[FIPS] Test that libbeat ES client will not connect to ES with invalid TLS certificate

[ycombinator]

Proposed commit message

This PR adds a new test, TestConnectionTLS, that fakes an Elasticsearch HTTPS server that returns a TLS certificate that's been created with a key length of < 2048 bits, making it invalid for FIPS-compliant use.

If running in FIPS mode, the test asserts that the Beat's connection to Elasticsearch will fail with a TLS error.
If not running in FIPS mode, the test asserts that the Beat's connection to Elasticsearch will succeed.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

None; this PR just adds a new unit test.

How to test this PR locally

In a non-FIPS environment:

$ go test ./libbeat/esleg/eslegclient/... -v -test.run TestConnectionTLS -test.count 1
=== RUN   TestConnectionTLS
    logger.go:146: 2025-07-02T17:38:22.328-0700	INFO	TestConnectionTLS.esclientleg	logp/logger.go:212	elasticsearch url: https://127.0.0.1:56871
    logger.go:146: 2025-07-02T17:38:22.329-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	ES Ping(url=https://127.0.0.1:56871)
    logger.go:146: 2025-07-02T17:38:22.330-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	Completed dialing successfully	{"network.transport": "tcp", "server.address": "127.0.0.1:56871"}
    logger.go:146: 2025-07-02T17:38:22.331-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	Ping status code: 200
    logger.go:146: 2025-07-02T17:38:22.331-0700	INFO	TestConnectionTLS.esclientleg	logp/logger.go:212	Attempting to connect to Elasticsearch version 9.2.0-SNAPSHOT (default)
--- PASS: TestConnectionTLS (0.00s)
PASS
ok  	github.com/elastic/beats/v7/libbeat/esleg/eslegclient	0.398s

In a FIPS environment, i.e. with the Microsoft Go fork installed and with the OpenSSL FIPS provider installed:

$ GOEXPERIMENT=systemcrypto go test --tags=requirefips ./libbeat/esleg/eslegclient/... -v -test.run TestConnectionTLS -test.count 1
=== RUN   TestConnectionTLS
    logger.go:146: 2025-07-02T17:36:54.162-0700	INFO	TestConnectionTLS.esclientleg	logp/logger.go:212	elasticsearch url: https://127.0.0.1:39835
    logger.go:146: 2025-07-02T17:36:54.162-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	ES Ping(url=https://127.0.0.1:39835)
    logger.go:146: 2025-07-02T17:36:54.164-0700	ERROR	TestConnectionTLS.esclientleg	logp/logger.go:222	Error dialing remote error: tls: internal error{"network.transport": "tcp", "server.address": "127.0.0.1:39835"}
        github.com/elastic/elastic-agent-libs/logp.(*Logger).Errorf
        	/home/shaunak/go/pkg/mod/github.com/elastic/elastic-agent-libs@v0.20.0/logp/logger.go:222
        github.com/elastic/elastic-agent-libs/transport/httpcommon.(*HTTPTransportSettings).RoundTripper.LoggingDialer.func2
        	/home/shaunak/go/pkg/mod/github.com/elastic/elastic-agent-libs@v0.20.0/transport/logging.go:39
        github.com/elastic/elastic-agent-libs/transport.DialerFunc.DialContext
        	/home/shaunak/go/pkg/mod/github.com/elastic/elastic-agent-libs@v0.20.0/transport/transport.go:44
        net/http.(*Transport).customDialTLS
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1470
        net/http.(*Transport).dialConn
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1756
        net/http.(*Transport).dialConnFor
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1615
        net/http.(*Transport).startDialConnForLocked.func1
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1597
    logger.go:146: 2025-07-02T17:36:54.164-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	Ping request failed with: Get "https://127.0.0.1:39835": remote error: tls: internal error
--- PASS: TestConnectionTLS (0.00s)
PASS
ok  	github.com/elastic/beats/v7/libbeat/esleg/eslegclient	0.020s

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[ycombinator]

CI, specifically the Libbeat: Ubuntu x86_64 Unit Tests with requirefips build tag step, is failing on the test written in this PR:

