From b7fb7b41f252b057063cb4fe6174bbb04e286fd0 Mon Sep 17 00:00:00 2001 From: Anderson Queiroz Date: Fri, 25 Oct 2024 20:37:34 +0200 Subject: [PATCH] update elastic-agent-libs (#4042) elastic-agent-libs v0.14.0 sets the server side certificate verification mode to 'certificate' by default (cherry picked from commit 7d77467984f6b34fcb339fbcf59b620dca9e3238) # Conflicts: # NOTICE.txt # go.mod # go.sum # testing/go.mod # testing/go.sum --- NOTICE.txt | 8 ++++ ...ault-for-incomming-client-connections.yaml | 44 +++++++++++++++++++ go.mod | 4 ++ go.sum | 5 +++ testing/go.mod | 4 ++ testing/go.sum | 5 +++ 6 files changed, 70 insertions(+) create mode 100644 changelog/fragments/1729782694-Fleet-Server-uses-'ssl.verification_mode:-certificate'-by-default-for-incomming-client-connections.yaml diff --git a/NOTICE.txt b/NOTICE.txt index 91613a4f38..b895c0c2bf 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -661,11 +661,19 @@ SOFTWARE -------------------------------------------------------------------------------- Dependency : github.com/elastic/elastic-agent-libs +<<<<<<< HEAD Version: v0.12.1 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-libs@v0.12.1/LICENSE: +======= +Version: v0.14.0 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-libs@v0.14.0/LICENSE: +>>>>>>> 7d77467 (update elastic-agent-libs (#4042)) Apache License Version 2.0, January 2004 diff --git a/changelog/fragments/1729782694-Fleet-Server-uses-'ssl.verification_mode:-certificate'-by-default-for-incomming-client-connections.yaml b/changelog/fragments/1729782694-Fleet-Server-uses-'ssl.verification_mode:-certificate'-by-default-for-incomming-client-connections.yaml new file mode 100644 index 0000000000..ceefc9357a 
--- /dev/null
+++ b/changelog/fragments/1729782694-Fleet-Server-uses-'ssl.verification_mode:-certificate'-by-default-for-incomming-client-connections.yaml
@@ -0,0 +1,44 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# Change summary; a 80ish characters long description of the change.
+summary: |
+ Fleet Server uses 'ssl.verification_mode: certificate' by default for incoming client connections
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: |
+ Fleet Server now uses [github/com/elastic/elastic-agent-libs v0.14.0](https://github.com/elastic/elastic-agent-libs/releases/tag/v0.14.0)
+ which by default configures server TLS verification mode as 'certificate'.
+ With this new default, when Fleet Server runs with Mutual TLS (mTLS) enabled,
+ it will only verify the presented client certificate during the TLS handshake,
+ without further validation against the `server_name` extension. Therefore
+ respecting the correct use of the 'server_name' extension as defined by
+ [RFC 6066](https://datatracker.ietf.org/doc/html/rfc6066). Previously
+ Fleet Server would attempt to perform a match, between the 'server_name' sent
+ by the client to either the client's certificate CN (common name), SANs or IPs.
+ Such verification would cause a rejection of the client's certificate if it
+ did not contain Fleet Server's host in either the CN, SANs or IPs.
+
+# Affected component; a word indicating the component this changeset affects.
+component:
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234
diff --git a/go.mod b/go.mod
index 79b9c2adc8..4b5c22545b 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,11 @@ require (
 github.com/dgraph-io/ristretto v0.1.1
 github.com/docker/go-units v0.5.0
 github.com/elastic/elastic-agent-client/v7 v7.16.0
+<<<<<<< HEAD
 github.com/elastic/elastic-agent-libs v0.12.1
+=======
+ github.com/elastic/elastic-agent-libs v0.14.0
+>>>>>>> 7d77467 (update elastic-agent-libs (#4042))
 github.com/elastic/elastic-agent-system-metrics v0.11.3
 github.com/elastic/go-elasticsearch/v8 v8.15.0
 github.com/elastic/go-ucfg v0.8.8
diff --git a/go.sum b/go.sum
index 6e8aff26f2..93656e0cb5 100644
--- a/go.sum
+++ b/go.sum
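Review bot: Unresolved merge-conflict markers are committed as added lines in the go.mod hunk (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 7d77467 (update elastic-agent-libs (#4042))`), leaving both `elastic-agent-libs v0.12.1` and `v0.14.0` inside the require block, which the go tooling will reject. The same markers appear in the NOTICE.txt, go.sum, testing/go.mod and testing/go.sum hunks of this backport. Resolve each by dropping the three marker lines and the v0.12.1 entry so that only `github.com/elastic/elastic-agent-libs v0.14.0` remains, then run `go mod tidy` in both modules and regenerate NOTICE.txt. Until that is done the branch presumably does not build, so the new server-side `certificate` verification default described in the changelog fragment is not actually shipped by this commit.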
@@ -35,8 +35,13 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/elastic/elastic-agent-client/v7 v7.16.0 h1:yKGq2+CxAuW8Kh0EoNl202tqAyQKfBcPRawVKs2Jve0=
 github.com/elastic/elastic-agent-client/v7 v7.16.0/go.mod h1:6h+f9QdIr3GO2ODC0Y8+aEXRwzbA5W4eV4dd/67z7nI=
+<<<<<<< HEAD
 github.com/elastic/elastic-agent-libs v0.12.1 h1:5jkxMx15Bna8cq7/Sz/XUIVUXfNWiJ80iSk4ICQ7KJ0=
 github.com/elastic/elastic-agent-libs v0.12.1/go.mod h1:5CR02awPrBr+tfmjBBK+JI+dMmHNQjpVY24J0wjbC7M=
+=======
+github.com/elastic/elastic-agent-libs v0.14.0 h1:a2kCeIBMeJ8U5UIIMB8JyW2C8J7ocK7qerYYH89r7Hw=
+github.com/elastic/elastic-agent-libs v0.14.0/go.mod h1:5CR02awPrBr+tfmjBBK+JI+dMmHNQjpVY24J0wjbC7M=
+>>>>>>> 7d77467 (update elastic-agent-libs (#4042))
 github.com/elastic/elastic-agent-system-metrics v0.11.3 h1:LDzRwP8kxvsYEtMDgMSKZs1TgPcSEukit+/EAP5Y28A=
 github.com/elastic/elastic-agent-system-metrics v0.11.3/go.mod h1:saqLKe9fuyuAo6IADAnnuy1kaBI7VNlxfwMo8KzSRyQ=
 github.com/elastic/elastic-transport-go/v8 v8.6.0 h1:Y2S/FBjx1LlCv5m6pWAF2kDJAHoSjSRSJCApolgfthA=
diff --git a/testing/go.mod b/testing/go.mod
index 7002518cb0..95ef10321f 100644
--- a/testing/go.mod
+++ b/testing/go.mod
@@ -31,7 +31,11 @@ require (
 github.com/distribution/reference v0.5.0 // indirect
 github.com/docker/go-connections v0.5.0 // indirect
 github.com/docker/go-units v0.5.0 // indirect
+<<<<<<< HEAD
 github.com/elastic/elastic-agent-libs v0.12.1 // indirect
+=======
+ github.com/elastic/elastic-agent-libs v0.14.0 // indirect
+>>>>>>> 7d77467 (update elastic-agent-libs (#4042))
 github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/go-logr/logr v1.4.2 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
diff --git a/testing/go.sum b/testing/go.sum
index 2aef05e24b..cc657b2f6a 100644
--- a/testing/go.sum
+++ b/testing/go.sum
@@ -39,8 +39,13 @@ github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/elastic/elastic-agent-client/v7 v7.16.0 h1:yKGq2+CxAuW8Kh0EoNl202tqAyQKfBcPRawVKs2Jve0=
 github.com/elastic/elastic-agent-client/v7 v7.16.0/go.mod h1:6h+f9QdIr3GO2ODC0Y8+aEXRwzbA5W4eV4dd/67z7nI=
+<<<<<<< HEAD
 github.com/elastic/elastic-agent-libs v0.12.1 h1:5jkxMx15Bna8cq7/Sz/XUIVUXfNWiJ80iSk4ICQ7KJ0=
 github.com/elastic/elastic-agent-libs v0.12.1/go.mod h1:5CR02awPrBr+tfmjBBK+JI+dMmHNQjpVY24J0wjbC7M=
+=======
+github.com/elastic/elastic-agent-libs v0.14.0 h1:a2kCeIBMeJ8U5UIIMB8JyW2C8J7ocK7qerYYH89r7Hw=
+github.com/elastic/elastic-agent-libs v0.14.0/go.mod h1:5CR02awPrBr+tfmjBBK+JI+dMmHNQjpVY24J0wjbC7M=
+>>>>>>> 7d77467 (update elastic-agent-libs (#4042))
 github.com/elastic/go-sysinfo v1.14.2 h1:DeIy+pVfdRsd08Nx2Xjh+dUS+jrEEI7LGc29U/BKVWo=
 github.com/elastic/go-sysinfo v1.14.2/go.mod h1:jPSuTgXG+dhhh0GKIyI2Cso+w5lPJ5PvVqKlL8LV/Hk=
 github.com/elastic/go-ucfg v0.8.8 h1:54KIF/2zFKfl0MzsSOCGOsZ3O2bnjFQJ0nDJcLhviyk=