fix: provide ssl engine with advisory peer and algorithm info

CHANGELOG.md

@@ -1,3 +1,6 @@
+## 6.3.2
+  - Fix: provide SSL engine with advisory peer and algorithm information [207](https://github.com/logstash-plugins/logstash-input-tcp/issues/207)
+
 ## 6.3.1
   - Fixes a regression in which the ssl_subject was missing for SSL-secured connections in server mode [#199](https://github.com/logstash-plugins/logstash-input-tcp/pull/199)
 

Rakefile

@@ -6,10 +6,11 @@ end
 
 task :vendor => :install_jars
 
+Rake::Task["test"].clear
 task :test do
   require 'rspec'
   require 'rspec/core/runner'
   Rake::Task[:install_jars].invoke
-  sh './gradlew test'
-  exit(RSpec::Core::Runner.run(Rake::FileList['spec/**/*_spec.rb']))
+  sh(%{./gradlew test}) { |ok,res| exit(res) unless ok }
+  exit(RSpec::Core::Runner.run(%w(--format documentation).concat(Rake::FileList['spec/**/*_spec.rb'])))
 end

spec/inputs/tcp_spec.rb

@@ -90,7 +90,7 @@ def get_port
         aggregate_failures("event #{i}") do
           expect(event.get("message")).to eq("#{i} ☹")
           expect(event.get(ecs_select[disabled: "host", v1: "[@metadata][input][tcp][source][name]"])).to eq("localhost").or eq("ip6-localhost")
-          expect(event.get(ecs_select[disabled: "[@metadata][ip_address]", v1: "[@metadata][input][tcp][source][ip]"])).to eq('127.0.0.1')
+          expect(event.get(ecs_select[disabled: "[@metadata][ip_address]", v1: "[@metadata][input][tcp][source][ip]"])).to eq('127.0.0.1').or eq("0:0:0:0:0:0:0:1")
         end
       end
     end

spec/spec_helper.rb

@@ -91,7 +91,7 @@ def build_certificate(root_ca, root_key, name, password=nil)
     key = ( root_key.nil? ? OpenSSL::PKey::RSA.new(2048) : root_key )
     options = { :serial => 2, :subject => "/DC=org/DC=ruby-lang/CN=Ruby#{name}", :key => key, :issuer => root_ca.subject}
     cert = new_certificate(options)
-    add_ca_extensions(cert, nil, root_ca)
+    add_ca_extensions(cert, nil, root_ca, %w(IP:127.0.0.1 IP:0:0:0:0:0:0:0:1))
     if password
       key_text = key.to_pem(OpenSSL::Cipher::AES256.new(:CFB), password)
       [ cert.sign(key, OpenSSL::Digest::SHA256.new), key, key_text ]
@@ -120,7 +120,7 @@ def new_certificate(options)
     cert
   end
 
-  def add_ca_extensions(certificate, subject=nil, issuer=nil)
+  def add_ca_extensions(certificate, subject=nil, issuer=nil, san_list=[])
     factory = OpenSSL::X509::ExtensionFactory.new
     factory.subject_certificate = (subject.nil? ? certificate : subject)
     factory.issuer_certificate  = (issuer.nil?  ? certificate : issuer)
@@ -129,6 +129,7 @@ def add_ca_extensions(certificate, subject=nil, issuer=nil)
     certificate.add_extension(factory.create_extension("keyUsage","keyCertSign, cRLSign, digitalSignature", true))
     certificate.add_extension(factory.create_extension("subjectKeyIdentifier","hash",false))
     certificate.add_extension(factory.create_extension("authorityKeyIdentifier","keyid:always",false))
+    certificate.add_extension(factory.create_extension('subjectAltName', san_list.join(','))) unless san_list.empty?
   end
 
 end

src/main/java/org/logstash/tcp/InputLoop.java

@@ -12,11 +12,14 @@
 import io.netty.channel.socket.SocketChannel;
 import io.netty.channel.socket.nio.NioServerSocketChannel;
 import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslHandler;
 import io.netty.util.concurrent.Future;
 import io.netty.util.concurrent.GenericFutureListener;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
 import java.io.Closeable;
 import java.io.IOException;
 import java.net.InetSocketAddress;
@@ -134,7 +137,7 @@ protected void initChannel(final SocketChannel channel) throws Exception {
 
             // if SSL is enabled, the SSL handler must be added to the pipeline first
             if (sslContext != null) {
-                channel.pipeline().addLast(SSL_HANDLER, sslContext.newHandler(channel.alloc()));
+                channel.pipeline().addLast(SSL_HANDLER, newSslHandler(channel));
             }
 
             channel.pipeline().addLast(new DecoderAdapter(localCopy, logger));
@@ -145,6 +148,22 @@ protected void initChannel(final SocketChannel channel) throws Exception {
             }
         }
 
+        private SslHandler newSslHandler(final SocketChannel socketChannel) {
+            final InetSocketAddress remoteAddress = socketChannel.remoteAddress();
+            final String peerHost = remoteAddress.getHostString();
+            final int peerPort = remoteAddress.getPort();
+            final SslHandler sslHandler = sslContext.newHandler(socketChannel.alloc(), peerHost, peerPort);
+
+            final SSLEngine engine = sslHandler.engine();
+            engine.setUseClientMode(false);
+
+            final SSLParameters sslParameters = engine.getSSLParameters();
+            sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+            engine.setSSLParameters(sslParameters);
+
+            return sslHandler;
+        }
+
         @Override
         public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
             logger.error("Error in Netty input handler: " + cause);

version

@@ -1 +1 @@
-6.3.1
+6.3.2