[8.19](backport #45158) [FIPS] Test that libbeat ES client will not connect to ES with invalid TLS certificate #45595

Merged: ycombinator merged 1 commit into 8.19 from mergify/bp/8.19/pr-45158 on Jul 28, 2025

Conversation

@mergify mergify Bot commented Jul 28, 2025

Proposed commit message

This PR adds a new test, TestConnectionTLS, that fakes an Elasticsearch HTTPS server that returns a TLS certificate that's been created with a key length of < 2048 bits, making it invalid for FIPS-compliant use.

If running in FIPS mode, the test asserts that the Beat's connection to Elasticsearch will fail with a TLS error.
If not running in FIPS mode, the test asserts that the Beat's connection to Elasticsearch will succeed.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

None; this PR just adds a new unit test.

How to test this PR locally

In a non-FIPS environment:

```console
$ go test ./libbeat/esleg/eslegclient/... -v -test.run TestConnectionTLS -test.count 1
=== RUN   TestConnectionTLS
    logger.go:146: 2025-07-02T17:38:22.328-0700	INFO	TestConnectionTLS.esclientleg	logp/logger.go:212	elasticsearch url: https://127.0.0.1:56871
    logger.go:146: 2025-07-02T17:38:22.329-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	ES Ping(url=https://127.0.0.1:56871)
    logger.go:146: 2025-07-02T17:38:22.330-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	Completed dialing successfully	{"network.transport": "tcp", "server.address": "127.0.0.1:56871"}
    logger.go:146: 2025-07-02T17:38:22.331-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	Ping status code: 200
    logger.go:146: 2025-07-02T17:38:22.331-0700	INFO	TestConnectionTLS.esclientleg	logp/logger.go:212	Attempting to connect to Elasticsearch version 9.2.0-SNAPSHOT (default)
--- PASS: TestConnectionTLS (0.00s)
PASS
ok  	github.com/elastic/beats/v7/libbeat/esleg/eslegclient	0.398s
```

In a FIPS environment, i.e. with the Microsoft Go fork installed and with the OpenSSL FIPS provider installed:

```console
$ GOEXPERIMENT=systemcrypto go test --tags=requirefips ./libbeat/esleg/eslegclient/... -v -test.run TestConnectionTLS -test.count 1
=== RUN   TestConnectionTLS
    logger.go:146: 2025-07-02T17:36:54.162-0700	INFO	TestConnectionTLS.esclientleg	logp/logger.go:212	elasticsearch url: https://127.0.0.1:39835
    logger.go:146: 2025-07-02T17:36:54.162-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	ES Ping(url=https://127.0.0.1:39835)
    logger.go:146: 2025-07-02T17:36:54.164-0700	ERROR	TestConnectionTLS.esclientleg	logp/logger.go:222	Error dialing remote error: tls: internal error{"network.transport": "tcp", "server.address": "127.0.0.1:39835"}
        github.com/elastic/elastic-agent-libs/logp.(*Logger).Errorf
        	/home/shaunak/go/pkg/mod/github.com/elastic/elastic-agent-libs@v0.20.0/logp/logger.go:222
        github.com/elastic/elastic-agent-libs/transport/httpcommon.(*HTTPTransportSettings).RoundTripper.LoggingDialer.func2
        	/home/shaunak/go/pkg/mod/github.com/elastic/elastic-agent-libs@v0.20.0/transport/logging.go:39
        github.com/elastic/elastic-agent-libs/transport.DialerFunc.DialContext
        	/home/shaunak/go/pkg/mod/github.com/elastic/elastic-agent-libs@v0.20.0/transport/transport.go:44
        net/http.(*Transport).customDialTLS
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1470
        net/http.(*Transport).dialConn
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1756
        net/http.(*Transport).dialConnFor
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1615
        net/http.(*Transport).startDialConnForLocked.func1
        	/home/shaunak/ms-go/go/src/net/http/transport.go:1597
    logger.go:146: 2025-07-02T17:36:54.164-0700	DEBUG	TestConnectionTLS.esclientleg	logp/logger.go:207	Ping request failed with: Get "https://127.0.0.1:39835": remote error: tls: internal error
--- PASS: TestConnectionTLS (0.00s)
PASS
ok  	github.com/elastic/beats/v7/libbeat/esleg/eslegclient	0.020s
```

This is an automatic backport of pull request #45158 done by [Mergify](https://mergify.com).
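The scenario the proposed commit message describes, reconstructed as an added example: this is not the libbeat test (TestConnectionTLS) or any Beats project code, only a stand-alone Go program that sets up the same situation. It generates a self-signed certificate for 127.0.0.1 over a 1024-bit RSA key (below the 2048-bit FIPS minimum, but still accepted by a standard Go toolchain), serves it from an httptest HTTPS server, and connects with a client that trusts only that certificate, the way a Beat trusts its configured CA. On a standard toolchain the probe returns HTTP 200; built with a FIPS toolchain such as the Microsoft Go fork with GOEXPERIMENT=systemcrypto, the handshake is expected to fail with a TLS error like the `remote error: tls: internal error` in the log above. The stub JSON body, the function names and the `IsTLSError` classification heuristic are assumptions made for this example, not behaviour of libbeat.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// WeakKeyBits is the RSA modulus size of the fake server's certificate:
// below the 2048-bit FIPS minimum, but still accepted by the standard Go
// toolchain (Go 1.24 only refuses keys under 1024 bits).
const WeakKeyBits = 1024

// newWeakServerCert builds a self-signed server certificate for 127.0.0.1
// whose RSA key has the requested (undersized) modulus.
func newWeakServerCert(bits int) (tls.Certificate, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "fake-elasticsearch"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest binds to loopback
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// StartFakeES starts an HTTPS server that answers like an Elasticsearch root
// endpoint but presents the weak-key certificate. The caller must Close it.
func StartFakeES(bits int) (*httptest.Server, *x509.Certificate, error) {
	cert, leaf, err := newWeakServerCert(bits)
	if err != nil {
		return nil, nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"version":{"number":"9.2.0"}}`) // constructed stub, not a real ES reply
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}} // StartTLS keeps a provided cert
	srv.StartTLS()
	return srv, leaf, nil
}

// Ping connects with a client that trusts only the given certificate (as a Beat
// trusts ssl.certificate_authorities) and returns the HTTP status code.
func Ping(url string, trusted *x509.Certificate) (int, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}},
	}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// RunProbe wires server and client together: 200 means the handshake went
// through; a non-nil error is the FIPS-mode outcome, to classify with IsTLSError.
func RunProbe(bits int) (int, error) {
	srv, leaf, err := StartFakeES(bits)
	if err != nil {
		return 0, err
	}
	defer srv.Close()
	return Ping(srv.URL, leaf)
}

// IsTLSError reports whether a failed probe died in the TLS layer rather than,
// say, a refused TCP connection. Typed checks first; the "tls:" prefix match is
// a heuristic that catches peer alerts such as "remote error: tls: internal error".
func IsTLSError(err error) bool {
	if err == nil {
		return false
	}
	var cve *tls.CertificateVerificationError
	var rhe tls.RecordHeaderError
	if errors.As(err, &cve) || errors.As(err, &rhe) {
		return true
	}
	return strings.Contains(err.Error(), "tls:")
}

func main() {
	status, err := RunProbe(WeakKeyBits)
	if err != nil {
		fmt.Printf("handshake rejected (expected under FIPS), tls-layer=%v: %v\n", IsTLSError(err), err)
		return
	}
	fmt.Printf("handshake accepted (expected without FIPS), status %d\n", status)
}
```

Running it with a standard `go run` prints the accepted branch; the same source built with a FIPS toolchain and `--tags=requirefips` is where the rejected branch should be asserted, which is the split the libbeat test makes. Note that a real assertion should check the error class, not just non-nil, so that a port-bind failure or timeout cannot masquerade as a FIPS rejection.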

…d TLS certificate (#45158)

Add a new test under libbeat, TestConnectionTLS, that fakes an Elasticsearch HTTPS server that returns a TLS certificate that's been created with a key length of < 2048 bits, making it invalid for FIPS-compliant use.

If running in FIPS mode, the test asserts that the Beat's connection to Elasticsearch will fail with a TLS error.
If not running in FIPS mode, the test asserts that the Beat's connection to Elasticsearch will succeed.

(cherry picked from commit 4db5493)
@mergify mergify Bot added the backport label Jul 28, 2025
@mergify mergify Bot requested a review from a team as a code owner July 28, 2025 15:53
@mergify mergify Bot requested review from faec and khushijain21 and removed request for a team July 28, 2025 15:53
@botelastic botelastic Bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 28, 2025
@github-actions github-actions Bot added :Testing Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team labels Jul 28, 2025
@botelastic botelastic Bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 28, 2025
@elasticmachine
Contributor

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@ycombinator ycombinator merged commit 98f8cdc into 8.19 Jul 28, 2025
201 checks passed
@ycombinator ycombinator deleted the mergify/bp/8.19/pr-45158 branch July 28, 2025 19:49
Labels

backport Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team :Testing
