[9.1](backport #5088) [FIPS] Test that ES client will not connect to ES with invalid TLS certificate #5142
Merged. ycombinator merged 1 commit into 9.1 on Jul 10, 2025.
…rtificate (#5088)

* Adding unit test for connecting to FIPS-incapable ES
* Make linter happy
* Reordering imports
* Run FIPS unit tests on FIPS VM
* Install Microsoft Go if FIPS=true
* Debugging
* Use fleet server FIPS VM image
* Debugging: extracting microsoft/go outside of fleet-server folder
* Explicitly specify Go distribution for tests
* Use temporary folder for microsoft/go SDK
* Don't pass GOEXPERIMENT=systemcrypto when running tests with Go stdlib
* Remove debugging statements
* Reduce VM size

(cherry picked from commit c0ae099)
🎉 Snyk checks have passed. No issues have been found so far.
✅ security/snyk check is complete. No issues have been found.
✅ license/snyk check is complete. No issues have been found.
ycombinator approved these changes on Jul 10, 2025.
What is the problem this PR solves?
This PR ensures that any connections made by a FIPS-capable Fleet Server to Elasticsearch will only succeed if Elasticsearch is also FIPS-capable.
How does this PR solve the problem?
This PR adds a new test, TestConnectionTLS, that fakes an Elasticsearch HTTPS server that returns a TLS certificate that's been created with a key length of < 2048 bits, making it invalid for FIPS-compliant use. If running in FIPS mode, the test asserts that Fleet Server's connection to Elasticsearch will fail with a TLS error. If not running in FIPS mode, the test asserts that Fleet Server's connection to Elasticsearch will succeed.
How to test this PR locally
In a non-FIPS environment:
In a FIPS environment, i.e. with the Microsoft Go fork installed and with the OpenSSL FIPS provider installed:
Design Checklist
- I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
- I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
- I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.
Checklist
- I have made corresponding changes to the documentation
- I have made corresponding changes to the default configuration files
- I have added an entry in ./changelog/fragments using the changelog tool
Related issues
This is an automatic backport of pull request #5088 done by [Mergify](https://mergify.com).
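The shape of the test described above, as an added example that is not fleet-server's own TestConnectionTLS: an httptest HTTPS server presents a self-signed 1024-bit RSA certificate, and the client either accepts it (plain Go stdlib) or, with enforceFIPS set, rejects it through an explicit VerifyPeerCertificate key-size check. That explicit check, the function name ConnectToFakeES and the 2048-bit threshold are this example's assumptions; in a real FIPS build the crypto backend rejects the weak key without any such code.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// ConnectToFakeES serves a stand-in Elasticsearch over HTTPS with a self-signed RSA key of bits
// size and performs one GET. With enforceFIPS the client rejects keys under 2048 bits (assumption).
func ConnectToFakeES(bits int, enforceFIPS bool) error {
	key, err := rsa.GenerateKey(rand.Reader, bits) // 1024 is below the FIPS minimum, 2048 is not
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "fake-es"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	srv := httptest.NewUnstartedServer(http.NotFoundHandler()) // any handler; only the handshake matters
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts the server's self-signed certificate
	if enforceFIPS {
		cfg := client.Transport.(*http.Transport).TLSClientConfig
		cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
			if k, ok := chains[0][0].PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
				return fmt.Errorf("tls: server RSA key is %d bits, FIPS requires at least 2048", k.N.BitLen())
			}
			return nil
		}
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return err // in FIPS mode this is the TLS error the PR's test asserts on
	}
	return resp.Body.Close()
}
```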