-
Notifications
You must be signed in to change notification settings - Fork 81
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
elastic-agent-libs v0.14.0 sets the server side certificate verification mode to 'certificate' by default (cherry picked from commit 7d77467)
- Loading branch information
Showing
1 changed file
with
44 additions
and
0 deletions.
There are no files selected for viewing
44 changes: 44 additions & 0 deletions
44
...ses-'ssl.verification_mode:-certificate'-by-default-for-incomming-client-connections.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| # Kind can be one of: | ||
| # - breaking-change: a change to previously-documented behavior | ||
| # - deprecation: functionality that is being removed in a later release | ||
| # - bug-fix: fixes a problem in a previous version | ||
| # - enhancement: extends functionality but does not break or fix existing behavior | ||
| # - feature: new functionality | ||
| # - known-issue: problems that we are aware of in a given version | ||
| # - security: impacts on the security of a product or a user’s deployment. | ||
| # - upgrade: important information for someone upgrading from a prior version | ||
| # - other: does not fit into any of the other categories | ||
| kind: feature | ||
|
|
||
| # Change summary; a 80ish characters long description of the change. | ||
| summary: | | ||
| Fleet Server uses 'ssl.verification_mode: certificate' by default for incoming client connections | ||
| # Long description; in case the summary is not enough to describe the change | ||
| # this field accommodate a description without length limits. | ||
| # NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment. | ||
| description: | | ||
| Fleet Server now uses [github/com/elastic/elastic-agent-libs v0.14.0](https://github.com/elastic/elastic-agent-libs/releases/tag/v0.14.0) | ||
| which by default configures server TLS verification mode as 'certificate'. | ||
| With this new default, when Fleet Server runs with Mutual TLS (mTLS) enabled, | ||
| it will only verify the presented client certificate during the TLS handshake, | ||
| without further validation against the `server_name` extension. Therefore | ||
| respecting the correct use of the 'server_name' extension as defined by | ||
| [RFC 6066](https://datatracker.ietf.org/doc/html/rfc6066). Previously | ||
| Fleet Server would attempt to perform a match, between the 'server_name' sent | ||
| by the client to either the client's certificate CN (common name), SANs or IPs. | ||
| Such verification would cause a rejection of the client's certificate if it | ||
| did not contain Fleet Server's host in either the CN, SANs or IPs. | ||
| # Affected component; a word indicating the component this changeset affects. | ||
| component: | ||
|
|
||
| # PR URL; optional; the PR number that added the changeset. | ||
| # If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. | ||
| # NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. | ||
| # Please provide it if you are adding a fragment for a different PR. | ||
| #pr: https://github.com/owner/repo/1234 | ||
|
|
||
| # Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). | ||
| # If not present is automatically filled by the tooling with the issue linked to the PR number. | ||
| #issue: https://github.com/owner/repo/1234 |