Feature Request: TLS configuration

[philomory]

It'd be nice if, when using the TcpTlsAppender, you could explicitly supply a Root CA to trust. It'd also be good if you could specify a client certificate and key to use for TLS Client Certificate Authentication.

[philomory]

It's worth noting that, without the ability to specify a trusted CA, all TLS connections effectively have trustAllCertificates set to true. The GELF protocol has nothing akin to verifying that the requested hostname matches the certificate subject like in HTTPS, so any certificate issued by a trusted root will be accepted.

[osiegmar]

Thanks for bringing this up!

I doubt that configuring a trusted CA increases the security much as the domain name of the certificate (CN) is still not checked as defined in RFC 2818. An attacker with a certificate signed by the same CA (which is rather easy to obtain in larger enterprises) could still perform a MITM-attack. Maybe this domain name check should be added to the implementation as the logic is based on SSL/TLS and not HTTPS (in contrast to the specification and standard implementation in Java). LDAPS is using a similar implementation (RFC 4513) for example. But the Graylog guys should at least document something about that to not have completely different client implementations. Maybe RFC 7525 could be the basis for that.

As a first step, I've implemented a server certificate whitelist in the branch feature/explicit-certificate-trust.

Let me know what you think.

[osiegmar]

Added certificate hostname verification (based on RFC 6125) per 2960bc4

[tparkercbn]

Hello. I am the person who put in #79 and am wondering about the MutualTLS. Has that also been added to the explicit-certificate-trust branch?

[osiegmar]

@tparkercbn Not yet. As there was no feedback on the branch yet. It currently only contains server certificate whitelisting. I'm willing to invest more time on this if someone provides feedback.

[tparkercbn]

Hi @osiegmar. What would you like to have feedback on? We certainly can deploy and test in our environment if you are able to update the code to do mutual TLS.

Tom