Enabling ssl enforces use of ssl_key_passphrase #25

Closed
@sysinit


logstash: 5.3.0-1
logstash-output-tcp: 4.0.0

I need to enable ssl to send logs to a remote host.
This failed all the time, until I recognized that ssl_key_passphrase seems to be set incorrectly.
My logstash node is in client mode, so using ssl_key and ssl_key_passphrase doesn't make sense at all.

Config looks like this:

tcp {
  host => "remotehost.tld"
  port => "443"
  ssl_enable => true
  ssl_verify => false
  ssl_cacert => "/etc/ssl/certs/cacert.crt"
  ssl_cert => "/etc/ssl/certs/remotehost.crt"
}

ssl_key and ssl_key_passphrase are not used!

Logs showed this:
... @output=<LogStash::Outputs::Tcp host=>\"remotehost.tld\", port=>443, ssl_enable=>true, ssl_verify=>false, ssl_cacert=>\"/etc/ssl/certs/cacert.crt\", ssl_cert=>\"/etc/ssl/certs/remotehost.crt\", id=>\"625aeed8c25b6ff18a6f726f93472a7669caa10d-4\", enable_metric=>true, codec=><LogStash::Codecs::JSON id=>\"json_5471d7b1-b49e-4dcf-92a0-37acf97ec3f2\", enable_metric=>true, charset=>\"UTF-8\">, workers=>1, reconnect_interval=>10, mode=>\"client\", ssl_key_passphrase=><password>>, ...

It's strange that ssl_key_passphrase=><password> is shown here.

So I edited
/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-tcp-4.0.0/lib/logstash/outputs/tcp.rb

I replaced
@ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
with

if @ssl_key
  @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key))
  if @ssl_key_passphrase
    @ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
  end
end

I'm not a developer, there might be a better solution, but it works this way.

This is probably related to #22.
I have to set ssl_cert and ssl_cacert to make it work, but because the remote site uses an official certificate I don't think this should be needed.
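
The report above turns on when a TLS client should load a private key at all. The following is an added example, not code from the issue or from logstash-output-tcp: it sketches a client context that reads a key only when a key file is configured and passes a passphrase only when one is set. The helper names `load_client_key` and `build_client_context`, the temp files and the passphrase are constructed for illustration.

```ruby
require 'openssl'
require 'tempfile'

# Hypothetical helper (not the plugin's code): return the client private key,
# or nil when no key file is configured.
def load_client_key(ssl_key, ssl_key_passphrase = nil)
  return nil if ssl_key.nil? || ssl_key.empty?

  pem = File.read(ssl_key)
  if ssl_key_passphrase.nil? || ssl_key_passphrase.empty?
    # Unencrypted key: no passphrase argument is passed.
    OpenSSL::PKey::RSA.new(pem)
  else
    # Encrypted key: a wrong passphrase raises an OpenSSL error here.
    OpenSSL::PKey::RSA.new(pem, ssl_key_passphrase)
  end
end

# Hypothetical helper: a client-mode context that carries a key only when one is set.
def build_client_context(ssl_key: nil, ssl_key_passphrase: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  key = load_client_key(ssl_key, ssl_key_passphrase)
  ctx.key = key unless key.nil?
  ctx
end

# Constructed sample input: a throwaway RSA key written to temp files,
# once in the clear and once encrypted with a constructed passphrase.
SAMPLE_PASSPHRASE = 'constructed-passphrase'
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)

def write_temp_pem(pem)
  file = Tempfile.new(['client', '.key'])
  file.write(pem)
  file.flush
  file
end

PLAIN_KEY_FILE = write_temp_pem(SAMPLE_KEY.to_pem)
ENCRYPTED_KEY_FILE = write_temp_pem(
  SAMPLE_KEY.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), SAMPLE_PASSPHRASE)
)
```
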
