diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 1037efe..5ed26f4 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -92,6 +92,7 @@ This plugin supports the following configuration options plus the <> |<>|No | <> |<>|No | <> |<>|No +| <> |<>|No | <> |<>|No |======================================================================= @@ -300,6 +301,16 @@ instructions into the query. If enabled, SSL will be used when communicating with the Elasticsearch server (i.e. HTTPS will be used instead of plain HTTP). +[id="plugins-{type}s-{plugin}-ssl_certificate_verification"] +===== `ssl_certificate_verification` + + * Value type is <> + * Default value is `true` + +Option to validate the server's certificate. Disabling this severely compromises security. +For more information on disabling certificate verification please read +https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf + [id="plugins-{type}s-{plugin}-user"] ===== `user` diff --git a/lib/logstash/inputs/elasticsearch.rb b/lib/logstash/inputs/elasticsearch.rb index 5d24844..f46266d 100644 --- a/lib/logstash/inputs/elasticsearch.rb +++ b/lib/logstash/inputs/elasticsearch.rb @@ -151,6 +151,9 @@ class LogStash::Inputs::Elasticsearch < LogStash::Inputs::Base # SSL config :ssl, :validate => :boolean, :default => false + # ssl_certificate_verification - Disable ssl_verification with false + config :ssl_certificate_verification, :validate => :boolean, :default => true + # SSL Certificate Authority file in PEM encoded format, must also include any chain certificates as necessary config :ca_file, :validate => :path 
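Review bot: The comment added above `config :ssl_certificate_verification` in lib/logstash/inputs/elasticsearch.rb reads "Disable ssl_verification with false", which names no setting visible here and leaves out the consequence that the docs hunk spells out. Going by the `register` hunk in this same commit, the value is only passed on inside the `if @ssl` branches, so it appears to have no effect unless `ssl => true`; the comment should say that as well. I would write `# Validate the server's TLS certificate (only used when ssl => true).` followed by `# Setting this to false removes protection against man-in-the-middle interception of the connection.`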
@@ -197,7 +200,8 @@ def register
 else
 @hosts
 end
- ssl_options = { :ssl => true, :ca_file => @ca_file } if @ssl && @ca_file
+ ssl_options = { :ssl => true, :ca_file => @ca_file, :verify => @ssl_certificate_verification } if @ssl && @ca_file
+ ssl_options ||= { :ssl => @ssl, :verify => @ssl_certificate_verification } if @ssl
 ssl_options ||= {}
 @logger.warn "Supplied proxy setting (proxy => '') has no effect" if @proxy.eql?('')
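Review bot: With `ssl_certificate_verification => false`, the two new `ssl_options` assignments pass `:verify => false` on without any log entry, so a pipeline running without server authentication looks the same in the logs as a verified one. The last line of the hunk already warns about an ineffective proxy setting; a matching `@logger.warn "ssl_certificate_verification is disabled; the Elasticsearch server's certificate will not be validated" if @ssl && !@ssl_certificate_verification` would give operators something to audit. The code that consumes `ssl_options` lies outside this hunk, so it is also worth confirming that the transport interprets a boolean `:verify` the way this change assumes. `register` starts and ends outside the hunk.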