logstash-plugins · makenowjust · Nov 6, 2017
diff --git a/lib/logstash/outputs/syslog.rb b/lib/logstash/outputs/syslog.rb
@@ -72,6 +72,9 @@ class LogStash::Outputs::Syslog < LogStash::Outputs::Base
   # The SSL CA certificate, chainfile or CA path. The system CA path is automatically included.
   config :ssl_cacert, :validate => :path
 
+  # Do not perform TLS Mutal Authentication, only require a certificate for the client.
+  config :ssl_mutual, :validate => :boolean, :default => true
+
   # SSL certificate path
   config :ssl_cert, :validate => :path
 
@@ -226,8 +229,10 @@ def connect
   def setup_ssl
     require "openssl"
     ssl_context = OpenSSL::SSL::SSLContext.new
-    ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
-    ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
+    if @ssl_mutal
+      ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(@ssl_cert))
+      ssl_context.key = OpenSSL::PKey::RSA.new(File.read(@ssl_key),@ssl_key_passphrase)
+    end
     if @ssl_verify
       cert_store = OpenSSL::X509::Store.new
       # Load the system default certificate path to the store
@@ -238,7 +243,11 @@ def setup_ssl
         cert_store.add_file(@ssl_cacert)
       end
       ssl_context.cert_store = cert_store
-      ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      if @ssl_mutual
+        @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      else
+        @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      end
     end
     ssl_context
   end