Configure SSL
editConfigure SSL
editYou can specify SSL options when you configure:
- outputs that support SSL
- Heartbeat monitors that support SSL
Example output config with SSL enabled:
output.elasticsearch.hosts: ["https://192.168.1.42:9200"] output.elasticsearch.ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] output.elasticsearch.ssl.certificate: "/etc/pki/client/cert.pem" output.elasticsearch.ssl.key: "/etc/pki/client/cert.key"
Also see Secure communication with Logstash.
Example Kibana endpoint config with SSL enabled:
setup.kibana.host: "https://192.0.2.255:5601" setup.kibana.ssl.enabled: true setup.kibana.ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] setup.kibana.ssl.certificate: "/etc/pki/client/cert.pem" setup.kibana.ssl.key: "/etc/pki/client/cert.key"
Example monitor with SSL enabled:
heartbeat.monitors: - type: tcp schedule: '@every 5s' hosts: ["myhost"] ports: [80, 9200, 5044] ssl: certificate_authorities: ['/etc/ca.crt'] supported_protocols: ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
Configuration options
editYou can specify the following options in the ssl
section of the heartbeat.yml
config file:
enabled
editThe enabled
setting can be used to disable the ssl configuration by setting
it to false
. The default value is true
.
SSL settings are disabled if either enabled
is set to false
or the
ssl
section is missing.
certificate_authorities
editThe list of root certificates for server verifications. If certificate_authorities
is empty or not set, the trusted certificate authorities of the host system are used.
By default you can specify a list of file that +heartbeat will read, but you can also embed a certificate directly in the YAML
configuration:
certificate_authorities: - | -----BEGIN CERTIFICATE----- MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk sxSmbIUfc2SGJGCJD4I= -----END CERTIFICATE-----
certificate: "/etc/pki/client/cert.pem"
editThe path to the certificate for SSL client authentication. If the certificate is not specified, client authentication is not available. The connection might fail if the server requests client authentication. If the SSL server does not require client authentication, the certificate will be loaded, but not requested or used by the server.
When this option is configured, the key
option is also required.
The certificate option support embedding of the certificate:
certificate: | -----BEGIN CERTIFICATE----- MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk sxSmbIUfc2SGJGCJD4I= -----END CERTIFICATE-----
key: "/etc/pki/client/cert.key"
editThe client certificate key used for client authentication. This option is required if certificate
is specified.
The key option support embedding of the private key:
key: | -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA 5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K 0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc nygO9KTJuUiBrLr0AHEnqko= -----END PRIVATE KEY-----
key_passphrase
editThe passphrase used to decrypt an encrypted key stored in the configured key
file.
supported_protocols
editList of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions
not configured, the connection will be dropped during or after the handshake. The
setting is a list of allowed protocol versions:
SSLv3
, TLSv1
for TLS version 1.0, TLSv1.0
, TLSv1.1
, TLSv1.2
, and
TLSv1.3
.
The default value is [TLSv1.1, TLSv1.2, TLSv1.3]
.
verification_mode
editControls the verification of certificates. Valid values are:
-
full
, which verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate. -
certificate
, which verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification. -
none
, which performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after very careful consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged.
The default value is full
.
cipher_suites
editThe list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended). Note that TLS 1.3 cipher suites are not individually configurable in Go, so they are not included in this list.
The following cipher suites are available:
Cypher | Notes |
---|---|
ECDHE-ECDSA-AES-128-CBC-SHA |
|
ECDHE-ECDSA-AES-128-CBC-SHA256 |
TLS 1.2 only. Disabled by default. |
ECDHE-ECDSA-AES-128-GCM-SHA256 |
TLS 1.2 only. |
ECDHE-ECDSA-AES-256-CBC-SHA |
|
ECDHE-ECDSA-AES-256-GCM-SHA384 |
TLS 1.2 only. |
ECDHE-ECDSA-CHACHA20-POLY1305 |
TLS 1.2 only. |
ECDHE-ECDSA-RC4-128-SHA |
Disabled by default. RC4 not recommended. |
ECDHE-RSA-3DES-CBC3-SHA |
|
ECDHE-RSA-AES-128-CBC-SHA |
|
ECDHE-RSA-AES-128-CBC-SHA256 |
TLS 1.2 only. Disabled by default. |
ECDHE-RSA-AES-128-GCM-SHA256 |
TLS 1.2 only. |
ECDHE-RSA-AES-256-CBC-SHA |
|
ECDHE-RSA-AES-256-GCM-SHA384 |
TLS 1.2 only. |
ECDHE-RSA-CHACHA20-POLY1205 |
TLS 1.2 only. |
ECDHE-RSA-RC4-128-SHA |
Disabled by default. RC4 not recommended. |
RSA-3DES-CBC3-SHA |
|
RSA-AES-128-CBC-SHA |
|
RSA-AES-128-CBC-SHA256 |
TLS 1.2 only. Disabled by default. |
RSA-AES-128-GCM-SHA256 |
TLS 1.2 only. |
RSA-AES-256-CBC-SHA |
|
RSA-AES-256-GCM-SHA384 |
TLS 1.2 only. |
RSA-RC4-128-SHA |
Disabled by default. RC4 not recommended. |
Here is a list of acronyms used in defining the cipher suites:
- 3DES: Cipher suites using triple DES
- AES-128/256: Cipher suites using AES with 128/256-bit keys.
- CBC: Cipher using Cipher Block Chaining as block cipher mode.
- ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
- ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
- GCM: Galois/Counter mode is used for symmetric key cryptography.
- RC4: Cipher suites using RC4.
- RSA: Cipher suites using RSA.
- SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.
curve_types
editThe list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
The following elliptic curve types are available:
- P-256
- P-384
- P-521
- X25519
renegotiation
editThis configures what types of TLS renegotiation are supported. The valid options
are never
, once
, and freely
. The default value is never.
-
never
- Disables renegotiation. -
once
- Allows a remote server to request renegotiation once per connection. -
freely
- Allows a remote server to repeatedly request renegotiation.
ca_sha256
editThis configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.
The pin is a base64 encoded string of the SHA-256 of the certificate.
This check is not a replacement for the normal SSL validation, but it adds additional validation.
If this option is used with verification_mode
set to none
, the check will always fail because
it will not receive any verified chains.