Skip to content

Commit 2e58a05

Browse files
authored
Make client_auth optional by default. (#2284)
1 parent e306757 commit 2e58a05

7 files changed

Lines changed: 37 additions & 35 deletions

File tree

_meta/beat.yml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -75,11 +75,10 @@ apm-server:
7575
# Configure curve types for ECDHE based cipher suites
7676
#curve_types: []
7777

78-
# Configure which types of client authentication are supported.
79-
# Options are `none`, `optional`, and `required`.
80-
# It is strongly recommended to always set to `required`
81-
# Default is `required`.
82-
#client_authentication: "required"
78+
# Configure which type of client authentication is supported.
79+
# Options are `none`, `optional`, and `required`. Default is `optional`.
80+
#client_authentication: "optional"
81+
8382

8483
#rum:
8584
# To enable real user monitoring (RUM) support set this to true.

apm-server.docker.yml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -75,11 +75,10 @@ apm-server:
7575
# Configure curve types for ECDHE based cipher suites
7676
#curve_types: []
7777

78-
# Configure which types of client authentication are supported.
79-
# Options are `none`, `optional`, and `required`.
80-
# It is strongly recommended to always set to `required`
81-
# Default is `required`.
82-
#client_authentication: "required"
78+
# Configure which type of client authentication is supported.
79+
# Options are `none`, `optional`, and `required`. Default is `optional`.
80+
#client_authentication: "optional"
81+
8382

8483
#rum:
8584
# To enable real user monitoring (RUM) support set this to true.

apm-server.yml

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -75,11 +75,10 @@ apm-server:
7575
# Configure curve types for ECDHE based cipher suites
7676
#curve_types: []
7777

78-
# Configure which types of client authentication are supported.
79-
# Options are `none`, `optional`, and `required`.
80-
# It is strongly recommended to always set to `required`
81-
# Default is `required`.
82-
#client_authentication: "required"
78+
# Configure which type of client authentication is supported.
79+
# Options are `none`, `optional`, and `required`. Default is `optional`.
80+
#client_authentication: "optional"
81+
8382

8483
#rum:
8584
# To enable real user monitoring (RUM) support set this to true.

beater/beater_test.go

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -32,8 +32,6 @@ import (
3232
"testing"
3333
"time"
3434

35-
"github.com/elastic/beats/libbeat/common/transport/tlscommon"
36-
3735
"github.com/gofrs/uuid"
3836
"github.com/stretchr/testify/assert"
3937
"github.com/stretchr/testify/require"
@@ -43,6 +41,7 @@ import (
4341
"github.com/elastic/apm-server/tests/loader"
4442
"github.com/elastic/beats/libbeat/beat"
4543
"github.com/elastic/beats/libbeat/common"
44+
"github.com/elastic/beats/libbeat/common/transport/tlscommon"
4645
"github.com/elastic/beats/libbeat/outputs"
4746
pubs "github.com/elastic/beats/libbeat/publisher"
4847
"github.com/elastic/beats/libbeat/publisher/pipeline"
@@ -78,9 +77,10 @@ func TestBeatConfig(t *testing.T) {
7877
"capture_personal_data": true,
7978
"secret_token": "1234random",
8079
"ssl": map[string]interface{}{
81-
"enabled": true,
82-
"key": "1234key",
83-
"certificate": "1234cert",
80+
"enabled": true,
81+
"key": "1234key",
82+
"certificate": "1234cert",
83+
"client_authentication": "none",
8484
},
8585
"concurrent_requests": 15,
8686
"expvar": map[string]interface{}{
@@ -130,7 +130,7 @@ func TestBeatConfig(t *testing.T) {
130130
TLS: &tlscommon.ServerConfig{
131131
Enabled: &truthy,
132132
Certificate: outputs.CertificateConfig{Certificate: "1234cert", Key: "1234key"},
133-
ClientAuth: 4},
133+
ClientAuth: 0},
134134
AugmentEnabled: true,
135135
Expvar: &ExpvarConfig{
136136
Enabled: &truthy,
@@ -238,7 +238,7 @@ func TestBeatConfig(t *testing.T) {
238238
TLS: &tlscommon.ServerConfig{
239239
Enabled: &truthy,
240240
Certificate: outputs.CertificateConfig{Certificate: "", Key: ""},
241-
ClientAuth: 4},
241+
ClientAuth: 3},
242242
AugmentEnabled: true,
243243
Expvar: &ExpvarConfig{
244244
Enabled: &truthy,

