fix: restore use of DefaultHostnameVerifier (#193)

edmocosta · yaauie · web-flow · commit f96dad3c80eb · 2023-06-02T17:01:09.000+01:00
* Document why we are using :default instead of :strict

Co-authored-by: Ry Biesemeyer &lt;yaauie@users.noreply.github.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 4.17.2
+  - Fixes a regression introduced in 4.17.0 which could prevent a connection from being established to Elasticsearch in some SSL configurations [#193](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/193)
+
 ## 4.17.1
   - Fix: scroll slice high memory consumption [#189](https://github.com/logstash-plugins/logstash-input-elasticsearch/pull/189)
 
diff --git a/lib/logstash/inputs/elasticsearch.rb b/lib/logstash/inputs/elasticsearch.rb
@@ -521,7 +521,9 @@ def setup_client_ssl
                         "to make sure your data is secure set `ssl_verification_mode => full`"
           ssl_options[:verify] = :disable
         else
-          ssl_options[:verify] = :strict
+          # Manticore's :default maps to Apache HTTP Client's DefaultHostnameVerifier,
+          # which is the modern STRICT verifier that replaces the deprecated StrictHostnameVerifier
+          ssl_options[:verify] = :default
       end
     end
 
diff --git a/logstash-input-elasticsearch.gemspec b/logstash-input-elasticsearch.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-input-elasticsearch'
-  s.version         = '4.17.1'
+  s.version         = '4.17.2'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Reads query results from an Elasticsearch cluster"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
diff --git a/spec/inputs/elasticsearch_ssl_spec.rb b/spec/inputs/elasticsearch_ssl_spec.rb
@@ -123,7 +123,7 @@
 
       it "should pass the flag to the ES client" do
         expect(::Elasticsearch::Client).to receive(:new) do |args|
-          expect(args[:ssl]).to match hash_including(:ssl => true, :verify => :strict)
+          expect(args[:ssl]).to match hash_including(:ssl => true, :verify => :default)
         end.and_return(es_client_double)
 
         subject.register
@@ -200,7 +200,7 @@
                                       :truststore => ssl_truststore_path,
                                       :truststore_type => "jks",
                                       :truststore_password => "foo",
-                                      :verify => :strict,
+                                      :verify => :default,
                                       :cipher_suites => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
                                       :protocols => ["TLSv1.3"],
                                     )
@@ -236,7 +236,7 @@
                                       :ca_file => ssl_certificate_authorities_path,
                                       :client_cert => ssl_certificate_path,
                                       :client_key => ssl_key_path,
-                                      :verify => :strict,
+                                      :verify => :default,
                                       :cipher_suites => ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"],
                                       :protocols => ["TLSv1.3"],
                                     )
