Add support TLS renegotiation

CHANGELOG.asciidoc

@@ -61,6 +61,7 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di
 - Changed the hashbang used in the beat helper script from `/bin/bash` to `/usr/bin/env bash`. {pull}5051[5051]
 - Changed beat helper script to use `exec` when running the beat. {pull}5051[5051]
 - Fix reloader error message to only print on actual error {pull}5066[5066]
+- Add support for enabling TLS renegotiation. {issue}4386[4386]
 
 *Auditbeat*
 

auditbeat/auditbeat.reference.yml

@@ -281,6 +281,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 
 #----------------------------- Logstash output ---------------------------------
 #output.logstash:
@@ -357,6 +361,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Kafka output ----------------------------------
 #output.kafka:
   # Boolean flag to enable or disable the output module.
@@ -489,6 +497,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Redis output ----------------------------------
 #output.redis:
   # Boolean flag to enable or disable the output module.
@@ -586,6 +598,9 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
 
 #------------------------------- File output -----------------------------------
 #output.file:

filebeat/filebeat.reference.yml

@@ -701,6 +701,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 
 #----------------------------- Logstash output ---------------------------------
 #output.logstash:
@@ -777,6 +781,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Kafka output ----------------------------------
 #output.kafka:
   # Boolean flag to enable or disable the output module.
@@ -909,6 +917,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Redis output ----------------------------------
 #output.redis:
   # Boolean flag to enable or disable the output module.
@@ -1006,6 +1018,9 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
 
 #------------------------------- File output -----------------------------------
 #output.file:

heartbeat/heartbeat.reference.yml

@@ -430,6 +430,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 
 #----------------------------- Logstash output ---------------------------------
 #output.logstash:
@@ -506,6 +510,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Kafka output ----------------------------------
 #output.kafka:
   # Boolean flag to enable or disable the output module.
@@ -638,6 +646,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Redis output ----------------------------------
 #output.redis:
   # Boolean flag to enable or disable the output module.
@@ -735,6 +747,9 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
 
 #------------------------------- File output -----------------------------------
 #output.file:

libbeat/_meta/config.reference.yml

@@ -216,6 +216,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 
 #----------------------------- Logstash output ---------------------------------
 #output.logstash:
@@ -292,6 +296,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Kafka output ----------------------------------
 #output.kafka:
   # Boolean flag to enable or disable the output module.
@@ -424,6 +432,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Redis output ----------------------------------
 #output.redis:
   # Boolean flag to enable or disable the output module.
@@ -521,6 +533,9 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
 
 #------------------------------- File output -----------------------------------
 #output.file:

libbeat/docs/shared-ssl-config.asciidoc

@@ -157,3 +157,12 @@ The following elliptic curve types are available:
 * P-384
 * P-521
 
+[float]
+==== `renegotiation`
+
+This configures what types of TLS renegotiation are supported. The valid options
+are `never`, `once`, and `freely`. The default value is never.
+
+* `never` - Disables renegotiation.
+* `once` - Allows a remote server to request renegotiation once per connection.
+* `freely` - Allows a remote server to repeatedly request renegotiation.

libbeat/outputs/tls.go

@@ -36,6 +36,7 @@ type TLSConfig struct {
 	CAs              []string                      `config:"certificate_authorities"`
 	Certificate      CertificateConfig             `config:",inline"`
 	CurveTypes       []tlsCurveType                `config:"curve_types"`
+	Renegotiation    tlsRenegotiationSupport       `config:"renegotiation"`
 }
 
 type CertificateConfig struct {
@@ -48,6 +49,8 @@ type tlsCipherSuite uint16
 
 type tlsCurveType tls.CurveID
 
+type tlsRenegotiationSupport tls.RenegotiationSupport
+
 var tlsCipherSuites = map[string]tlsCipherSuite{
 	"ECDHE-ECDSA-AES-128-CBC-SHA":    tlsCipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA),
 	"ECDHE-ECDSA-AES-128-GCM-SHA256": tlsCipherSuite(tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256),
@@ -74,6 +77,12 @@ var tlsCurveTypes = map[string]tlsCurveType{
 	"P-521": tlsCurveType(tls.CurveP521),
 }
 
