From 44c0f2985423caea1b104581276357faf95fca48 Mon Sep 17 00:00:00 2001
From: Adrian Lopez
Date: Thu, 26 Oct 2017 23:42:47 +0200
Subject: [PATCH] TLS client certificate

Add options to be able to login to ES using client certificates. Also an option to ignore checking certificate validity.
---
 lib/logstash/inputs/elasticsearch.rb | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/lib/logstash/inputs/elasticsearch.rb b/lib/logstash/inputs/elasticsearch.rb
index 65227e1..7608995 100644
--- a/lib/logstash/inputs/elasticsearch.rb
+++ b/lib/logstash/inputs/elasticsearch.rb
@@ -111,9 +111,18 @@ class LogStash::Inputs::Elasticsearch < LogStash::Inputs::Base
 # SSL
 config :ssl, :validate => :boolean, :default => false
 
+ # SSL verify certificate
+ config :ssl_verify, :validate => :boolean, :default => true
+
 # SSL Certificate Authority file in PEM encoded format, must also include any chain certificates as necessary
 config :ca_file, :validate => :path
 
+ # SSL Client Certificate file in PEM encoded format
+ config :client_cert_file, :validate => :path
+
+ # SSL Client Key file in PEM encoded format
+ config :client_key_file, :validate => :path
+
 def register
 require "elasticsearch"
 
@@ -140,8 +149,18 @@ def register
 @hosts
 end
 
- if @ssl && @ca_file
- transport_options[:ssl] = { :ca_file => @ca_file }
+ if @ssl
+ transport_options[:ssl] = {:verify => @ssl_verify}
+
+ if @ca_file
+ transport_options[:ssl][:ca_file] = @ca_file
+ end
+ if @client_cert_file
+ transport_options[:ssl][:client_cert] = OpenSSL::X509::Certificate.new(File.read(@client_cert_file))
+ end
+ if @client_key_file
+ transport_options[:ssl][:client_key] = OpenSSL::PKey::RSA.new(File.read(@client_key_file))
+ end
 end
 
 @client = Elasticsearch::Client.new(:hosts => hosts, :transport_options => transport_options)
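Review bot: The comment on `ssl_verify` in the first hunk (`# SSL verify certificate`) does not tell an operator what disabling the option gives up. I would document it as `# Verify the server certificate against the trusted CAs. Setting this to false disables server authentication, so the connection can be intercepted; keep it true outside of test setups.` The comments on `client_cert_file` and `client_key_file` could also state that both are only used when `ssl` is true and that both need to be set for client authentication, since the second hunk reads them independently.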
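Review bot: In the second hunk the key is loaded with `OpenSSL::PKey::RSA.new`, which rejects EC and other non-RSA keys, and nothing checks that `client_cert_file` and `client_key_file` are set together, so a half-configured pair is handed to the transport and presumably only fails later at the handshake. `OpenSSL::PKey.read` accepts any supported key type, and a configuration error raised in `register` would surface the mismatch at startup. Since `:verify => @ssl_verify` can now turn off server certificate checking, a warning logged when it is false would make that state visible in the logs. `register` starts and ends outside the hunk.

```ruby
    if @ssl
      # … unchanged: transport_options[:ssl] with :verify, and the :ca_file branch …
      @logger.warn("ssl_verify is disabled, the server certificate will not be checked") unless @ssl_verify

      if @client_cert_file.nil? != @client_key_file.nil?
        raise LogStash::ConfigurationError, "client_cert_file and client_key_file must be set together"
      end
      if @client_cert_file
        transport_options[:ssl][:client_cert] = OpenSSL::X509::Certificate.new(File.read(@client_cert_file))
        transport_options[:ssl][:client_key] = OpenSSL::PKey.read(File.read(@client_key_file))
      end
```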