Add SSL support
See vklochan#28

Adds initial support for SSL. The implementation supports the following
features:

* Remote certificate validation
* Custom CA bundles
* Client side certs

SSL is now on by default.
skwashd committed Aug 10, 2016
1 parent 890e043 commit f0f7eba
Showing 1 changed file with 37 additions and 2 deletions.
39 changes: 37 additions & 2 deletions logstash/handler_tcp.py
@@ -1,4 +1,5 @@
from logging.handlers import DatagramHandler, SocketHandler
import ssl
from logging.handlers import SocketHandler
from logstash import formatter


Expand All @@ -12,14 +13,48 @@ class TCPLogstashHandler(SocketHandler, object):
:param fqdn; Indicates whether to show fully qualified domain name or not (default False).
:param version: version of logstash event schema (default is 0).
:param tags: list of tags for a logger (default is None).
:param ssl: Should SSL be enabled for the connection? Default is True.
:param ssl_verify: Should the server's SSL certificate be verified?
:param keyfile: The path to client side SSL key file (default is None).
:param certfile: The path to client side SSL certificate file (default is None).
:param ca_certs: The path to the file containing recognised CA certificates. System wide CA certs are used if omitted.
"""

def __init__(self, host, port=5959, message_type='logstash', tags=None, fqdn=False, version=0):
def __init__(self, host, port=5959, message_type='logstash', tags=None, fqdn=False, version=0, ssl=True, ssl_verify=True, keyfile=None, certfile=None, ca_certs=None):
super(TCPLogstashHandler, self).__init__(host, port)

self.ssl = ssl
self.ssl_verify = ssl_verify
self.keyfile = keyfile
self.certfile = certfile
self.ca_certs = ca_certs

if version == 1:
self.formatter = formatter.LogstashFormatterVersion1(message_type, tags, fqdn)
else:
self.formatter = formatter.LogstashFormatterVersion0(message_type, tags, fqdn)

def makePickle(self, record):
return self.formatter.format(record) + b'\n'


def makeSocket(self, timeout=1):
s = super(TCPLogstashHandler, self).makeSocket(timeout)

if not self.ssl:
return s

context = ssl.create_default_context(cafile=self.ca_certs)
context.verify_mode = ssl.CERT_REQUIRED
if not self.ssl_verify:
if self.ca_certs:
context.verify_mode = ssl.CERT_OPTIONAL
else:
context.verify_mode = ssl.CERT_NONE
context.check_hostname = False

# Client side certificate auth.
if self.certfile and self.keyfile:
context.load_cert_chain(self.certfile, keyfile=self.keyfile)

return context.wrap_socket(s, server_hostname=self.host)
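Review bot: In makeSocket, the `ssl_verify=False` / no `ca_certs` branch assigns `context.verify_mode = ssl.CERT_NONE` while `check_hostname` is still True (the default from `create_default_context`), which the ssl module rejects with a ValueError ("Cannot set verify_mode to CERT_NONE when check_hostname is enabled"), so the one fully-unverified configuration fails at connect time instead of opening the socket; move `context.check_hostname = False` above the `verify_mode` assignments, e.g. directly under `if not self.ssl_verify:`. Separately, in client mode `CERT_OPTIONAL` behaves the same as `CERT_REQUIRED`, so with `ssl_verify=False` plus `ca_certs` the peer certificate is still validated against the bundle and only the hostname check is skipped — worth stating on the `:param ssl_verify:` line so callers do not assume it disables validation entirely. The `ssl` keyword parameter of `__init__` also shadows the `ssl` module inside that method; it is harmless today because `__init__` never touches the module, but a rename such as `use_ssl` (keeping `ssl` accepted for compatibility) would avoid a surprise later. The enclosing class header sits outside the hunk.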
