[8.0](backport #29312) Add logs for ca_trusted_fingerprint workflow (#…
…29316)

* Add logs for ca_trusted_fingerprint workflow (#29312)

This commit adds logs to clearly show when Beats is trusting a
self-signed certificate through the fingerprint provided by
`ssl.ca_trusted_fingerprint`.

It also cleans up some struct tags on `tlscommon.TLSConfig`.

(cherry picked from commit db9b410)

Co-authored-by: Tiago Queiroz <tiago.queiroz@elastic.co>
mergify[bot] and belimawr authored Dec 8, 2021
1 parent 56dafa2 commit a894da5
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions libbeat/common/transport/tlscommon/tls_config.go
Expand Up @@ -79,7 +79,7 @@ type TLSConfig struct {

// CATrustedFingerprint is the HEX encoded fingerprint of a CA certificate. If present in the chain
// this certificate will be added to the list of trusted CAs (RootCAs) during the handshake.
CATrustedFingerprint string `config:"ca_trusted_fingerprint" yaml:"ca_trusted_fingerprint,omitempty"`
CATrustedFingerprint string

// time returns the current time as the number of seconds since the epoch.
// If time is nil, TLS uses time.Now.
Expand Down Expand Up @@ -159,16 +159,19 @@ func (c *TLSConfig) BuildServerConfig(host string) *tls.Config {
}

func trustRootCA(cfg *TLSConfig, peerCerts []*x509.Certificate) error {
logger := logp.NewLogger("tls")
logger.Info("'ca_trusted_fingerprint' set, looking for matching fingerprints")
fingerprint, err := hex.DecodeString(cfg.CATrustedFingerprint)
if err != nil {
return fmt.Errorf("decode fingerprint: %w", err)
return fmt.Errorf("decode 'ca_trusted_fingerprint': %w", err)
}

for _, cert := range peerCerts {
// Compute digest for each certificate.
digest := sha256.Sum256(cert.Raw)

if bytes.Equal(digest[0:], fingerprint) {
logger.Info("CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'")
// Make sure the fingerprint matches a CA certificate
if cert.IsCA {
if cfg.RootCAs == nil {
Expand All @@ -181,7 +184,7 @@ func trustRootCA(cfg *TLSConfig, peerCerts []*x509.Certificate) error {
}
}

logp.NewLogger("tls").Warn("no CA certificate matching the fingerprint")
logger.Warn("no CA certificate matching the fingerprint")
return nil
}
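Review bot: In the second hunk the new `logger.Info("CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'")` is emitted before the `if cert.IsCA` check, so a peer certificate whose digest matches but which is not a CA would still log that it is being added; moving that line inside the `if cert.IsCA {` branch, or rewording it to "fingerprint matched, checking CA constraint", keeps the log truthful. A decoded fingerprint of the wrong length can never equal a SHA-256 digest and today surfaces only as the closing "no CA certificate matching the fingerprint" warning; rejecting it right after decoding, `if len(fingerprint) != sha256.Size { return fmt.Errorf("'ca_trusted_fingerprint' must be a SHA-256 digest (%d bytes), got %d", sha256.Size, len(fingerprint)) }`, turns a misconfiguration into a clear error at the point it is made. If trustRootCA runs once per handshake, as its peerCerts argument suggests, the two new Info lines will be written on every connection and may belong at Debug level. trustRootCA's body continues outside the hunk between the second and third hunks.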

