diff --git a/libbeat/cfgfile/cfgfile.go b/libbeat/cfgfile/cfgfile.go
index 14e38c5ab7d..2bd8b401995 100644
--- a/libbeat/cfgfile/cfgfile.go
+++ b/libbeat/cfgfile/cfgfile.go
@@ -29,6 +29,7 @@ import (
 "github.com/elastic/beats/v7/libbeat/common/fleetmode"
 "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 )
 // Evil package level globals
@@ -68,6 +69,7 @@ func Initialize() {
 AddAllowedBackwardsCompatibleFlag("path.data")
 _ = config.ConfigOverwriteFlag(nil, overwrites, "path.logs", "path.logs", "", "Logs path")
 AddAllowedBackwardsCompatibleFlag("path.logs")
+ tlscommon.SetInsecureDefaults()
 })
 }
diff --git a/libbeat/cmd/instance/beat_test.go b/libbeat/cmd/instance/beat_test.go
index ebfecf191c7..0f26e3bb6f0 100644
--- a/libbeat/cmd/instance/beat_test.go
+++ b/libbeat/cmd/instance/beat_test.go
@@ -21,8 +21,10 @@ package instance
 import (
 "bytes"
+ "crypto/tls"
 "io/ioutil"
 "os"
+ "path/filepath"
 "testing"
 "github.com/elastic/beats/v7/libbeat/cfgfile"
@@ -33,6 +35,7 @@ import (
 "github.com/elastic/elastic-agent-client/v7/pkg/client"
 "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 "github.com/elastic/go-ucfg/yaml"
 "github.com/gofrs/uuid/v5"
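Review bot: The added `tlscommon.SetInsecureDefaults()` call in the `Initialize()` hunk of cfgfile.go changes process-wide TLS defaults as a side effect of flag registration, and nothing at the call site records why a function with "Insecure" in its name is invoked unconditionally. Judging by `TestTLSDefaultVersions` in this same commit, the effect appears to be a default minimum of TLS 1.1 for any `ssl` block that does not set `supported_protocols`, so the line should carry a comment along the lines of `// Relaxes the library-wide TLS default minimum (TLS 1.1, see TestTLSDefaultVersions); set ssl.supported_protocols explicitly to require newer versions.` It is also worth confirming that the closure ending at `})` always runs before any output or input builds its TLS config, since a config loaded earlier would presumably see different defaults. The body of `Initialize` begins outside the hunk.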
@@ -476,6 +479,50 @@ func TestLogSystemInfo(t *testing.T) {
 }
 }
+func TestTLSDefaultVersions(t *testing.T) {
+ b, err := NewBeat("mockbeat", "testidx", "0.9", false, nil)
+ require.NoError(t, err)
+
+ cfg, err := cfgfile.Load(filepath.Join("testdata", "tls.yml"), nil)
+ require.NoError(t, err)
+ err = cfg.Unpack(&b.Config)
+ require.NoError(t, err)
+ assert.True(t, b.Config.Output.IsSet())
+ sslCfg, err := b.Config.Output.Config().Child("ssl", -1)
+ require.NoError(t, err)
+ var common tlscommon.Config
+ err = sslCfg.Unpack(&common)
+ require.NoError(t, err)
+ tlsCfg, err := tlscommon.LoadTLSConfig(&common)
+ require.NoError(t, err)
+
+ c := tlsCfg.ToConfig()
+ assert.Equal(t, uint16(tls.VersionTLS11), c.MinVersion)
+ assert.Equal(t, uint16(tls.VersionTLS13), c.MaxVersion)
+}
+
+func TestTLSVersion10(t *testing.T) {
+ b, err := NewBeat("mockbeat", "testidx", "0.9", false, nil)
+ require.NoError(t, err)
+
+ cfg, err := cfgfile.Load(filepath.Join("testdata", "tls10.yml"), nil)
+ require.NoError(t, err)
+ err = cfg.Unpack(&b.Config)
+ require.NoError(t, err)
+ assert.True(t, b.Config.Output.IsSet())
+ sslCfg, err := b.Config.Output.Config().Child("ssl", -1)
+ require.NoError(t, err)
+ var common tlscommon.Config
+ err = sslCfg.Unpack(&common)
+ require.NoError(t, err)
+ tlsCfg, err := tlscommon.LoadTLSConfig(&common)
+ require.NoError(t, err)
+
+ c := tlsCfg.ToConfig()
+ assert.Equal(t, uint16(tls.VersionTLS10), c.MinVersion)
+ assert.Equal(t, uint16(tls.VersionTLS10), c.MaxVersion)
+}
+
 type mockManager struct {
 enabled bool
 }
diff --git a/libbeat/cmd/instance/testdata/tls.yml b/libbeat/cmd/instance/testdata/tls.yml
new file mode 100644
index 00000000000..8d2f8172853
--- /dev/null
+++ b/libbeat/cmd/instance/testdata/tls.yml
@@ -0,0 +1,6 @@
+mockbeat:
+name: TestTLSVersions
+output.elasticsearch:
+ hosts: ["localhost:9200"]
+ ssl:
+ enabled: true
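Review bot: `TestTLSDefaultVersions` asserts `tls.VersionTLS11` as the default minimum, but that value depends on package-global state set inside `cfgfile.Initialize()`, and nothing visible in the test calls it. Unless `NewBeat` or `cfgfile.Load` triggers it (not shown in this hunk), the outcome depends on what ran earlier in the test binary. Invoking the initializer explicitly at the top of the test would make it self-contained, and a comment such as `// TLS 1.1 is the relaxed default installed by tlscommon.SetInsecureDefaults, kept for compatibility; it is not a recommended floor` would keep the assertion from being read as an endorsement of that version. `TestTLSVersion10` repeats the same body with a different fixture and expected versions, so the two would read better as one table-driven test. That table could also gain a case showing that an explicit, stricter `supported_protocols` still overrides the relaxed default.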
diff --git a/libbeat/cmd/instance/testdata/tls10.yml b/libbeat/cmd/instance/testdata/tls10.yml
new file mode 100644
index 00000000000..033847dfee0
--- /dev/null
+++ b/libbeat/cmd/instance/testdata/tls10.yml
@@ -0,0 +1,8 @@
+mockbeat:
+name: TestTLSVersions
+output.elasticsearch:
+ hosts: ["localhost:9200"]
+ ssl:
+ enabled: true
+ supported_protocols:
+ - TLSv1.0