beater/config.go

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -143,6 +143,19 @@ type InstrumentationConfig struct {
143143

144144
func NewConfig(version string, ucfg *common.Config) (*Config, error) {
145145
c := defaultConfig(version)
146+
147+
if ucfg.HasField("ssl") {
148+
ssl, err := ucfg.Child("ssl", -1)
149+
if err != nil {
150+
return nil, err
151+
}
152+
if !ssl.HasField("client_authentication") {
153+
if err := ucfg.SetString("ssl.client_authentication", -1, "optional"); err != nil {
154+
return nil, err
155+
}
156+
}
157+
}
158+
146159
if err := ucfg.Unpack(c); err != nil {
147160
return nil, errors.Wrap(err, "Error processing configuration")
148161
}

changelogs/6.8.asciidoc

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -23,10 +23,6 @@ https://github.com/elastic/apm-server/compare/v6.7.2\...v6.8.0[View commits]
2323

2424
https://github.com/elastic/apm-server/compare/v6.8.0\...v6.8.1[View commits]
2525

26-
[float]
27-
==== Bug fixes
28-
- Require client authentication by default when `apm-server.ssl.enabled` is true {pull}2224[2224].
29-
3026
[float]
3127
==== Added
32-
- Support more SSL config options for agent/server communication {pull}2224[2224].
28+
- Support more SSL config options for agent/server communication {pull}2224[2224],{pull}2281[2281].

tests/system/test_access.py

Lines changed: 4 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -193,8 +193,7 @@ def test_https_server_validation_fails(self):
193193

194194

195195
class TestSSLEnabledOptionalClientVerificationTest(TestSecureServerBaseTest):
196-
def ssl_overrides(self):
197-
return {"ssl_client_authentication": "optional"}
196+
# no ssl_overrides necessary as `optional` is default
198197

199198
def test_https_no_certificate_ok(self):
200199
r = self.send_http_request(verify=self.ca_cert)
@@ -212,7 +211,8 @@ def test_https_auth_cert_ok(self):
212211

213212

214213
class TestSSLEnabledRequiredClientVerificationTest(TestSecureServerBaseTest):
215-
# no ssl_overrides necessary as `required` is default
214+
def ssl_overrides(self):
215+
return {"ssl_client_authentication": "required"}
216216

217217
@raises(SSLError)
218218
def test_https_no_cert_fails(self):
@@ -230,9 +230,6 @@ def test_https_auth_cert_ok(self):
230230

231231

232232
class TestSSLDefaultSupportedProcotolsTest(TestSecureServerBaseTest):
233-
def ssl_overrides(self):
234-
return {"ssl_client_authentication": "none"}
235-
236233
def test_tls_v1_0(self):
237234
self.ssl_connect(protocol=ssl.PROTOCOL_TLSv1)
238235

@@ -245,8 +242,7 @@ def test_tls_v1_2(self):
245242

246243
class TestSSLSupportedProcotolsTest(TestSecureServerBaseTest):
247244
def ssl_overrides(self):
248-
return {"ssl_client_authentication": "none",
249-
"ssl_supported_protocols": ["TLSv1.2"]}
245+
return {"ssl_supported_protocols": ["TLSv1.2"]}
250246

251247
@raises(ssl.SSLError)
252248
def test_tls_v1_1(self):

0 commit comments

Comments
 (0)