[7.17](backport #30331) libbeat/common/transport: fix log message abo…

…ut TLS (#32909)

This commit fixes the log message issued by the `test output` command.
Our current TLS verification relies on more than the value of
`tlsConfig.InsecureSkipVerify`, so the previous implementation would
log that TLS was disabled when it was not.

This commit fixes it by checking the value of `config.Verification`.

(cherry picked from commit 4eeb5a9)

Co-authored-by: Tiago Queiroz <tiago.queiroz@elastic.co>

CHANGELOG.next.asciidoc

@@ -32,6 +32,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Affecting all Beats*
 
+- Fix a logging bug when `ssl.verification_mode` was set to `full` or `certificate`, the command `test output` incorrectly logged that TLS was disabled. {pull}30331[30331]
 
 *Auditbeat*
 

libbeat/common/transport/tls.go

@@ -154,7 +154,21 @@ func tlsDialWith(
 		}
 	}
 
-	if tlsConfig.InsecureSkipVerify {
+	// config might be nil, so get the zero-value and then read what is in config.
+	// We assume that the zero-value is the default value
+	var verification tlscommon.TLSVerificationMode
+	if config != nil {
+		verification = config.Verification
+	}
+
+	// We only check the status of config.Verification (`ssl.verification_mode`
+	// in the configuration file) because we have a custom verification logic
+	// implemented by setting tlsConfig.VerifyConnection that runs regardless of
+	// the status of tlsConfig.InsecureSkipVerify.
+	// For verification modes VerifyFull and VerifyCeritifcate we set
+	// tlsConfig.InsecureSkipVerify to true, hence it's not an indicator of
+	// whether TLS verification is enabled or not.
+	if verification == tlscommon.VerifyNone {
 		d.Warn("security", "server's certificate chain verification is disabled")
 	} else {
 		d.Info("security", "server's certificate chain verification is enabled")