in lib/logstash/outputs/opensearch/http_client_builder.rb [119:167]
def self.setup_ssl(logger, params)
params["ssl"] = true if params["hosts"].any? {|h| h.scheme == "https" }
return {} if params["ssl"].nil?
return {:ssl => {:enabled => false}} if params["ssl"] == false
cacert, truststore, truststore_password, keystore, keystore_password, tls_client_cert, tls_client_key =
params.values_at('cacert', 'truststore', 'truststore_password', 'keystore', 'keystore_password', 'tls_certificate', 'tls_key')
if cacert && truststore
raise(LogStash::ConfigurationError, "Use either \"cacert\" or \"truststore\" when configuring the CA certificate") if truststore
end
if (tls_client_cert && !tls_client_key)
raise(LogStash::ConfigurationError, "\"tls_key\" is missing")
end
if (!tls_client_cert && tls_client_key)
raise(LogStash::ConfigurationError, "\"tls_certificate\" is missing")
end
ssl_options = {:enabled => true}
if cacert
ssl_options[:ca_file] = cacert
elsif truststore
ssl_options[:truststore_password] = truststore_password.value if truststore_password
end
ssl_options[:truststore] = truststore if truststore
if keystore
ssl_options[:keystore] = keystore
ssl_options[:keystore_password] = keystore_password.value if keystore_password
end
if (tls_client_cert && tls_client_key)
ssl_options[:client_cert] = tls_client_cert
ssl_options[:client_key] = tls_client_key
end
if !params["ssl_certificate_verification"]
logger.warn [
"** WARNING ** Detected UNSAFE options in opensearch output configuration!",
"** WARNING ** You have enabled encryption but DISABLED certificate verification.",
"** WARNING ** To make sure your data is secure change :ssl_certificate_verification to true"
].join("\n")
ssl_options[:verify] = false
end
{ ssl: ssl_options }
end