fix: provide ssl engine with advisory peer and algorithm info

logstash-plugins · Nov 11, 2022 · e211d1a · e211d1a
1 parent 10686a3
commit e211d1a
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 3.6.1
+ - Fix: provide SSL engine with advisory peer and algorithm information [#159](https://github.com/logstash-plugins/logstash-input-http/issues/159)
+
 ## 3.6.0
  - Feat: review and deprecate ssl protocol/cipher related settings [#151](https://github.com/logstash-plugins/logstash-input-http/pull/151)
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.6.0
+3.6.1
diff --git a/src/main/java/org/logstash/plugins/inputs/http/HttpInitializer.java b/src/main/java/org/logstash/plugins/inputs/http/HttpInitializer.java
@@ -10,6 +10,7 @@
 import io.netty.handler.ssl.SslHandler;
 import org.logstash.plugins.inputs.http.util.SslHandlerProvider;
 
+import java.net.InetSocketAddress;
 import java.util.concurrent.ThreadPoolExecutor;
 
 /**
@@ -34,7 +35,7 @@ protected void initChannel(SocketChannel socketChannel) throws Exception {
         ChannelPipeline pipeline = socketChannel.pipeline();
 
         if(sslHandlerProvider != null) {
-            SslHandler sslHandler = sslHandlerProvider.getSslHandler(socketChannel.alloc());
+            SslHandler sslHandler = sslHandlerProvider.getSslHandler(socketChannel);
             pipeline.addLast(sslHandler);
         }
         pipeline.addLast(new HttpServerCodec());

diff --git a/src/main/java/org/logstash/plugins/inputs/http/util/SslHandlerProvider.java b/src/main/java/org/logstash/plugins/inputs/http/util/SslHandlerProvider.java
@@ -1,12 +1,15 @@
 package org.logstash.plugins.inputs.http.util;
 
 import io.netty.buffer.ByteBufAllocator;
+import io.netty.channel.socket.SocketChannel;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslHandler;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import java.net.InetSocketAddress;
 import java.util.Arrays;
 
 public class SslHandlerProvider {
@@ -28,14 +31,20 @@ public SslHandlerProvider(SslContext sslContext) {
         this.sslContext = sslContext;
     }
 
-    public SslHandler getSslHandler(ByteBufAllocator bufferAllocator) {
+    public SslHandler getSslHandler(final SocketChannel socketChannel) {
+        final InetSocketAddress remoteAddress = socketChannel.remoteAddress();
+        final String peerHost = remoteAddress.getHostString();
+        final int peerPort = remoteAddress.getPort();
+        final SslHandler sslHandler = sslContext.newHandler(socketChannel.alloc(), peerHost, peerPort);
 
-        SslHandler sslHandler = sslContext.newHandler(bufferAllocator);
-
-        SSLEngine engine = sslHandler.engine();
+        final SSLEngine engine = sslHandler.engine();
         engine.setEnabledProtocols(protocols);
         engine.setUseClientMode(false);
 
+        final SSLParameters sslParameters = engine.getSSLParameters();
+        sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+        engine.setSSLParameters(sslParameters);
+
         if (verifyMode == SslClientVerifyMode.FORCE_PEER) {
             // Explicitly require a client certificate
             engine.setNeedClientAuth(true);