TLS Options

edit

You can specify TLS options for any output that supports TLS.

Example configuration:

output:
  elasticsearch:
    hosts: ["192.168.1.42:9200"]

    tls:
      # List of root certificates for HTTPS server verifications
      certificate_authorities: ["/etc/pki/root/ca.pem"]

      # Certificate for TLS client authentication
      certificate: "/etc/pki/client/cert.pem"

      # Client Certificate Key
      certificate_key: "/etc/pki/client/cert.key"

TLS Options

edit

You can specify the following options under the tls section:

certificate_authorities

edit

The list of root certificates for server verifications. If certificate_authorities is empty or not set, the trusted certificate authorities of the host system are used.

certificate: "/etc/pki/client/cert.pem"

edit

The path to the certificate for TLS client authentication. If the certificate is not specified, client authentication is not available. The connection might fail if the server requests client authentication. If the TLS server does not require client authentication, the certificate will be loaded, but not requested or used by the server.

When this option is configured, the certificate_key: "/etc/pki/client/cert.key" option is also required.

certificate_key: "/etc/pki/client/cert.key"

edit

The client certificate key used for client authentication. This option is required if certificate: "/etc/pki/client/cert.pem" is specified.

min_version

edit

The minimum SSL/TLS version allowed for the encrypted connections. The value must be one of the following: SSL-3.0 for SSL 3, 1.0 for TLS 1.0, 1.1 for TLS 1.1 and 1.2 for TLS 1.2.

The default value is 1.0.

max_version

edit

The maximum SSL/TLS version allowed for the encrypted connections. The value must be one of the following: SSL-3.0 for SSL 3, 1.0 for TLS 1.0, 1.1 for TLS 1.1 and 1.2 for TLS 1.2.

The default value is 1.2.

insecure

edit

This option controls whether the client verifies server certificates and host names. If insecure is set to true, all server host names and certificates are accepted. In this mode, TLS-based connections are susceptible to man-in-the-middle attacks. Use this option for testing only.

cipher_suites

edit

The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended).

Here is a list of allowed cipher suites and their meanings.

  • 3DES: Cipher suites using triple DES
  • AES128/256: Cipher suites using AES with 128/256-bit keys.
  • CBC: Cipher using Cipher Block Chaining as block cipher mode.
  • ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
  • ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
  • GCM: Galois/Counter mode is used for symmetric key cryptography.
  • RC4: Cipher suites using RC4.
  • RSA: Cipher suites using RSA.
  • SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.

The following cipher suites are available:

  • RSA-RC4-128-SHA (disabled by default - RC4 not recommended)
  • RSA-3DES-CBC3-SHA
  • RSA-AES128-CBC-SHA
  • RSA-AES256-CBC-SHA
  • ECDHE-ECDSA-RC4-128-SHA (disabled by default - RC4 not recommended)
  • ECDHE-ECDSA-AES128-CBC-SHA
  • ECDHE-ECDSA-AES256-CBC-SHA
  • ECDHE-RSA-RC4-128-SHA (disabled by default- RC4 not recommended)
  • ECDHE-RSA-3DES-CBC3-SHA
  • ECDHE-RSA-AES128-CBC-SHA
  • ECDHE-RSA-AES256-CBC-SHA
  • ECDHE-RSA-AES128-GCM-SHA256 (TLS 1.2 only)
  • ECDHE-ECDSA-AES128-GCM-SHA256 (TLS 1.2 only)
  • ECDHE-RSA-AES256-GCM-SHA384 (TLS 1.2 only)
  • ECDHE-ECDSA-AES256-GCM-SHA384 (TLS 1.2 only)

curve_types

edit

The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).

The following elliptic curve types are available:

  • P-256
  • P-384
  • P-521