From 8c81193ad5d47da323307eb726b9f584d1c1b5df Mon Sep 17 00:00:00 2001 From: Ry Biesemeyer Date: Thu, 10 Nov 2022 18:09:41 +0000 Subject: [PATCH] fix: provide ssl engine with advisory peer and algorithm info --- CHANGELOG.md | 3 +++ VERSION | 2 +- build.gradle | 2 +- .../plugins/inputs/http/HttpInitializer.java | 3 ++- .../inputs/http/util/SslHandlerProvider.java | 17 +++++++++++++---- 5 files changed, 20 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6084648..26ff073 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +## 3.6.1 + - Fix: provide SSL engine with advisory peer and algorithm information [#159](https://github.com/logstash-plugins/logstash-input-http/issues/159) + ## 3.6.0 - Feat: review and deprecate ssl protocol/cipher related settings [#151](https://github.com/logstash-plugins/logstash-input-http/pull/151) diff --git a/VERSION b/VERSION index 40c341b..9575d51 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.6.0 +3.6.1 diff --git a/build.gradle b/build.gradle index 314ca74..7f78410 100644 --- a/build.gradle +++ b/build.gradle @@ -24,7 +24,7 @@ dependencies { testImplementation 'org.hamcrest:hamcrest-library:1.3' testImplementation "org.apache.logging.log4j:log4j-core:${log4jVersion}" - implementation 'io.netty:netty-all:4.1.65.Final' + implementation 'io.netty:netty-all:4.1.85.Final' compileOnly "org.apache.logging.log4j:log4j-api:${log4jVersion}" // provided by Logstash } diff --git a/src/main/java/org/logstash/plugins/inputs/http/HttpInitializer.java b/src/main/java/org/logstash/plugins/inputs/http/HttpInitializer.java index 27f2150..4062e6e 100644 --- a/src/main/java/org/logstash/plugins/inputs/http/HttpInitializer.java +++ b/src/main/java/org/logstash/plugins/inputs/http/HttpInitializer.java @@ -10,6 +10,7 @@ import io.netty.handler.ssl.SslHandler; import org.logstash.plugins.inputs.http.util.SslHandlerProvider; +import java.net.InetSocketAddress; import java.util.concurrent.ThreadPoolExecutor; /** 
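Review bot: The `import java.net.InetSocketAddress;` added here is not referenced by anything else this commit changes in HttpInitializer — the remote-address lookup lives in SslHandlerProvider, and the only other change in this file (the `getSslHandler(socketChannel)` call in the next hunk) just passes the channel through. Because the import is new in this commit and no pre-existing line of the file starts using the type, it is almost certainly unused; drop `import java.net.InetSocketAddress;` from this file unless a part of HttpInitializer outside the diff relies on it.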
@@ -34,7 +35,7 @@ protected void initChannel(SocketChannel socketChannel) throws Exception { ChannelPipeline pipeline = socketChannel.pipeline(); if(sslHandlerProvider != null) { - SslHandler sslHandler = sslHandlerProvider.getSslHandler(socketChannel.alloc()); + SslHandler sslHandler = sslHandlerProvider.getSslHandler(socketChannel); pipeline.addLast(sslHandler); } pipeline.addLast(new HttpServerCodec()); diff --git a/src/main/java/org/logstash/plugins/inputs/http/util/SslHandlerProvider.java b/src/main/java/org/logstash/plugins/inputs/http/util/SslHandlerProvider.java index 489ba4d..38e7029 100644 --- a/src/main/java/org/logstash/plugins/inputs/http/util/SslHandlerProvider.java +++ b/src/main/java/org/logstash/plugins/inputs/http/util/SslHandlerProvider.java @@ -1,12 +1,15 @@ package org.logstash.plugins.inputs.http.util; import io.netty.buffer.ByteBufAllocator; +import io.netty.channel.socket.SocketChannel; import io.netty.handler.ssl.SslContext; import io.netty.handler.ssl.SslHandler; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import javax.net.ssl.SSLEngine; +import javax.net.ssl.SSLParameters; +import java.net.InetSocketAddress; import java.util.Arrays; public class SslHandlerProvider { 
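Review bot: `import io.netty.buffer.ByteBufAllocator;` survives this import block although the only visible use of the type, the `ByteBufAllocator bufferAllocator` parameter of `getSslHandler`, is removed in the following hunk in favour of `socketChannel.alloc()`. Unless another member of the class still names `ByteBufAllocator`, the import is now dead and should be removed alongside the signature change. The body of `SslHandlerProvider` continues past the end of this hunk, so I cannot confirm that from here.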
@@ -28,14 +31,20 @@ public SslHandlerProvider(SslContext sslContext) { this.sslContext = sslContext; } - public SslHandler getSslHandler(ByteBufAllocator bufferAllocator) { + public SslHandler getSslHandler(final SocketChannel socketChannel) { + final InetSocketAddress remoteAddress = socketChannel.remoteAddress(); + final String peerHost = remoteAddress.getHostString(); + final int peerPort = remoteAddress.getPort(); + final SslHandler sslHandler = sslContext.newHandler(socketChannel.alloc(), peerHost, peerPort); - SslHandler sslHandler = sslContext.newHandler(bufferAllocator); - - SSLEngine engine = sslHandler.engine(); + final SSLEngine engine = sslHandler.engine(); engine.setEnabledProtocols(protocols); engine.setUseClientMode(false); + final SSLParameters sslParameters = engine.getSSLParameters(); + sslParameters.setEndpointIdentificationAlgorithm("HTTPS"); + engine.setSSLParameters(sslParameters); + if (verifyMode == SslClientVerifyMode.FORCE_PEER) { // Explicitly require a client certificate engine.setNeedClientAuth(true);
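Review bot: `sslParameters.setEndpointIdentificationAlgorithm("HTTPS")` is applied to an engine that `engine.setUseClientMode(false)` puts in server mode, and as I understand the stock JSSE trust manager that setting is also honoured when the engine validates a *client* certificate: the client's end-entity certificate is matched against the peer host handed to `newHandler` a few lines above, which here is the connecting address from `remoteAddress.getHostString()` (an IP literal, since no reverse lookup is performed). If that holds for the JDK in use, deployments that validate client certificates — `SslClientVerifyMode.FORCE_PEER` at the bottom of the hunk, and presumably the optional-peer mode as well — will fail the handshake unless the client certificate carries an IP SAN for its own source address, which client certificates rarely do. Please confirm with an mTLS handshake test before release, and if it reproduces, apply the endpoint identification algorithm only when no client certificate will be validated, or leave it unset for the server-side engine. Separately, `socketChannel.remoteAddress()` can return null for a channel that is no longer connected, which would surface as an NPE from `initChannel` rather than a clean TLS failure; a null check that falls back to `sslContext.newHandler(socketChannel.alloc())` would preserve the previous behaviour for that edge. `getSslHandler` continues past the end of this hunk.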