_from_root.p12 -name "client_from_root" -passout 'pass:12345678'
+
+# use java keytool to convert all pkcs12 keystores to jks-format keystores (pass:12345678)
+keytool -importkeystore -srckeystore client_from_root.p12 -srcstoretype pkcs12 -srcstorepass 12345678 -destkeystore client_from_root.jks -deststorepass 12345678 -alias client_from_root
+
+# cleanup csr, we don't need them
+rm -rf *.csr

spec/fixtures/certs/generated/README.txt

@@ -0,0 +1,2 @@
+GENERATED CERTIFICATES FOR TESTING ONLY.
+DO NOT USE THESE CERTIFICATES IN PRODUCTION

spec/fixtures/certs/generated/client_from_root.crt

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGATCCA+mgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJMUzEL
+MAkGA1UECAwCTkExEzARBgNVBAcMCkh0dHAgSW5wdXQxETAPBgNVBAoMCExvZ3N0
+YXNoMQ0wCwYDVQQDDARyb290MB4XDTIxMTEyNDEwMjEzMloXDTI0MTEyNDEwMjEz
+MlowUzELMAkGA1UEBhMCTFMxCzAJBgNVBAgMAk5BMRMwEQYDVQQHDApIdHRwIElu
+cHV0MREwDwYDVQQKDAhMb2dzdGFzaDEPMA0GA1UEAwwGY2xpZW50MIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzz7tc52SXN84bP8/009HnfkDMGhqvNgi
+oO+kza7PT1O7jcA3i0hh1r2N4xUIllc3cSvcfFK/sw8mAFPGE6lMIPAWHnsFipd1
+6rrk7jIVEgBE7ZUYuqWRRQ7ULV1a3LTxCn7XUrtk1bbrLgPRcoUev81L19AQZQ6R
+DGv9MyFE2X71lvchj09eLh4RcR7/5Myj6ODtz5mYOIn8hqAaYCa6Zu0A54WbQd4p
+xc/iuEQqpUJNcXdVJyNAzhDQq/oMImWgWs/nuMIrCV0WXttGsOnztxsftytsNtnP
+SOBuULhRdDrkV16u7zMftANBWdoWIcdbc6ipr17ZrqySmioSWHk5YcsRwP6Em9Hq
+SHgNXSDkb3+TPQX/XG2cmaPI+a8yTvgV1igMbzDYEznfqOhNG/28jTGo36iMt+R1
+ZrDWoIxRqSKq7WAiGmnKZKiy4xV4Ze3zekx7xse/S/OxmWvOCYN0+aLFgxNuizX5
+PpY6PhwJ/+I5JpbH2pXwuPsFMAyt5vwmcrS6k7O3vvUml7mwHQVQTqrNEvPHDwxe
+H6n2LiW7Bbana12rkdMU5mXwBMMTVz1sjOZnzM1M+JEoce3UXfGuflhG7amOhPJf
+Aj7vMR6kilzATFjmx1hdqqHzNARkeuxLhUzpdgKnk3nEmYPKx1MB7Y4FvpSEoTPV
+K3rPkMHQm6UCAwEAAaOB4TCB3jAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIF
+oDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRp
+ZmljYXRlMB0GA1UdDgQWBBTXHNdFAtzeVD56PI6/Mu/wVzDCyzAfBgNVHSMEGDAW
+gBSn18dv3u0R/O/LDPC7h+wHlcpFqDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwIGCCsGAQUFBwMEMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAA
+ATANBgkqhkiG9w0BAQsFAAOCAgEAE23qZ7HfFubCXYCzGxTq+zzMAId5rUn8Cnav
+9eEGdofjkRRHJnW1yM8AmblbwxM8fs6SrQtujhGNFWEsGuXDoFFG6ID06eFsC1yC
+RpKme0PRsKruBn8Na5Z2jeZ0SWKvW+1ZlvosMhQQh6QaNf7VTNVizJD+J34QxFeH
+N66/Fh8/sh0ZooFy791japEtec8HJIBHNPrJprqYnzosKTRnYSLJpiCP9ksordMS
+rTHWGDRnUXu1ggWanopt5wZfICG92gi8rROEk4fwFUy93E+WEzv8XCXpRxZqhdJf
+V+jPoUHo4ZOnM8uFna5Y/o+DiVOdPXgn9xspe5qhEvU8upsvKRVNlfAXVGWjiG13
+ZdR3PvGITplFhNkBAuPIf1Z/xTF0e8JzQSSC2CtThGuCJz9uSB6zpnxjODKxAqFX
+IbbH8Tnf8q6nEJm0RbMOyAc/HvX2eei1TV1XD9StL/M/2n0bCn/+s4peT4/qOy2T
+zqQYTe45RknishUiMiv00//W5LNImjb0THHxQ1kQxi7Tlk0dZ5CPUjMfBVCt+Gdo
+EQMjeGjvjfRvKtGzhtMDmkA3Oc8iOiaaR7mSU+ZjslDlRYnPKicbls673ttL3rx8
+R//PwWeZcBWkbowOYNJnjaiySpoO3WVEGMA8mUw4SEtlga6760cN4+e4pKnzo1sR
+P1W1gRQ=
+-----END CERTIFICATE-----