TLS Options
You can specify TLS options for any output that supports TLS.
Example configuration:
output:
  elasticsearch:
    hosts: ["192.168.1.42:9200"]
    tls:
      # List of root certificates for HTTPS server verifications
      certificate_authorities: ["/etc/pki/root/ca.pem"]
      # Certificate for TLS client authentication
      certificate: "/etc/pki/client/cert.pem"
      # Client Certificate Key
      certificate_key: "/etc/pki/client/cert.key"
TLS Options
You can specify the following options under the tls section:
certificate_authorities
The list of root certificates for server verifications. If certificate_authorities is empty or not set, the trusted certificate authorities of the host system are used.
certificate: "/etc/pki/client/cert.pem"
The path to the certificate for TLS client authentication. If the certificate is not specified, client authentication is not available. The connection might fail if the server requests client authentication. If the TLS server does not require client authentication, the certificate will be loaded, but not requested or used by the server.
When this option is configured, the certificate_key: "/etc/pki/client/cert.key" option is also required.
certificate_key: "/etc/pki/client/cert.key"
The client certificate key used for client authentication. This option is required if certificate: "/etc/pki/client/cert.pem" is specified.
min_version
The minimum SSL/TLS version allowed for the encrypted connections. The value must be one of the following:
- SSL-3.0 for SSL 3
- 1.0 for TLS 1.0
- 1.1 for TLS 1.1
- 1.2 for TLS 1.2
The default value is 1.0.
max_version
The maximum SSL/TLS version allowed for the encrypted connections. The value must be one of the following:
- SSL-3.0 for SSL 3
- 1.0 for TLS 1.0
- 1.1 for TLS 1.1
- 1.2 for TLS 1.2
The default value is 1.2.
insecure
This option controls whether the client verifies server certificates and host names. If insecure is set to true, all server host names and certificates are accepted. In this mode, TLS-based connections are susceptible to man-in-the-middle attacks. Use this option for testing only.
cipher_suites
The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended).
The cipher suite names are built from the following components:
- 3DES: Cipher suites using triple DES
- AES128/256: Cipher suites using AES with 128/256-bit keys.
- CBC: Cipher suites using Cipher Block Chaining as the block cipher mode.
- ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman ephemeral (ECDHE) key exchange.
- ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
- GCM: Galois/Counter mode is used for symmetric key cryptography.
- RC4: Cipher suites using RC4.
- RSA: Cipher suites using RSA.
- SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.
The following cipher suites are available:
- RSA-RC4-128-SHA (disabled by default - RC4 not recommended)
- RSA-3DES-CBC3-SHA
- RSA-AES128-CBC-SHA
- RSA-AES256-CBC-SHA
- ECDHE-ECDSA-RC4-128-SHA (disabled by default - RC4 not recommended)
- ECDHE-ECDSA-AES128-CBC-SHA
- ECDHE-ECDSA-AES256-CBC-SHA
- ECDHE-RSA-RC4-128-SHA (disabled by default - RC4 not recommended)
- ECDHE-RSA-3DES-CBC3-SHA
- ECDHE-RSA-AES128-CBC-SHA
- ECDHE-RSA-AES256-CBC-SHA
- ECDHE-RSA-AES128-GCM-SHA256 (TLS 1.2 only)
- ECDHE-ECDSA-AES128-GCM-SHA256 (TLS 1.2 only)
- ECDHE-RSA-AES256-GCM-SHA384 (TLS 1.2 only)
- ECDHE-ECDSA-AES256-GCM-SHA384 (TLS 1.2 only)
curve_types
The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
The following elliptic curve types are available:
- P-256
- P-384
- P-521
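As an added example (not Beats' own code), the following Go program shows how the min_version, max_version, insecure and cipher_suites values described above map onto the crypto/tls library that Beats uses, and lints a tls section for the settings the descriptions warn about: insecure: true, a minimum version below TLS 1.2 (the documented default is 1.0), and RC4 or 3DES suites. The Options struct and the function names are this example's own assumptions; the certificate file options are not loaded here.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Options holds the values of the tls section documented above (an example
// struct, not a Beats type); the certificate file paths are omitted.
type Options struct {
	Insecure               bool
	MinVersion, MaxVersion string   // "SSL-3.0", "1.0", "1.1" or "1.2"
	CipherSuites           []string // names as listed above
}

// versions maps the documented version strings onto crypto/tls constants.
var versions = map[string]uint16{
	"SSL-3.0": tls.VersionSSL30, "1.0": tls.VersionTLS10,
	"1.1": tls.VersionTLS11, "1.2": tls.VersionTLS12,
}

// Build translates the version and insecure options into a tls.Config,
// rejecting unknown versions and a min_version above max_version.
func Build(o Options) (*tls.Config, error) {
	minV, okMin := versions[o.MinVersion]
	maxV, okMax := versions[o.MaxVersion]
	if !okMin || !okMax {
		return nil, fmt.Errorf("unknown version: min=%q max=%q", o.MinVersion, o.MaxVersion)
	}
	if minV > maxV {
		return nil, fmt.Errorf("min_version %s is above max_version %s", o.MinVersion, o.MaxVersion)
	}
	// insecure: true becomes InsecureSkipVerify, which disables chain and host name checks.
	return &tls.Config{MinVersion: minV, MaxVersion: maxV, InsecureSkipVerify: o.Insecure}, nil
}

// Lint returns the findings a reviewer would raise about a tls section,
// following the warnings given in the option descriptions above.
func Lint(o Options) (findings []string) {
	if o.Insecure {
		findings = append(findings, "insecure: true accepts any server certificate (MITM risk)")
	}
	if versions[o.MinVersion] < tls.VersionTLS12 {
		findings = append(findings, "min_version "+o.MinVersion+" allows pre-TLS-1.2 connections")
	}
	for _, s := range o.CipherSuites {
		if strings.Contains(s, "RC4") || strings.Contains(s, "3DES") {
			findings = append(findings, "cipher suite "+s+" uses RC4 or 3DES (not recommended)")
		}
	}
	return findings
}
```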