=== Failed
--
  | === FAIL: libbeat/esleg/eslegclient TestConnectionTLS (0.01s)
  | logger.go:146: 2025-07-03T01:29:28.223Z	INFO	TestConnectionTLS.esclientleg	logp/logger.go:212	elasticsearch url: https://127.0.0.1:46361
  | logger.go:146: 2025-07-03T01:29:28.224Z	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	ES Ping(url=https://127.0.0.1:46361)
  | logger.go:146: 2025-07-03T01:29:28.227Z	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	Completed dialing successfully	{"network.transport": "tcp", "server.address": "127.0.0.1:46361"}
  | logger.go:146: 2025-07-03T01:29:28.227Z	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	Ping status code: 200
  | logger.go:146: 2025-07-03T01:29:28.227Z	INFO	TestConnectionTLS.esclientleg	logp/logger.go:212	Attempting to connect to Elasticsearch version 9.2.0-SNAPSHOT (default)
  | connection_fips_test.go:73:
  | Error Trace:	/opt/buildkite-agent/builds/bk-agent-prod-gcp-1751506014588605207/elastic/beats-libbeat/libbeat/esleg/eslegclient/connection_fips_test.go:73
  | Error:      	An error is expected but got nil.
  | Test:       	TestConnectionTLS

This test passes locally for me when I run it on a FIPS-configured VM.

$ GOEXPERIMENT=systemcrypto go test --tags=requirefips ./libbeat/esleg/eslegclient/... -v -test.run TestConnectionTLS -test.count 1
=== RUN   TestConnectionTLS
    logger.go:146: 2025-07-03T09:11:15.725-0700	INFO	TestConnectionTLS.esclientleg	logp/logger.go:212	elasticsearch url: https://127.0.0.1:46507
    logger.go:146: 2025-07-03T09:11:15.726-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	ES Ping(url=https://127.0.0.1:46507)
2025/07/03 09:11:15 http: TLS handshake error from 127.0.0.1:34092: tls: failed to sign handshake: EVP_PKEY_sign_init failed
openssl error(s):
error:1C800069:Provider routines::invalid key length
	providers/common/securitycheck.c:65
    logger.go:146: 2025-07-03T09:11:15.727-0700	ERROR	TestConnectionTLS.esclientleg	logp/logger.go:222	Error dialing remote error: tls: internal error{"network.transport": "tcp", "server.address": "127.0.0.1:46507"}
        github.com/elastic/elastic-agent-libs/logp.(*Logger).Errorf
        	/home/shaunak/go/pkg/mod/github.com/elastic/elastic-agent-libs@v0.20.0/logp/logger.go:222
        github.com/elastic/elastic-agent-libs/transport/httpcommon.(*HTTPTransportSettings).RoundTripper.LoggingDialer.func2
        	/home/shaunak/go/pkg/mod/github.com/elastic/elastic-agent-libs@v0.20.0/transport/logging.go:39
        github.com/elastic/elastic-agent-libs/transport.DialerFunc.DialContext
        	/home/shaunak/go/pkg/mod/github.com/elastic/elastic-agent-libs@v0.20.0/transport/transport.go:44
        net/http.(*Transport).customDialTLS
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1470
        net/http.(*Transport).dialConn
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1756
        net/http.(*Transport).dialConnFor
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1615
        net/http.(*Transport).startDialConnForLocked.func1
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1597
    logger.go:146: 2025-07-03T09:11:15.727-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	Ping request failed with: Get "https://127.0.0.1:46507": remote error: tls: internal error
--- PASS: TestConnectionTLS (0.00s)
PASS
ok  	github.com/elastic/beats/v7/lib

I believe this test fails in CI because we're running it on the same VM we use for all other tests, not on a FIPS-configured VM:

beats/.buildkite/libbeat/pipeline.libbeat.yml

Line 102 in 0b1170f

image: "${IMAGE_UBUNTU_X86_64}"

[belimawr]

Aside from the failing tests: LGTM.

I'll wait for CI to be green before a final approval.

@ycombinator, just to understand, what is your plan here? Update Beats to use FIPS-enabled VMs before merging this PR? If so, would this be part of this PR?

[ycombinator]

@ycombinator, just to understand, what is your plan here? Update Beats to use FIPS-enabled VMs before merging this PR? If so, would this be part of this PR?

@michel-laterman has put up #45199 to use FIPS-enabled VMS for the FIPS unit tests in Beats. Once that PR is merged, I'll rebase this PR here on main, and then the test introduced in this PR should start passing in CI. I updated this PR's description to reflect the dependency.

[michel-laterman]

@belimawr, @AndersonQ, could you please review?

[belimawr]

LGMT

The certificate will expire in 5 years, if you want you could generate them every test like we do in elastic-agent-libs: https://github.com/elastic/elastic-agent-libs/blob/main/transport/tlscommontest/test_helper.go so we'll never have to update the tests to renew certificates.