✨ Implement an option for disable SSL Certificate Verify about elastic-serverless-forwarder HOT 12 CLOSED

Nice !
Waiting for the feature to be merged to migrate from function beat to elastic-serverless-forwarder 😍

from elastic-serverless-forwarder.

@JeromeSola as I said I'm not discussing your specific use case and infra scenario. but the option to have somehow a lower security standard :)

If not for the complexity of relying on ca_certs in a Lambda context it would be the primary and immediate choice to add support for self-signed certificates.

I've brought the topic to discussion internally to the team and I will keep you posted

from elastic-serverless-forwarder.

@JeromeSola please, take a look at #173

from elastic-serverless-forwarder.

@Ben00it do you use a self-hosted ES cluster?

The option to expose should be ca_certs (https://elasticsearch-py.readthedocs.io/en/v7.17.6/transports.html#urllib3httpconnection), but unluckily there is no easy way to provide the proper value on a Lambda deployed from SAR: since it requires to add the cert files to a path accessible from the lambda

from elastic-serverless-forwarder.

The best would be if you are able to generate public certs with letsencrypt or similar

from elastic-serverless-forwarder.

Hello @aspacca,
Thanks for the quick response,
What about the "verify_certs" option ? We were using functionbeat before and it was possible to use the option "verification_mode=none" (https://www.elastic.co/guide/en/beats/functionbeat/current/configuration-ssl.html#client-verification-mode).
It would help us a lot to have this option in this repository.

Thanks for your help

from elastic-serverless-forwarder.

@JeromeSola verify_certs is prone to open a secure vulnerability I would prefer to consider all the other available options before making a call on that

please, don't consider my question a judgement on your security practice, but what are the limit that would prevents youto generate a valid cert from a certificate authority? :)

Have you looked at https://aws.amazon.com/certificate-manager/? (assuming your cluster is on the aws cloud)

from elastic-serverless-forwarder.

@aspacca i see your point.

However i think it is required to know the full context to admit if their is a security breach or not. Our cluster is well hosted in AWS in a full private network etc...
Moreover it is difficult on our buisiness context to have access to some ressources while it is easy for us to make this simple change on the config file and our network segmentation does not expose critical stuff.

That's why I thought it was a good thing to just add options to your tool then it is client security concern to use or not use the option...

Thanks anyway

from elastic-serverless-forwarder.

@Ben00it please, take a look at #173

from elastic-serverless-forwarder.

Hello, Oh a good news, that's great.

We will migrate that asap once merged and we will let you know.

Thank you @aspacca

from elastic-serverless-forwarder.

Hello @aspacca we were looking to deploy the new version, unfortunatly we use AWS repository to deploy the tool and it seems to still be the old version of the tool.

What is your process to push a new version to AWS repository? Can we expect the new version to be pushed soon ?
Thanks :)

from elastic-serverless-forwarder.

@JeromeSola pushed the new version yesterday after a little while from your messsage :)

from elastic-serverless-forwarder.