
Commit dfb92db

Update Golang to 1.15.7 (#22495)
This PR updates the Go version in the repository to 1.15.7. Numerous improvements are coming with the new version of Golang. The most noteworthy is that binary sizes are reduced by 5-8%. You can check out the [release notes of Golang 1.15](https://golang.org/doc/go1.15) for more information.

Another change is that the deprecated, legacy behaviour of treating the CommonName field on X.509 certificates as a hostname when no Subject Alternative Names are present is now disabled by default. We do not expect users to update their certificates immediately. Thus, the default behaviour is kept for all existing verification modes. Furthermore, a new verification mode is added named `strict`. If this mode is selected, Beats expects to have a SAN in the certificate.

| `verification_mode` | behaviour |
| ------- | ----- |
| `""` | CommonName is checked if no DNSName is available, then full check (previous behaviour) |
| `"strict"` | full check with new strict SAN requirements |
| `"full"` | CommonName is checked if no DNSName is available, then full check (previous behaviour, default value) |
| `"certificate"` | certificate check without hostname (previous behaviour) |
| `"none"` | no check (previous behaviour) |

The legacy behaviour is going to be removed in the next major version 8.0. We expect users to update their certificates so they do not depend on CommonName.

(cherry picked from commit e4ef5cc)
1 parent a5e8868 commit dfb92db

68 files changed

Lines changed: 1333 additions & 423 deletions
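The hostname step of the `full` and `strict` modes from the commit message, as an added worked example that is not Beats' own `tlscommon` code: `verifyName` is a hypothetical reimplementation, and both certificates are constructed in-process. It shows that since Go 1.15 `VerifyHostname` no longer consults the CommonName, so the `full` fallback has to be done explicitly, while `strict` rejects a SAN-less certificate before any name matching.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a constructed self-signed test certificate with Subject CN
// cn and SAN DNSNames san (nil gives a CN-only certificate).
func selfSigned(cn string, san []string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     san,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// verifyName is a hypothetical reimplementation of the hostname step in the commit
// message's table: strict=false is "full" (CN fallback when no SAN), strict=true refuses certs without a SAN.
func verifyName(cert *x509.Certificate, host string, strict bool) error {
	hasSAN := len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0
	if strict && !hasSAN {
		return errors.New("strict: certificate has no Subject Alternative Name")
	}
	// Since Go 1.15, VerifyHostname matches SANs only and never consults the CN.
	if err := cert.VerifyHostname(host); err == nil || hasSAN {
		return err
	}
	if cert.Subject.CommonName == host { // legacy CommonName fallback
		return nil
	}
	return fmt.Errorf("no SAN and CommonName %q != %q", cert.Subject.CommonName, host)
}

func main() {
	cnOnly := selfSigned("logs.example.internal", nil) // constructed CN-only cert
	fmt.Println("full:", verifyName(cnOnly, "logs.example.internal", false), "strict:", verifyName(cnOnly, "logs.example.internal", true))
}
```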


.go-version

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -1 +1 @@
1-
1.14.12
1+
1.15.7

CHANGELOG-developer.next.asciidoc

Lines changed: 1 addition & 0 deletions
@@ -98,3 +98,4 @@ The list below covers the major changes between 7.0.0-rc2 and master only.
9898
- Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827]
9999
- Add support for customized monitoring API. {pull}22605[22605]
100100

101+
- Update Go version to 1.15.7. {pull}22495[22495]

CHANGELOG.next.asciidoc

Lines changed: 5 additions & 0 deletions
@@ -687,6 +687,11 @@ port. {pull}19209[19209]
687687

688688
*Affecting all Beats*
689689

690+
- Selecting `full` in `ssl.verification_mode` option will not treat CommonName field in x509 certificates as
691+
a hostname when Subject Alternative Name is not present from v8.0.
692+
Please update your certificates so it contains at least one DNSName instead of relying on CommonName in the new
693+
major version of Beats.
694+
690695
*Filebeat*
691696

692697
- The experimental modules for Citrix Netscaler and Symantec Endpoint Protection have been removed.
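Review bot: the user-facing changelog entry announces only the 8.0 removal and omits the new `strict` verification mode this commit adds, which the commit message presents as the migration path; add a second bullet under *Affecting all Beats*, for example `- Add `strict` to `ssl.verification_mode`, which rejects certificates that carry no Subject Alternative Name. {pull}22495[22495]`. In the existing text, "so it contains at least one DNSName" should read "so they contain at least one DNSName", and "when Subject Alternative Name is not present from v8.0" reads as if SAN presence depends on the version; "From v8.0 on, selecting `full` ... will not treat ..." is clearer.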

auditbeat/Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
FROM golang:1.14.12
1+
FROM golang:1.15.7
22

33
RUN \
44
apt-get update \

auditbeat/auditbeat.reference.yml

Lines changed: 36 additions & 0 deletions
@@ -530,6 +530,12 @@ output.elasticsearch:
530530
# matches the names identified within the certificate.
531531
# * certificate, which verifies that the provided certificate is signed by a
532532
# trusted authority (CA), but does not perform any hostname verification.
533+
# * strict, which verifies that the provided certificate is signed by a trusted
534+
# authority (CA) and also verifies that the server's hostname (or IP address)
535+
# matches the names identified within the certificate. If the Subject Alternative
536+
# Name is empty, it returns an error.
537+
# * certificate, which verifies that the provided certificate is signed by a
538+
# trusted authority (CA), but does not perform any hostname verification.
533539
# * none, which performs no verification of the server's certificate. This
534540
# mode disables many of the security benefits of SSL/TLS and should only be used
535541
# after very careful consideration. It is primarily intended as a temporary
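Review bot: this hunk duplicates the `* certificate` bullet: original lines 531-532 already describe it, and the added lines 537-538 repeat the same two lines verbatim, so the rendered reference config lists `certificate` twice. Keep only the added `* strict` bullet and drop the two added `* certificate` lines. The same duplication appears in each of the six hunks of this file and in filebeat/filebeat.reference.yml; if these reference files are generated from a shared template, as the identical hunks suggest, fix the template and regenerate instead of patching each copy. It would also help to say in the `full` bullet that it still falls back to CommonName when no SAN is present and that this fallback is removed in 8.0, since that is the only documented difference from `strict`.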
@@ -657,6 +663,12 @@ output.elasticsearch:
657663
# matches the names identified within the certificate.
658664
# * certificate, which verifies that the provided certificate is signed by a
659665
# trusted authority (CA), but does not perform any hostname verification.
666+
# * strict, which verifies that the provided certificate is signed by a trusted
667+
# authority (CA) and also verifies that the server's hostname (or IP address)
668+
# matches the names identified within the certificate. If the Subject Alternative
669+
# Name is empty, it returns an error.
670+
# * certificate, which verifies that the provided certificate is signed by a
671+
# trusted authority (CA), but does not perform any hostname verification.
660672
# * none, which performs no verification of the server's certificate. This
661673
# mode disables many of the security benefits of SSL/TLS and should only be used
662674
# after very careful consideration. It is primarily intended as a temporary
@@ -854,6 +866,12 @@ output.elasticsearch:
854866
# matches the names identified within the certificate.
855867
# * certificate, which verifies that the provided certificate is signed by a
856868
# trusted authority (CA), but does not perform any hostname verification.
869+
# * strict, which verifies that the provided certificate is signed by a trusted
870+
# authority (CA) and also verifies that the server's hostname (or IP address)
871+
# matches the names identified within the certificate. If the Subject Alternative
872+
# Name is empty, it returns an error.
873+
# * certificate, which verifies that the provided certificate is signed by a
874+
# trusted authority (CA), but does not perform any hostname verification.
857875
# * none, which performs no verification of the server's certificate. This
858876
# mode disables many of the security benefits of SSL/TLS and should only be used
859877
# after very careful consideration. It is primarily intended as a temporary
@@ -1010,6 +1028,12 @@ output.elasticsearch:
10101028
# matches the names identified within the certificate.
10111029
# * certificate, which verifies that the provided certificate is signed by a
10121030
# trusted authority (CA), but does not perform any hostname verification.
1031+
# * strict, which verifies that the provided certificate is signed by a trusted
1032+
# authority (CA) and also verifies that the server's hostname (or IP address)
1033+
# matches the names identified within the certificate. If the Subject Alternative
1034+
# Name is empty, it returns an error.
1035+
# * certificate, which verifies that the provided certificate is signed by a
1036+
# trusted authority (CA), but does not perform any hostname verification.
10131037
# * none, which performs no verification of the server's certificate. This
10141038
# mode disables many of the security benefits of SSL/TLS and should only be used
10151039
# after very careful consideration. It is primarily intended as a temporary
@@ -1302,6 +1326,12 @@ setup.kibana:
13021326
# matches the names identified within the certificate.
13031327
# * certificate, which verifies that the provided certificate is signed by a
13041328
# trusted authority (CA), but does not perform any hostname verification.
1329+
# * strict, which verifies that the provided certificate is signed by a trusted
1330+
# authority (CA) and also verifies that the server's hostname (or IP address)
1331+
# matches the names identified within the certificate. If the Subject Alternative
1332+
# Name is empty, it returns an error.
1333+
# * certificate, which verifies that the provided certificate is signed by a
1334+
# trusted authority (CA), but does not perform any hostname verification.
13051335
# * none, which performs no verification of the server's certificate. This
13061336
# mode disables many of the security benefits of SSL/TLS and should only be used
13071337
# after very careful consideration. It is primarily intended as a temporary
@@ -1499,6 +1529,12 @@ logging.files:
14991529
# matches the names identified within the certificate.
15001530
# * certificate, which verifies that the provided certificate is signed by a
15011531
# trusted authority (CA), but does not perform any hostname verification.
1532+
# * strict, which verifies that the provided certificate is signed by a trusted
1533+
# authority (CA) and also verifies that the server's hostname (or IP address)
1534+
# matches the names identified within the certificate. If the Subject Alternative
1535+
# Name is empty, it returns an error.
1536+
# * certificate, which verifies that the provided certificate is signed by a
1537+
# trusted authority (CA), but does not perform any hostname verification.
15021538
# * none, which performs no verification of the server's certificate. This
15031539
# mode disables many of the security benefits of SSL/TLS and should only be used
15041540
# after very careful consideration. It is primarily intended as a temporary

filebeat/Dockerfile

Lines changed: 1 addition & 1 deletion
@@ -1,4 +1,4 @@
1-
FROM golang:1.14.12
1+
FROM golang:1.15.7
22

33
RUN \
44
apt-get update \

filebeat/filebeat.reference.yml

Lines changed: 36 additions & 0 deletions
@@ -1409,6 +1409,12 @@ output.elasticsearch:
14091409
# matches the names identified within the certificate.
14101410
# * certificate, which verifies that the provided certificate is signed by a
14111411
# trusted authority (CA), but does not perform any hostname verification.
1412+
# * strict, which verifies that the provided certificate is signed by a trusted
1413+
# authority (CA) and also verifies that the server's hostname (or IP address)
1414+
# matches the names identified within the certificate. If the Subject Alternative
1415+
# Name is empty, it returns an error.
1416+
# * certificate, which verifies that the provided certificate is signed by a
1417+
# trusted authority (CA), but does not perform any hostname verification.
14121418
# * none, which performs no verification of the server's certificate. This
14131419
# mode disables many of the security benefits of SSL/TLS and should only be used
14141420
# after very careful consideration. It is primarily intended as a temporary
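Review bot: same duplicated `* certificate` bullet as in auditbeat/auditbeat.reference.yml (added lines 1416-1417 repeat existing lines 1410-1411); remove the duplicate here and in the remaining five hunks of this file, preferably at the template these files are produced from.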
@@ -1536,6 +1542,12 @@ output.elasticsearch:
15361542
# matches the names identified within the certificate.
15371543
# * certificate, which verifies that the provided certificate is signed by a
15381544
# trusted authority (CA), but does not perform any hostname verification.
1545+
# * strict, which verifies that the provided certificate is signed by a trusted
1546+
# authority (CA) and also verifies that the server's hostname (or IP address)
1547+
# matches the names identified within the certificate. If the Subject Alternative
1548+
# Name is empty, it returns an error.
1549+
# * certificate, which verifies that the provided certificate is signed by a
1550+
# trusted authority (CA), but does not perform any hostname verification.
15391551
# * none, which performs no verification of the server's certificate. This
15401552
# mode disables many of the security benefits of SSL/TLS and should only be used
15411553
# after very careful consideration. It is primarily intended as a temporary
@@ -1733,6 +1745,12 @@ output.elasticsearch:
17331745
# matches the names identified within the certificate.
17341746
# * certificate, which verifies that the provided certificate is signed by a
17351747
# trusted authority (CA), but does not perform any hostname verification.
1748+
# * strict, which verifies that the provided certificate is signed by a trusted
1749+
# authority (CA) and also verifies that the server's hostname (or IP address)
1750+
# matches the names identified within the certificate. If the Subject Alternative
1751+
# Name is empty, it returns an error.
1752+
# * certificate, which verifies that the provided certificate is signed by a
1753+
# trusted authority (CA), but does not perform any hostname verification.
17361754
# * none, which performs no verification of the server's certificate. This
17371755
# mode disables many of the security benefits of SSL/TLS and should only be used
17381756
# after very careful consideration. It is primarily intended as a temporary
@@ -1889,6 +1907,12 @@ output.elasticsearch:
18891907
# matches the names identified within the certificate.
18901908
# * certificate, which verifies that the provided certificate is signed by a
18911909
# trusted authority (CA), but does not perform any hostname verification.
1910+
# * strict, which verifies that the provided certificate is signed by a trusted
1911+
# authority (CA) and also verifies that the server's hostname (or IP address)
1912+
# matches the names identified within the certificate. If the Subject Alternative
1913+
# Name is empty, it returns an error.
1914+
# * certificate, which verifies that the provided certificate is signed by a
1915+
# trusted authority (CA), but does not perform any hostname verification.
18921916
# * none, which performs no verification of the server's certificate. This
18931917
# mode disables many of the security benefits of SSL/TLS and should only be used
18941918
# after very careful consideration. It is primarily intended as a temporary
@@ -2181,6 +2205,12 @@ setup.kibana:
21812205
# matches the names identified within the certificate.
21822206
# * certificate, which verifies that the provided certificate is signed by a
21832207
# trusted authority (CA), but does not perform any hostname verification.
2208+
# * strict, which verifies that the provided certificate is signed by a trusted
2209+
# authority (CA) and also verifies that the server's hostname (or IP address)
2210+
# matches the names identified within the certificate. If the Subject Alternative
2211+
# Name is empty, it returns an error.
2212+
# * certificate, which verifies that the provided certificate is signed by a
2213+
# trusted authority (CA), but does not perform any hostname verification.
21842214
# * none, which performs no verification of the server's certificate. This
21852215
# mode disables many of the security benefits of SSL/TLS and should only be used
21862216
# after very careful consideration. It is primarily intended as a temporary
@@ -2378,6 +2408,12 @@ logging.files:
23782408
# matches the names identified within the certificate.
23792409
# * certificate, which verifies that the provided certificate is signed by a
23802410
# trusted authority (CA), but does not perform any hostname verification.
2411+
# * strict, which verifies that the provided certificate is signed by a trusted
2412+
# authority (CA) and also verifies that the server's hostname (or IP address)
2413+
# matches the names identified within the certificate. If the Subject Alternative
2414+
# Name is empty, it returns an error.
2415+
# * certificate, which verifies that the provided certificate is signed by a
2416+
# trusted authority (CA), but does not perform any hostname verification.
23812417
# * none, which performs no verification of the server's certificate. This
23822418
# mode disables many of the security benefits of SSL/TLS and should only be used
23832419
# after very careful consideration. It is primarily intended as a temporary

filebeat/input/kafka/config.go

Lines changed: 1 addition & 1 deletion
@@ -177,7 +177,7 @@ func newSaramaConfig(config kafkaInputConfig) (*sarama.Config, error) {
177177
}
178178
if tls != nil {
179179
k.Net.TLS.Enable = true
180-
k.Net.TLS.Config = tls.BuildModuleConfig("")
180+
k.Net.TLS.Config = tls.BuildModuleClientConfig("")
181181
}
182182

183183
if config.Kerberos.IsEnabled() {
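Review bot: the rename to `BuildModuleClientConfig("")` keeps the empty-string host argument, so the resulting `*tls.Config` carries no ServerName and any hostname to verify has to come from the connection itself. Please confirm that under the new `strict` mode (and under `full`) a connection where no server name is available fails closed instead of skipping the name check, and reference the libbeat `tlscommon` change that introduces `BuildModuleClientConfig` in the PR description, since it is not visible in this hunk.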

filebeat/input/mqtt/client.go

Lines changed: 1 addition & 1 deletion
@@ -40,7 +40,7 @@ func createClientOptions(config mqttInputConfig, onConnectHandler func(client li
4040
if err != nil {
4141
return nil, err
4242
}
43-
clientOptions.SetTLSConfig(tlsConfig.BuildModuleConfig(""))
43+
clientOptions.SetTLSConfig(tlsConfig.BuildModuleClientConfig(""))
4444
}
4545
return clientOptions, nil
4646
}

filebeat/inputsource/tcp/server.go

Lines changed: 1 addition & 1 deletion
@@ -68,7 +68,7 @@ func (s *Server) createServer() (net.Listener, error) {
6868
var l net.Listener
6969
var err error
7070
if s.tlsConfig != nil {
71-
t := s.tlsConfig.BuildModuleConfig(s.config.Host)
71+
t := s.tlsConfig.BuildServerConfig(s.config.Host)
7272
l, err = tls.Listen("tcp", s.config.Host, t)
7373
if err != nil {
7474
return nil, err
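Review bot: `BuildServerConfig` receives `s.config.Host`, which the following line hands to `tls.Listen` as the listen address, so it has the form host:port and may have an empty or wildcard host part. If the server-side builder uses this argument as a name to match or to pick a certificate, it should get a bare hostname; confirm what the argument is used for on the server side, or split the host out before passing it.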
