Skip to content

[8.x](backport #39405) [metricbeat] [helper] Fix http server helper SSL config #41157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pierrehilbert merged 1 commit into from
Oct 8, 2024
Merged

[8.x](backport #39405) [metricbeat] [helper] Fix http server helper SSL config #41157

pierrehilbert merged 1 commit into from
Oct 8, 2024

Conversation

@mergify
Copy link
Contributor

@mergify mergify bot commented Oct 7, 2024
edited by zube bot
Loading

Overview

The TLS config used in the metricbeat http server module uses a TLS config suitable for clients (BuildModuleClientConfig), not for servers. This makes it impossible to successfully connect to Prometheus remote_write using TLS since bad certificate is always returned.

Made some small unrelated changes to make golangci-lint happy. Added a reasonable ReadHeaderTimeout of 10 seconds. Replaced ioutil with io.

This was tested with openssl s_client and also directly with the remote_write data stream.

---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: 39C678F0ED9BBBFD657458330B59C50D3A9461C06B7727F5AAF667882F41BE5D
Session-ID-ctx:
Resumption PSK: 5C4509D103373B8036FE089AD2F79BFDC411A2B5C1439CE5852AF8F1184A9EA5
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
0000 - d6 b1 2b 3f f0 69 ea 9a-68 e1 0c e4 24 87 e3 ec ..+?.i..h...$...
0010 - 64 ff 69 a4 4d 2e 88 52-03 64 52 63 91 bc 30 04 d.i.M..R.dRc..0.
0020 - 49 55 1d 1a 79 6c 2b 86-54 46 ae c0 58 95 07 d7 IU..yl+.TF..X...
0030 - c3 b4 f4 83 8c 76 c7 8a-19 5b f6 da 8a b7 55 7f .....v...[....U.
0040 - 42 52 e2 71 17 f1 9a 76-3a f3 1e 29 b5 6a e4 1e BR.q...v:..).j..
0050 - b7 ff 89 4d ef 34 ba 6d-9f 9f df 7a 86 96 c3 59 ...M.4.m...z...Y
0060 - 53 81 5a 17 c2 f6 7f a7-55 4d b1 94 d8 0f a7 69 S.Z.....UM.....i
0070 - c3 .

Start Time: 1712569088
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
800B0789E27F0000:error:0A000412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1600:SSL alert number 42

The NewHttpServer is also used by the http module.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

This is an automatic backport of pull request #39405 done by [Mergify](https://mergify.com).

@gpop63 @belimawr @mergify
[metricbeat] [helper] Fix http server helper SSL config (#39405)
db4d6f6 
* add changelog entry

* fix TLS config

* fix changelog pr id

* golangci-lint fixes

* mage check

* fix http server ssl test

* Update metricbeat/helper/server/http/http_test.go

Co-authored-by: Tiago Queiroz <[email protected]>

* fix changelog

---------

Co-authored-by: Tiago Queiroz <[email protected]>
(cherry picked from commit 6d4fbfc)
@mergify mergify bot requested a review from a team as a code owner October 7, 2024 18:01
@mergify mergify bot added the backport label Oct 7, 2024
@mergify mergify bot requested review from AndersonQ and belimawr and removed request for a team October 7, 2024 18:01
@mergify mergify bot assigned gpop63 Oct 7, 2024
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 7, 2024
@botelastic
Copy link

botelastic bot commented Oct 7, 2024

This pull request doesn't have a Team:<team> label.

@pierrehilbert pierrehilbert merged commit 3799f77 into 8.x Oct 8, 2024
@pierrehilbert pierrehilbert deleted the mergify/bp/8.x/pr-39405 branch October 8, 2024 07:15
@khushijain21 khushijain21 mentioned this pull request Jun 23, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pierrehilbert pierrehilbert pierrehilbert approved these changes

@AndersonQ AndersonQ Awaiting requested review from AndersonQ AndersonQ was automatically assigned from elastic/elastic-agent-data-plane

@belimawr belimawr Awaiting requested review from belimawr belimawr was automatically assigned from elastic/elastic-agent-data-plane

Assignees

@gpop63 gpop63

Labels

backport needs_team Indicates that the issue/PR needs a Team:* label

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pierrehilbert @gpop63