Call tlscommon.SetInsecureDefaults (#42128)

* Call tlscommon.SetInsecureDefaults * Move SetInsecureDefaults call to GenRootCmdWithSettings
elastic · Dec 31, 2024 · 94b5691 · 94b5691
1 parent 33c1bd5
commit 94b5691
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 0 deletions.
diff --git a/libbeat/cmd/instance/beat_test.go b/libbeat/cmd/instance/beat_test.go
@@ -21,8 +21,10 @@ package instance
 
 import (
 	"bytes"
+	"crypto/tls"
 	"io/ioutil"
 	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/elastic/beats/v7/libbeat/cfgfile"
@@ -33,6 +35,7 @@ import (
 	"github.com/elastic/elastic-agent-client/v7/pkg/client"
 	"github.com/elastic/elastic-agent-libs/config"
 	"github.com/elastic/elastic-agent-libs/logp"
+	"github.com/elastic/elastic-agent-libs/transport/tlscommon"
 	"github.com/elastic/go-ucfg/yaml"
 
 	"github.com/gofrs/uuid/v5"
@@ -476,6 +479,50 @@ func TestLogSystemInfo(t *testing.T) {
 	}
 }
 
+func TestTLSDefaultVersions(t *testing.T) {
+	b, err := NewBeat("mockbeat", "testidx", "0.9", false, nil)
+	require.NoError(t, err)
+
+	cfg, err := cfgfile.Load(filepath.Join("testdata", "tls.yml"), nil)
+	require.NoError(t, err)
+	err = cfg.Unpack(&b.Config)
+	require.NoError(t, err)
+	assert.True(t, b.Config.Output.IsSet())
+	sslCfg, err := b.Config.Output.Config().Child("ssl", -1)
+	require.NoError(t, err)
+	var common tlscommon.Config
+	err = sslCfg.Unpack(&common)
+	require.NoError(t, err)
+	tlsCfg, err := tlscommon.LoadTLSConfig(&common)
+	require.NoError(t, err)
+
+	c := tlsCfg.ToConfig()
+	assert.Equal(t, uint16(tls.VersionTLS11), c.MinVersion)
+	assert.Equal(t, uint16(tls.VersionTLS13), c.MaxVersion)
+}
+
+func TestTLSVersion10(t *testing.T) {
+	b, err := NewBeat("mockbeat", "testidx", "0.9", false, nil)
+	require.NoError(t, err)
+
+	cfg, err := cfgfile.Load(filepath.Join("testdata", "tls10.yml"), nil)
+	require.NoError(t, err)
+	err = cfg.Unpack(&b.Config)
+	require.NoError(t, err)
+	assert.True(t, b.Config.Output.IsSet())
+	sslCfg, err := b.Config.Output.Config().Child("ssl", -1)
+	require.NoError(t, err)
+	var common tlscommon.Config
+	err = sslCfg.Unpack(&common)
+	require.NoError(t, err)
+	tlsCfg, err := tlscommon.LoadTLSConfig(&common)
+	require.NoError(t, err)
+
+	c := tlsCfg.ToConfig()
+	assert.Equal(t, uint16(tls.VersionTLS10), c.MinVersion)
+	assert.Equal(t, uint16(tls.VersionTLS10), c.MaxVersion)
+}
+
 type mockManager struct {
 	enabled bool
 }

diff --git a/libbeat/cmd/instance/testdata/tls.yml b/libbeat/cmd/instance/testdata/tls.yml
@@ -0,0 +1,6 @@
+mockbeat:
+name: TestTLSVersions
+output.elasticsearch:
+    hosts: ["localhost:9200"]
+    ssl:
+      enabled: true
diff --git a/libbeat/cmd/instance/testdata/tls10.yml b/libbeat/cmd/instance/testdata/tls10.yml
@@ -0,0 +1,8 @@
+mockbeat:
+name: TestTLSVersions
+output.elasticsearch:
+    hosts: ["localhost:9200"]
+    ssl:
+      enabled: true
+      supported_protocols:
+        - TLSv1.0
diff --git a/libbeat/cmd/root.go b/libbeat/cmd/root.go
@@ -28,6 +28,7 @@ import (
 	"github.com/elastic/beats/v7/libbeat/cmd/instance"
 	"github.com/elastic/beats/v7/libbeat/licenser"
 	"github.com/elastic/beats/v7/libbeat/outputs/elasticsearch"
+	"github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 
 // BeatsRootCmd handles all application command line interface, parses user
@@ -47,6 +48,7 @@ type BeatsRootCmd struct {
 // run command, which will be called if no args are given (for backwards compatibility),
 // and beat settings
 func GenRootCmdWithSettings(beatCreator beat.Creator, settings instance.Settings) *BeatsRootCmd {
+	tlscommon.SetInsecureDefaults()
 	// Add global Elasticsearch license endpoint check.
 	// Check we are actually talking with Elasticsearch, to ensure that used features actually exist.
 	_, _ = elasticsearch.RegisterGlobalCallback(licenser.FetchAndVerify)