logstash logshipper TLS denial of service #7650

Closed
jmschmaus opened this issue Jul 11, 2017 · 3 comments

jmschmaus commented Jul 11, 2017

Logstash 5.3 uses jruby-openssl 0.9.16 for SSL/TLS. jruby-openssl's SSLSocket.java does the SSL handshake. SSLSocket will not return until the SSL handshake is complete. Logstash will not do another accept on the TLS socket until the SSL handshake is complete. If a non-TLS client connects to Logstash's TLS port, the port is hung and unusable for any other clients.

For all general issues, please provide the following details for fast resolution:

  • Version: 5.3.0
  • Operating System: CentOS 6
  • Config File (if you have sensitive info, please remove it): Please see below for TLS configuration
  • Sample Data:
  • Steps to Reproduce:
  1. Configure ssl for logshipper tcp input:

    input {
      ...
      tcp {
        host => "0.0.0.0"
        type => "tcp_json_event"
        port => "10059"
        ssl_enable => true # This needs to be true for the other ssl parameters to be considered
        ssl_verify => false # Don't validate the cert against the CA. Useful for self signed certs
        ssl_cert => "ssl cert" # SSL Cert
        ssl_key => "ssl key"
        ssl_extra_chain_certs => "trusted cert" # CA certs
        codec => json_lines{
          charset => "ISO-8859-1"
        }
        ..

  1. Verify TLS operation via openssl s_client -connect localhost:10059

  2. Open non-TLS connection to port 10059, configured for TLS:
    nc localhost 10059

  3. Verify SSL handshake no longer operational (step (2)).
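
The hang reported above comes from completing the TLS handshake inside the accept loop. The following is an added example, not code from Logstash, the tcp input plugin or jruby-openssl: a Ruby listener that only accepts TCP in the loop and runs each handshake in its own thread under a deadline. The helper names, the 2-second default and the inline self-signed certificate are assumptions made for the illustration.

```ruby
require "socket"
require "openssl"

# Constructed throwaway self-signed certificate so the example runs offline.
def demo_ssl_context
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  ctx
end

# Server-side handshake with a deadline: true once TLS is up, false on timeout or non-TLS input.
def handshake_with_deadline(ssl, seconds)
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + seconds
  loop do
    remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
    return false if remaining <= 0
    case ssl.accept_nonblock(exception: false)
    when :wait_readable then IO.select([ssl.to_io], nil, nil, remaining)
    when :wait_writable then IO.select(nil, [ssl.to_io], nil, remaining)
    else return true
    end
  end
rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
  false
end

# The loop only accepts TCP; a silent or plaintext peer cannot delay the next accept.
def start_tls_listener(ctx, handshake_timeout: 2)
  tcp = TCPServer.new("127.0.0.1", 0) # port 0: the OS picks a free port
  Thread.new do
    loop do
      Thread.new(tcp.accept) do |raw|
        ssl = OpenSSL::SSL::SSLSocket.new(raw, ctx)
        ssl.sync_close = true # closing ssl also closes the TCP socket
        ssl.puts("ok") if handshake_with_deadline(ssl, handshake_timeout)
      ensure
        ssl&.close rescue nil
      end
    end
  end
  tcp.addr[1] # bound port
end
```

A production listener would also cap the number of handshakes pending at once, since each idle peer holds a thread until its deadline expires.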

@jakelandis
Contributor

@jmschmaus - Thanks for the issue report and steps to reproduce.

I agree this is an issue that should be addressed, and would fall under the TCP input plugin. Would you mind moving the issue over to https://github.com/logstash-plugins/logstash-input-tcp/issues ?

@jmschmaus
Author

jmschmaus commented Jul 12, 2017 via email

@jakelandis
Contributor

@jmschmaus - Perfect thanks!

Closing in favor of logstash-plugins/logstash-input-tcp#77
