elastic · khushijain21 · Jan 28, 2025 · Jan 24, 2025 · Jan 28, 2025 · Jan 28, 2025
@@ -25,7 +25,7 @@ import (
 // Config defines the user configurable options in the yaml file.
 type Config struct {
 	Enabled              *bool                   `config:"enabled" yaml:"enabled,omitempty"`
-	VerificationMode     TLSVerificationMode     `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
+	VerificationMode     TLSVerificationMode     `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full', 'certificate' and 'strict'
 	Versions             []TLSVersion            `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
 	CipherSuites         []CipherSuite           `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
 	CAs                  []string                `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`

@@ -143,7 +143,7 @@ func (c *TLSConfig) BuildModuleClientConfig(host string) *tls.Config {
 	// because all slice/pointer fields won't be modified.
 	cc := *c
 
-	// Keep a copy of the host (wheather an IP or hostname)
+	// Keep a copy of the host (whether an IP or hostname)
 	// for later validation. It is used by makeVerifyConnection
 	cc.ServerName = host
 	config := cc.ToConfig()

@@ -40,7 +40,7 @@ import (
 )
 
 func TestMakeVerifyServerConnection(t *testing.T) {
-	testCerts := genTestCerts(t)
+	testCerts := GenTestCerts(t)
 
 	certPool := x509.NewCertPool()
 	certPool.AddCert(testCerts["ca"])
@@ -192,13 +192,13 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 }
 
 func TestTrustRootCA(t *testing.T) {
-	certs := genTestCerts(t)
+	certs := GenTestCerts(t)
 
 	nonEmptyCertPool := x509.NewCertPool()
 	nonEmptyCertPool.AddCert(certs["wildcard"])
 	nonEmptyCertPool.AddCert(certs["unknown_authority"])
 
-	fingerprint := getFingerprint(certs["ca"])
+	fingerprint := GetCertFingerprint(certs["ca"])
 
 	testCases := []struct {
 		name                 string
@@ -267,8 +267,8 @@ func TestTrustRootCA(t *testing.T) {
 }
 
 func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) {
-	testCerts := genTestCerts(t)
-	fingerprint := getFingerprint(testCerts["ca"])
+	testCerts := GenTestCerts(t)
+	fingerprint := GetCertFingerprint(testCerts["ca"])
 
 	testcases := map[string]struct {
 		verificationMode     TLSVerificationMode
@@ -684,12 +684,14 @@ func startTestServer(t *testing.T, serverAddr string, serverCerts []tls.Certific
 	return *serverURL
 }
 
-func getFingerprint(cert *x509.Certificate) string {
+// GetCertFingerPrint takes a certificate and returns its HEX encoded SHA-256
+func GetCertFingerprint(cert *x509.Certificate) string {
 	caSHA256 := sha256.Sum256(cert.Raw)
 	return hex.EncodeToString(caSHA256[:])
 }
 
-func genTestCerts(t *testing.T) map[string]*x509.Certificate {
+func GenTestCerts(t *testing.T) map[string]*x509.Certificate {
+	t.Helper()
 	ca, err := genCA()
 	if err != nil {
 		t.Fatalf("cannot generate root CA: %s", err)

@@ -125,7 +125,7 @@ var tlsClientAuthTypes = map[string]TLSClientAuth{
 }
 
 // TLSVerificationMode represents the type of verification to do on the remote host:
-// `none`, `certificate`, and `full` and we default to `full`.
+// `none`, `certificate`, `full` and `strict` - we default to `full`.
 // Internally this option is transformed into the `insecure` field in the `tls.Config` struct.
 type TLSVerificationMode uint8