tls: input: output: Provide restoring way for tls.verify hebavior [Backport 3.0] #8967

1 change: 1 addition & 0 deletions include/fluent-bit/flb_input.h
Expand Up @@ -363,6 +363,7 @@ struct flb_input_instance {
/* TLS settings */
int use_tls; /* bool, try to use TLS for I/O */
int tls_verify; /* Verify certs (default: true) */
int tls_verify_hostname; /* Verify hostname (default: false) */
int tls_debug; /* mbedtls debug level */
char *tls_vhost; /* Virtual hostname for SNI */
char *tls_ca_path; /* Path to certificates */
1 change: 1 addition & 0 deletions include/fluent-bit/flb_output.h
Expand Up @@ -284,6 +284,7 @@ struct flb_output_instance {

#ifdef FLB_HAVE_TLS
int tls_verify; /* Verify certs (default: true) */
int tls_verify_hostname; /* Verify hostname (default: false) */
int tls_debug; /* mbedtls debug level */
char *tls_vhost; /* Virtual hostname for SNI */
char *tls_ca_path; /* Path to certificates */
3 changes: 3 additions & 0 deletions include/fluent-bit/tls/flb_tls.h
Expand Up @@ -92,6 +92,7 @@ struct flb_tls {
int debug; /* Debug level */
char *vhost; /* Virtual hostname for SNI */
int mode; /* Client or Server */
int verify_hostname; /* Verify hostname */

/* Bakend library for TLS */
void *ctx; /* TLS context created */
Expand All @@ -112,6 +113,8 @@ int flb_tls_destroy(struct flb_tls *tls);

int flb_tls_set_alpn(struct flb_tls *tls, const char *alpn);

int flb_tls_set_verify_hostname(struct flb_tls *tls, int verify_hostname);

int flb_tls_load_system_certificates(struct flb_tls *tls);

struct mk_list *flb_tls_get_config_map(struct flb_config *config);
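Review bot: The new prototype `int flb_tls_set_verify_hostname(struct flb_tls *tls, int verify_hostname);` carries no documentation, and the field comment `/* Verify hostname */` does not say how it interacts with the existing `verify` flag; the openssl.c hunk in this PR only runs hostname validation when both `verify` and `verify_hostname` are set, and flb_tls_create() initialises the field to FLB_FALSE. A header comment on the prototype would save callers a trip to the implementation: state that it stores a normalised 0/1 value in `tls->verify_hostname`, returns -1 on a NULL context and 0 otherwise, must be called before the handshake that reads the flag, and has no effect while `tls->verify` is off. The field comment could become `/* Verify hostname, honoured only when verify is set (default: false) */`. As an aside, `Bakend` in the unchanged context line is a typo for `Backend`.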
1 change: 1 addition & 0 deletions plugins/filter_kubernetes/kube_conf.h
Expand Up @@ -80,6 +80,7 @@ struct flb_kube {
int dummy_meta;
int tls_debug;
int tls_verify;
int tls_verify_hostname;
int kube_token_ttl;
flb_sds_t meta_preload_cache_dir;

20 changes: 19 additions & 1 deletion plugins/filter_kubernetes/kube_meta.c
Expand Up @@ -1681,6 +1681,7 @@ static int wait_for_dns(struct flb_kube *ctx)

static int flb_kubelet_network_init(struct flb_kube *ctx, struct flb_config *config)
{
int ret;
int io_type = FLB_IO_TCP;
int api_https = FLB_TRUE;
ctx->kubelet_upstream = NULL;
Expand Down Expand Up @@ -1709,6 +1710,14 @@ static int flb_kubelet_network_init(struct flb_kube *ctx, struct flb_config *con
return -1;
}

if (ctx->tls_verify_hostname == FLB_TRUE) {
ret = flb_tls_set_verify_hostname(ctx->kubelet_tls, ctx->tls_verify_hostname);
if (ret == -1) {
flb_plg_debug(ctx->ins, "kubelet network tls set up failed for hostname verification");
return -1;
}
}

io_type = FLB_IO_TLS;
}

Expand All @@ -1726,12 +1735,13 @@ static int flb_kubelet_network_init(struct flb_kube *ctx, struct flb_config *con

/* Remove async flag from upstream */
flb_stream_disable_async_mode(&ctx->kubelet_upstream->base);

return 0;
}

static int flb_kube_network_init(struct flb_kube *ctx, struct flb_config *config)
{
int ret;
int io_type = FLB_IO_TCP;
int kubelet_network_init_ret = 0;

Expand All @@ -1753,6 +1763,14 @@ static int flb_kube_network_init(struct flb_kube *ctx, struct flb_config *config
return -1;
}

if (ctx->tls_verify_hostname == FLB_TRUE) {
ret = flb_tls_set_verify_hostname(ctx->tls, ctx->tls_verify_hostname);
if (ret == -1) {
flb_plg_debug(ctx->ins, "network tls set up failed for hostname verification");
return -1;
}
}

io_type = FLB_IO_TLS;
}

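Review bot: The two failure branches added here log at debug level, `flb_plg_debug(ctx->ins, "kubelet network tls set up failed for hostname verification");` in flb_kubelet_network_init and the matching line in flb_kube_network_init, yet both return -1 and abort initialisation, so an operator whose filter refuses to start because hostname verification could not be enabled sees no reason unless debug logging is on. The equivalent paths added to src/flb_input.c and src/flb_output.c in this PR use the error level, so these should match: `flb_plg_error(ctx->ins, "failed to enable TLS hostname verification for the kubelet connection");` and `flb_plg_error(ctx->ins, "failed to enable TLS hostname verification for ctx->tls");`. Both enclosing functions continue outside the hunks, so I cannot see whether anything allocated earlier (the TLS context created just above each branch) is released on this early return; worth confirming against the other -1 paths in the same functions.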
7 changes: 7 additions & 0 deletions plugins/filter_kubernetes/kubernetes.c
Expand Up @@ -800,6 +800,13 @@ static struct flb_config_map config_map[] = {
"set optional TLS virtual host"
},

/* TLS: set tls.hostame_verification feature */
{
FLB_CONFIG_MAP_BOOL, "tls.verify_hostname", "off",
0, FLB_TRUE, offsetof(struct flb_kube, tls_verify_hostname),
"enable or disable to verify hostname"
},

/* Merge structured record as independent keys */
{
FLB_CONFIG_MAP_BOOL, "merge_log", "false",
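Review bot: The comment above the new config map entry, `/* TLS: set tls.hostame_verification feature */`, names an option that does not exist (and misspells it); the key registered on the next line is `"tls.verify_hostname"`. The help string `"enable or disable to verify hostname"` also does not tell an administrator what is at stake: per the openssl.c hunk in this PR the hostname check only runs when tls.verify is also on, and with the default `"off"` a certificate chaining to a trusted CA is accepted whatever name it carries. I would write `/* TLS: tls.verify_hostname, bind the peer certificate to the configured host */` and `"Enable or disable hostname verification of the peer certificate (requires tls.verify)"` so the defaulting to off is a visible, informed choice.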
15 changes: 15 additions & 0 deletions src/flb_input.c
Expand Up @@ -308,6 +308,7 @@ struct flb_input_instance *flb_input_new(struct flb_config *config,
instance->tls = NULL;
instance->tls_debug = -1;
instance->tls_verify = FLB_TRUE;
instance->tls_verify_hostname = FLB_FALSE;
instance->tls_vhost = NULL;
instance->tls_ca_path = NULL;
instance->tls_ca_file = NULL;
Expand Down Expand Up @@ -553,6 +554,10 @@ int flb_input_set_property(struct flb_input_instance *ins,
ins->tls_verify = flb_utils_bool(tmp);
flb_sds_destroy(tmp);
}
else if (prop_key_check("tls.verify_hostname", k, len) == 0 && tmp) {
ins->tls_verify_hostname = flb_utils_bool(tmp);
flb_sds_destroy(tmp);
}
else if (prop_key_check("tls.debug", k, len) == 0 && tmp) {
ins->tls_debug = atoi(tmp);
flb_sds_destroy(tmp);
Expand Down Expand Up @@ -1121,6 +1126,16 @@ int flb_input_instance_init(struct flb_input_instance *ins,

return -1;
}

if (ins->tls_verify_hostname == FLB_TRUE) {
ret = flb_tls_set_verify_hostname(ins->tls, ins->tls_verify_hostname);
if (ret == -1) {
flb_error("[input %s] error set up to verify hostname in TLS context",
ins->name);

return -1;
}
}
}

struct flb_config_map *m;
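Review bot: The new branch in flb_input_instance_init enables hostname verification whenever `ins->tls_verify_hostname == FLB_TRUE`, but the openssl.c hunk in this PR only performs the check when `tls->verify` is also set, so a configuration with tls.verify off and tls.verify_hostname on passes initialisation and then silently performs no hostname check. That combination is almost certainly a misconfiguration and deserves a visible warning at this point, for example `if (ins->tls_verify_hostname == FLB_TRUE && ins->tls_verify == FLB_FALSE) {` / `flb_warn("[input %s] tls.verify_hostname has no effect while tls.verify is off", ins->name);` / `}` placed before the new setter call. The same applies to the parallel hunk in src/flb_output.c. While here, the message `"[input %s] error set up to verify hostname in TLS context"` reads awkwardly; `"[input %s] failed to enable hostname verification in TLS context"` is clearer. flb_input_instance_init starts outside the hunk, so I cannot confirm where `ret` is declared.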
15 changes: 15 additions & 0 deletions src/flb_output.c
Expand Up @@ -678,6 +678,7 @@ struct flb_output_instance *flb_output_new(struct flb_config *config,
instance->tls = NULL;
instance->tls_debug = -1;
instance->tls_verify = FLB_TRUE;
instance->tls_verify_hostname = FLB_FALSE;
instance->tls_vhost = NULL;
instance->tls_ca_path = NULL;
instance->tls_ca_file = NULL;
Expand Down Expand Up @@ -872,6 +873,10 @@ int flb_output_set_property(struct flb_output_instance *ins,
ins->tls_verify = flb_utils_bool(tmp);
flb_sds_destroy(tmp);
}
else if (prop_key_check("tls.verify_hostname", k, len) == 0 && tmp) {
ins->tls_verify_hostname = flb_utils_bool(tmp);
flb_sds_destroy(tmp);
}
else if (prop_key_check("tls.debug", k, len) == 0 && tmp) {
ins->tls_debug = atoi(tmp);
flb_sds_destroy(tmp);
Expand Down Expand Up @@ -1249,6 +1254,16 @@ int flb_output_init_all(struct flb_config *config)
flb_output_instance_destroy(ins);
return -1;
}

if (ins->tls_verify_hostname == FLB_TRUE) {
ret = flb_tls_set_verify_hostname(ins->tls, ins->tls_verify_hostname);
if (ret == -1) {
flb_error("[output %s] error set up to verify hostname in TLS context",
ins->name);

return -1;
}
}
}
#endif
/*
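Review bot: The failure path immediately above the new code in flb_output_init_all calls `flb_output_instance_destroy(ins);` before `return -1;`, whereas the new branch returns -1 on a failed flb_tls_set_verify_hostname() without destroying the instance, so the TLS context created just before it and the instance itself appear to be left behind on that path. If the destroy in the preceding branch is the function's convention for TLS setup failures, the new branch should follow it: `flb_error("[output %s] failed to enable hostname verification in TLS context", ins->name);` / `flb_output_instance_destroy(ins);` / `return -1;`. The enclosing function starts and ends outside the hunk, so I cannot see whether a later cleanup loop covers partially initialised instances; please confirm before relying on the early return.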
17 changes: 17 additions & 0 deletions src/tls/flb_tls.c
Expand Up @@ -74,6 +74,12 @@ struct flb_config_map tls_configmap[] = {
"Hostname to be used for TLS SNI extension"
},

{
FLB_CONFIG_MAP_BOOL, "tls.verify_hostname", "off",
0, FLB_FALSE, 0,
"Enable or disable to verify hostname"
},

/* EOF */
{0}
};
Expand Down Expand Up @@ -191,6 +197,7 @@ struct flb_tls *flb_tls_create(int mode,
tls->verify = verify;
tls->debug = debug;
tls->mode = mode;
tls->verify_hostname = FLB_FALSE;

if (vhost != NULL) {
tls->vhost = flb_strdup(vhost);
Expand Down Expand Up @@ -231,6 +238,16 @@ int flb_tls_set_alpn(struct flb_tls *tls, const char *alpn)
return 0;
}

int flb_tls_set_verify_hostname(struct flb_tls *tls, int verify_hostname)
{
if (!tls) {
return -1;
}

tls->verify_hostname = !!verify_hostname;

return 0;
}

int flb_tls_net_read(struct flb_tls_session *session, void *buf, size_t len)
{
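Review bot: flb_tls_set_verify_hostname() is a new public entry point with no header comment, and the contract it relies on is only visible elsewhere in this PR: openssl.c reads `tls->verify_hostname` at handshake time and honours it only when `tls->verify` is also set, and flb_tls_create() defaults the field to FLB_FALSE. A comment above the definition should state that the function normalises its argument to 0/1 (the `!!verify_hostname` line), returns -1 only for a NULL context, must be called before the handshake, and is a no-op in effect while `verify` is off; it should also note that the `== FLB_TRUE` comparisons in openssl.c depend on FLB_TRUE being 1, which the `!!` guarantees for this field. The `"tls.verify_hostname"` config map entry added at the top of the hunk uses offset 0 and FLB_FALSE for set_property like its neighbours, so it is only a declaration for validation and help text; a one-line comment saying the value is applied by the input/output instance code, not by this table, would prevent a reader from looking for a missing struct field.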
3 changes: 2 additions & 1 deletion src/tls/openssl.c
Expand Up @@ -692,7 +692,8 @@ static int tls_net_handshake(struct flb_tls *tls,
}
}

if (tls->verify == FLB_TRUE) {
if (tls->verify == FLB_TRUE &&
tls->verify_hostname == FLB_TRUE) {
if (vhost != NULL) {
ret = setup_hostname_validation(session, vhost);
}
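Review bot: With the condition tightened to `tls->verify == FLB_TRUE && tls->verify_hostname == FLB_TRUE`, a session with tls.verify on and tls.verify_hostname off (the default introduced by this PR) accepts any certificate that chains to a trusted CA regardless of the name it carries, and nothing in the handshake records that the hostname binding was skipped, so an operator auditing a deployment cannot tell from the logs which mode was active. Making the skip visible costs three lines: `else if (tls->verify == FLB_TRUE) {` / `flb_debug("[tls] hostname verification disabled, peer certificate not bound to vhost");` / `}` after the new block. tls_net_handshake starts and ends outside the hunk, so I cannot see the branch taken when `vhost` is NULL or how the result of setup_hostname_validation() is handled.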