Merge branch 'v3.0.5-nordix' into structured-data

Author: tsaarni

CHANGELOG.md

@@ -1,6 +1,13 @@
-## Unreleased
+## 3.0.5-nordix-3
   - Added support for RFC5424 structured data.
 
+## 3.0.5-nordix-2
+  - The SNI (Server Name Indication) extension is now used when connecting to syslog server with TLS and `host` is set to FQDN (Fully Qualified Domain Name).
+
+## 3.0.5-nordix-1
+  - Add support for CRL to check for the server certificate is revocation status.
+  - Support loading of PKCS8 EC private keys.
+
 ## 3.0.5
   - Docs: Set the default_codec doc attribute.
 

docs/index.asciidoc

@@ -58,6 +58,8 @@ This plugin supports the following configuration options plus the <<plugins-{typ
 | <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
 | <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
 | <<plugins-{type}s-{plugin}-ssl_verify>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl_crl>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-ssl_crl_check_all>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-use_labels>> |<<boolean,boolean>>|No
 | <<plugins-{type}s-{plugin}-structured_data>> |<<string,string>>|No
 |=======================================================================
@@ -226,6 +228,24 @@ SSL key passphrase
 
 Verify the identity of the other end of the SSL connection against the CA.
 
+[id="plugins-{type}s-{plugin}-ssl_crl"]
+===== `ssl_crl`
+
+  * Value type is <<path,path>>
+  * There is no default value for this setting.
+
+SSL CRL path for checking the revocation status of the server certificate.
+File may contain one or more PEM encoded CRLs.
+
+[id="plugins-{type}s-{plugin}-ssl_crl_check_all"]
+===== `ssl_crl_check_all`
+
+  * Value type is <<boolean,boolean>>
+  * Default value is `false`
+
+If this option is set to false, only the certificate at the end of the certificate chain will be subject to validation by CRL.
+If set to true the complete chain is validated. CRLs must be available from all CAs.
+
 [id="plugins-{type}s-{plugin}-use_labels"]
 ===== `use_labels` 
 

lib/logstash/outputs/syslog.rb

@@ -81,6 +81,12 @@ class LogStash::Outputs::Syslog < LogStash::Outputs::Base
   # SSL key passphrase
   config :ssl_key_passphrase, :validate => :password, :default => nil
 
+  # CRL file or bundle of CRLs
+  config :ssl_crl, :validate => :path
+
+  # Check CRL for only leaf certificate (false) or require CRL check for the complete chain (true)
+  config :ssl_crl_check_all, :validate => :boolean, :default => false
+
   # use label parsing for severity and facility levels
   # use priority field if set to false
   config :use_labels, :validate => :boolean, :default => true
@@ -135,7 +141,7 @@ def register
       @ssl_context = setup_ssl
     end
 
-    if @codec.instance_of? LogStash::Codecs::Plain
+    if @codec.class.to_s == "LogStash::Codecs::Plain"
       if @codec.config["format"].nil?
         @codec = LogStash::Codecs::Plain.new({"format" => @message})
       end
@@ -218,6 +224,8 @@ def connect
       socket = TCPSocket.new(@host, @port)
       if ssl?
         socket = OpenSSL::SSL::SSLSocket.new(socket, @ssl_context)
+        # Use SNI extension
+        socket.hostname = @host
         begin
           socket.connect
         rescue OpenSSL::SSL::SSLError => ssle
@@ -232,11 +240,13 @@ def connect
     socket
   end
 
+  CRL_END_TAG = "\n-----END X509 CRL-----\n"
+
   def setup_ssl
     require "openssl"
     ssl_context = OpenSSL::SSL::SSLContext.new
     ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
-    ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
+    ssl_context.key = OpenSSL::PKey::read(File.read(@ssl_key),@ssl_key_passphrase)
     if @ssl_verify
       cert_store = OpenSSL::X509::Store.new
       # Load the system default certificate path to the store
@@ -246,6 +256,14 @@ def setup_ssl
       else
         cert_store.add_file(@ssl_cacert)
       end
+      if @ssl_crl
+        # copy the behavior of X509_load_crl_file() which supports loading bundles of CRLs.
+        File.read(@ssl_crl).split(CRL_END_TAG).each do |crl|
+          crl << CRL_END_TAG
+          cert_store.add_crl(OpenSSL::X509::CRL.new(crl))
+        end
+        cert_store.flags = @ssl_crl_check_all ? OpenSSL::X509::V_FLAG_CRL_CHECK|OpenSSL::X509::V_FLAG_CRL_CHECK_ALL : OpenSSL::X509::V_FLAG_CRL_CHECK
+      end
       ssl_context.cert_store = cert_store
       ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
     end