+var tlsRenegotiationSupportTypes = map[string]tlsRenegotiationSupport{
+	"never":  tlsRenegotiationSupport(tls.RenegotiateNever),
+	"once":   tlsRenegotiationSupport(tls.RenegotiateOnceAsClient),
+	"freely": tlsRenegotiationSupport(tls.RenegotiateFreelyAsClient),
+}
+
 func (c *TLSConfig) Validate() error {
 	hasCertificate := c.Certificate.Certificate != ""
 	hasKey := c.Certificate.Key != ""
@@ -144,6 +153,7 @@ func LoadTLSConfig(config *TLSConfig) (*transport.TLSConfig, error) {
 		RootCAs:          cas,
 		CipherSuites:     cipherSuites,
 		CurvePreferences: curves,
+		Renegotiation:    tls.RenegotiationSupport(config.Renegotiation),
 	}, nil
 }
 
@@ -289,3 +299,13 @@ func (ct *tlsCurveType) Unpack(s string) error {
 	*ct = t
 	return nil
 }
+
+func (r *tlsRenegotiationSupport) Unpack(s string) error {
+	t, found := tlsRenegotiationSupportTypes[s]
+	if !found {
+		return fmt.Errorf("invalid tls renegotiation type '%v'", s)
+	}
+
+	*r = t
+	return nil
+}

libbeat/outputs/tls_test.go

@@ -85,6 +85,7 @@ func TestValuesSet(t *testing.T) {
     supported_protocols: [TLSv1.1, TLSv1.2]
     curve_types:
       - P-521
+    renegotiation: freely
   `)
 
 	if err != nil {
@@ -100,6 +101,9 @@ func TestValuesSet(t *testing.T) {
 		[]transport.TLSVersion{transport.TLSVersion11, transport.TLSVersion12},
 		cfg.Versions)
 	assert.Len(t, cfg.CurveTypes, 1)
+	assert.Equal(t,
+		tls.RenegotiateFreelyAsClient,
+		tls.RenegotiationSupport(cfg.Renegotiation))
 }
 
 func TestApplyEmptyConfig(t *testing.T) {
@@ -169,6 +173,10 @@ func TestCertificateFails(t *testing.T) {
 			"unknown curve type",
 			"curve_types: ['unknown curve type']",
 		},
+		{
+			"unknown renegotiation type",
+			"renegotiation: always",
+		},
 	}
 
 	for i, test := range tests {

libbeat/outputs/transport/tls.go

@@ -39,6 +39,10 @@ type TLSConfig struct {
 	// Types of elliptic curves that will be used in an ECDHE handshake. If empty,
 	// the implementation will choose a default.
 	CurvePreferences []tls.CurveID
+
+	// Renegotiation controls what types of renegotiation are supported.
+	// The default, never, is correct for the vast majority of applications.
+	Renegotiation tls.RenegotiationSupport
 }
 
 type TLSVersion uint16

metricbeat/metricbeat.reference.yml

@@ -660,6 +660,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 
 #----------------------------- Logstash output ---------------------------------
 #output.logstash:
@@ -736,6 +740,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Kafka output ----------------------------------
 #output.kafka:
   # Boolean flag to enable or disable the output module.
@@ -868,6 +876,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Redis output ----------------------------------
 #output.redis:
   # Boolean flag to enable or disable the output module.
@@ -965,6 +977,9 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
 
 #------------------------------- File output -----------------------------------
 #output.file:

packetbeat/packetbeat.reference.yml

@@ -668,6 +668,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 
 #----------------------------- Logstash output ---------------------------------
 #output.logstash:
@@ -744,6 +748,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Kafka output ----------------------------------
 #output.kafka:
   # Boolean flag to enable or disable the output module.
@@ -876,6 +884,10 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
 #------------------------------- Redis output ----------------------------------
 #output.redis:
   # Boolean flag to enable or disable the output module.
@@ -973,6 +985,9 @@ output.elasticsearch:
   # Configure curve types for ECDHE based cipher suites
   #ssl.curve_types: []
 
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
 
 #------------------------------- File output -----------------------------------
 #output.file: